Abstract/Summary

The General Data Protection Regulation (GDPR) was introduced to safeguard the privacy and personal data of individuals within the European Union. However, despite the legislators' best intentions, organisations have encountered significant challenges in adhering to its requirements, which can sometimes result in a "command that cannot be obeyed." An area that has been underexplored in the existing literature is Data Protection by Design and by Default (PbDD), which mandates that organisations implement appropriate technical and organisational measures to integrate data protection into their operations. However, issues of GDPR applicability arise due to factors such as the Regulation's lack of certainty, its complexity, and cost of implementation, as well as constraints related to storage limitation and technological compatibility. My thesis proposes a novel strategy for implementing PbDD, placing emphasis on the principles of data protection and individuals' rights. By adopting this approach, organisations are expected to mitigate many of the risks associated with processing personal data, in line with the requirements of PbDD expressed in Article 25 of the GDPR. This comprehensive PbDD-based compliance framework is referred to as the Data Protection Principles Approach (DPPA). The DPPA addresses tensions between data security, organisational data needs, and GDPR requirements. It helps ensuring compliance, considering the impact of technological advances and the legal landscape in the EU. It provides stronger mechanisms to safeguard individuals' rights and enhance control over personal data, while advocating for a policy-driven approach over outdated "win-win" evaluations based on business economics. In addition to critical reflection and doctrinal legal research, the methodology employed incorporates a distinctive approach to analysing primary data collected specifically for this research, both quantitatively and qualitatively. The data focuses on GDPR fines imposed by regulators in the EU and UK, providing rigorous insights into the edge issues that contribute to the development of the DPPA.