GDPR: A European Regulation
The General Data Protection Regulation, or the GDPR, is the European reference text on personal data protection. It has been applicable across the entire European Union since May 25, 2018.
The regulatory framework established by the GDPR is designed to ensure transparency and guarantee the rights of data subjects, by making organizations accountable for their personal data processing and by strengthening the powers of national supervisory authorities.
The GDPR applies by default to any public or private organization (company, non-profit, public administration, etc.) established in the European Union and, under certain conditions (Article 3(2)), to organizations located outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU.
Privacy by Design / Privacy by Default
Data protection by design
Massive data leaks are increasingly making the headlines. To reduce this risk, the concept of Privacy by Design is rapidly gaining ground as a sound practice for processing and storing personal data.
What is Privacy By Design?
Set out in Article 25 of the General Data Protection Regulation, this principle requires organizations to think early on about the protective measures to implement for each processing activity, according to both the nature of the data to be processed and the parties involved in the processing (processors and subcontractors, the DPO, project managers, etc.).
These measures are both technical (pseudonymization, encryption, access control, data minimization) and organizational (roles, procedures, training). They facilitate GDPR compliance and protect the privacy of data subjects.
Organizations thus take a preventive approach to avoid non-compliant data processing rather than correcting it after the fact.
Privacy by Default
Privacy by Design alone is not enough to ensure sufficient data protection.
A second approach must be considered once a product or service is public: Privacy by Default.
Privacy by Default (Article 25(2)) states that a product or service must meet data protection standards by default, without any action by the user, once it is released. By default, only the personal data necessary for each specific purpose may be processed; this applies to the amount of data collected, the extent of the processing, the storage period and who can access the data.
For example, for a software application, a user should not have to modify their settings to strengthen their data protection. Everything should be preconfigured for optimum data protection, with optional data collection switched off unless the user opts in.
Going further – How to implement the Privacy By Design principle?
Privacy by Design is built around the seven foundational principles formulated by Ann Cavoukian:
- Be proactive, not reactive: anticipate and prevent privacy breaches before they occur, rather than remedying them afterwards.
- Make privacy the default setting: protection must be automatic and implicit, and the data subject should not have to request or configure it themselves.
- Embed privacy into design: privacy must be built into the architecture of the information system and into business practices from the outset, not bolted on afterwards.
- Protect data throughout its lifecycle: all necessary measures must be in place for the entire retention period, including secure destruction of the data at the end of that period.
- Seek full functionality (positive-sum, not zero-sum): privacy must be protected while the organization's legitimate interests and objectives are also met, without trading one off against the other.
- Respect user privacy: the interests of data subjects are the priority, and organizations must keep them at the centre of project design, in line with privacy regulations.
- Ensure visibility and transparency: every component of the systems involved in personal data protection must be open to verification, for instance in an audit. This builds trust.
Privacy by Design principles must be reconsidered every time a change occurs in an organization (e.g., adopting a new technology for processing personal data).
PIA: Risk Analysis and Prevention
The Privacy Impact Assessment, or PIA, is the tool the GDPR calls a Data Protection Impact Assessment (DPIA, Article 35): an assessment of the impact of a processing activity on the protection of personal data.
What is a GDPR PIA?
An impact assessment is a tool to make organizations accountable for their personal data processing. More specifically, it is a risk assessment, covering both security and broader harms, for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects.
Which processing activities require a GDPR PIA?
Article 35(3) itself names three cases in which a PIA is always required: systematic and extensive evaluation based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories of data or of data relating to criminal convictions and offences; and systematic monitoring of a publicly accessible area on a large scale. The Article 29 Working Party guidelines on DPIAs (WP248, endorsed by the EDPB) expand this into a non-exhaustive list of criteria indicating likely high risk:
- Large-scale data processing
- Systematic monitoring of data subjects
- Automated decisions with legal or similarly significant effects
- Processing of sensitive or highly personal data, including biometric data and data relating to criminal offences and convictions
- Evaluation or scoring based on personal data, including profiling and prediction
- Processing that uses new or innovative technologies or organizational solutions
- Matching or combining datasets (data cross-referencing)
- Processing of data concerning vulnerable data subjects (e.g., children, patients, employees)
- Processing that prevents data subjects from exercising a right or using a service or contract
As a rule of thumb from these guidelines, processing that meets two or more of the criteria will in most cases require a PIA; a single criterion can be enough where the risk is clearly high, and a controller that decides not to carry out a PIA for processing meeting one criterion should document why.
National supervisory authorities must also publish their own lists of processing operations that require an impact assessment (Article 35(4)), and may publish lists of operations that do not (Article 35(5)).
Use cases
Your company wishes to implement a system that scans outgoing emails to detect potential leaks of confidential information by your employees. Your Data Protection Officer (DPO) is informed and recommends carrying out a PIA, because such a system represents processing that meets at least two criteria: systematic monitoring of data subjects and the use of innovative technologies, with the added factor that the data subjects are employees, whom the WP29 guidelines treat as vulnerable because of the imbalance of power with their employer.
How do you conduct a GDPR PIA?
The data controller is responsible for conducting the PIA, seeking the advice of the DPO where one has been designated (Article 35(2)). It must be carried out before the processing activity is implemented, and reviewed whenever the risk of the processing changes.
There are several methods for conducting a PIA (for example the CNIL's PIA methodology and tool, or the ISO/IEC 29134 framework), but Article 35(7) sets the minimum content: a systematic description of the processing and its purposes, an assessment of its necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks.
Briefly, a PIA documents the legal basis and justification for the processing activity and all potential negative consequences for data subjects. If the risks to data subjects are too high, measures to mitigate them must be implemented and described; if a high residual risk remains after those measures, the controller must consult the supervisory authority before starting the processing (Article 36). If the residual risks are low, the processing activity can be implemented.
Find out about the PIA module by Data Legal Drive
Find out how the Data Legal Drive GDPR software integrates your impact assessment in an ecosystem that centralizes all your compliance processes.