The General Data Protection Regulation, commonly known as the GDPR, is the European reference text on personal data protection. It has been applicable since May 25, 2018, across the entire European Union.
The regulatory framework established by the GDPR is designed to ensure transparency in order to guarantee the rights of data subjects by making organizations responsible for their personal data processing and by empowering national supervisory authorities.
The GDPR applies by default to any public or private organization (company, non-profit, public administration, etc.) located in the European Union, and to companies located outside the EU under certain conditions.
Privacy by Design / Privacy by Default
Data protection by design
Massive data leaks are increasingly making the headlines. To prevent this issue, the concept of Privacy By Design is rapidly gaining ground as a sound practice for processing and storing personal data.
What is Privacy By Design?
Implemented in Article 25 of the General Data Protection Regulation, this principle forces organizations to think early on about the protective measures implemented for each processing activity according to both the nature of the data to be processed and the players involved in the processing (subcontractors, DPOs, project managers, etc.).
These measures are both technical and organizational. They facilitate GDPR compliance and guarantee the protection of data subject privacy.
Organizations take a preventive approach to avoiding non-compliant data processing.
Privacy by Default
To ensure a sufficient level of data protection, simply taking the Privacy by Design approach is not enough.
A second approach must be taken into consideration once a product or service is made public: Privacy by Default.
Privacy by Default states that a product or service must meet data protection standards by default, without requiring external intervention once it is made public.
For example, for a software application, a user should not have to modify their settings in order to strengthen their data protection. Everything should be preconfigured for optimum data protection.
Going further – How to implement the Privacy By Design principle?
Privacy By Design is built around 7 principles:
Take preventive measures proactively to avoid personal data breaches: anticipate and prevent privacy breaches before they occur.
Provide default privacy protection, i.e. automated and implicit privacy protection. This protection must be assumed and automatic: the data subject should not need to request it or implement it themselves.
Privacy by design of systems and business practices: privacy must be built into the architecture of the information system from the outset, and privacy features must be built into the practice.
Ensure protection throughout the personal data retention period: all necessary measures must be implemented to ensure protection throughout the retention period, and data destruction at the end of said period.
Ensure integrated protection of privacy: privacy protection must be ensured while simultaneously taking into consideration the legitimate interests and objectives of the organization.
Respect user privacy: the interests of data subjects are the priority and organizations must take them into account during project design, in accordance with privacy regulations.
Ensure visibility and transparency of an organization’s practices: every aspect of the systems involved in personal data protection must be visible and transparent in case of an audit. This helps build trust.
Privacy By Design principles must be taken into consideration every time a change occurs in an organization (e.g. new technology for processing personal data).
Find out how Data Legal Drive can help you achieve Privacy by Design
Use the project management tools in the Data Legal Drive software to make your projects compliant with Privacy by Design!
The Privacy Impact Assessment, or PIA, is an assessment of the impact a processing activity has on the protection of personal data.
What is a GDPR PIA?
An impact assessment is a tool to make organizations accountable for their personal data processing. More specifically, it is a security risk assessment that focuses on personal data likely to represent a high risk for the rights and freedoms of data subjects when their data is processed.
Which processing activities require a GDPR PIA?
GDPR Article 35 provides a non-exhaustive list of processing activities for which a PIA is mandatory:
Large-scale data processing
Automatic decisions with legal repercussions
Processing of sensitive personal data
Evaluation or rating based on personal data, including profiling and prediction
Processing of biometric data and data relating to criminal offences and convictions
Processing relating to new/innovative technologies
The PIA is mandatory only if two of the above criteria are met.
The local supervisory authorities reserve the right to expand the list of processing activities requiring an impact assessment.
Your company wishes to implement a system to scan outgoing emails in order to detect potential confidential information leaks by your employees. Your Data Protection Officer (DPO) is informed and recommends the implementation of a PIA, because such a system represents processing that meets at least two criteria: systematic monitoring, and use of innovative technologies.
How do you conduct a GDPR PIA?
The data controller is responsible for conducting the PIA. It must be carried out before the processing activity is implemented.
There are several ways to conduct a PIA.
Briefly, a PIA consists of describing the full legal justification for the processing activity, as well as all potential negative consequences for data subjects. If the risks to data subjects are too high, measures to mitigate these risks must be implemented and described. If the risks are small, the processing activity can be implemented.
Find out about the PIA module by Data Legal Drive
Find out how the Data Legal Drive GDPR software integrates your impact assessment in an ecosystem that centralizes all your compliance processes.