GDPR: A European Regulation
The General Data Protection Regulation, commonly known as the GDPR, is the European reference text on personal data protection. Applicable since May 25, 2018 on the entire European territory.
The regulatory framework established by the GDPR thus makes it possible: to ensure transparency to guarantee the rights of the persons concerned to make companies responsible for the processing of personal data, in particular through the supervisory authorities.
The GDPR applies by default to any public or private organization (company, association, public administration) located on the territory of the European Union, but can also apply to companies located outside the EU under certain conditions.
Privacy by Design / Privacy by Default
Data protection by design
The news about data protection is increasingly revealing massive data leakage. To avoid this problem, the concept of Privacy By Design is gaining more and more importance as a sound practice for the processing and storage of personal data.
What is Privacy By Design?
Implemented in Article 25 of the General Data Protection Regulation, this principle implies for each company to think upstream about the protection measures implemented for each processing and this according to the nature of the processed data and the different actors taking part in the processing (subcontractors, DPO, project manager …).
These measures are technical and organizational measures that allow, on the one hand, to comply with the GDPR and, on the other hand, to guarantee the protection of the privacy of the persons concerned.
The company takes a preventive approach to avoid any non-compliant data manipulation.
Privacy by Default
To ensure a sufficient level of data protection, it is not enough to simply design it according to the principles of Privacy by Design.
There is another principle to consider, once a product or service is made public: Privacy by Default.
It states that the product or service must respect data protection standards by default, without needing any external intervention once it is made public.
For example, in the context of an application, the user should not have to modify his settings to reinforce the protection of his data. Everything should be pre-set so that his data is optimally protected.
Going further – How to implement the Privacy By Design principle?
Privacy By Design is built around 7 principles:
- Take preventive measures in a proactive way to avoid personal data breaches: anticipate and prevent incidents of privacy breach before they occur
- Provide default privacy protection, i.e., automated and implicit privacy protection: this protection is presumed and must be automatic without the need for the individual to express it or to ensure it himself.
- Privacy by design of systems and business practices: in other words, privacy must be built into the architecture of the information system from the outset and privacy features must be built into the system.
- Ensure protection throughout the retention period of personal data: in other words, all necessary measures must be implemented to ensure protection throughout the retention period so as to ensure the destruction of the data at the end of the retention period
- Ensuring an integrated protection of privacy: in this case, it is necessary to ensure the protection of privacy while taking into account the legitimate interests and objectives pursued by the company.
- Respecting the privacy of users: the interests of the persons concerned prevail and the company must take their interests into account in its project design in accordance with privacy regulations.
- Ensure visibility and transparency of the company’s practices: every element of the systems related to the protection of personal data must remain visible and transparent in case of an audit. This helps build trust.
The principle of Privacy By Design must be taken into account for each change in the company’s organization (new technology processing personal data for example).
PIA: Risk Analysis and Prevention
The Privacy Impact Assessment, also known as PIA, is a data protection impact analysis.
What is a GDPR PIA?
The impact analysis is a tool to make organizations accountable for their personal data processing. Specifically, it is a security risk analysis that focuses only on personal data that are likely to generate high risks for the rights and freedoms of data subjects when their data are processed.
Which processing operations require a GDPR PIA?
GDPR Article 35 provides a non-exhaustive list of processing operations for which a PIA is mandatory:
- Large-scale data processings
- Systematic surveillance
- Automatic decisions with legal effects
- Processing of sensitive personal data
- Evaluation or rating based on personal data, including profiling and prediction
- Processing of biometric data, data relating to criminal offences and convictions
- Processing relating to new/innovative technologies
- In the case of data cross-referencing
The PIA is mandatory only if two of the above criteria are met.
The local supervisory authorities reserve the right to extend the list of processing operations requiring an impact assessment.
Your company wishes to implement a system to control outgoing emails, scanning them to detect leaks of confidential information from your employees. Your Data Protection Officer (DPO) is alerted and recommends the implementation of a PIA. Indeed, such a system consists of a processing that meets at least two criteria: systematic monitoring and use of innovative technologies.
How to make a GDPR PIA?
On the one hand, the data controller is responsible for conducting the PIA. The impact analysis must be carried out upstream of the implementation of the processing, before the company thinks of processing the data.
Several methods exist to carry out an PIA.
In summary, a PIA consists of describing the entire legal justification for the processing and all its potential negative consequences for the data subjects. If the risks to data subjects are too great, measures to mitigate these risks should be put in place and described. Only if the risks are low can the processing be implemented.
Découvrez le module PIA by Data Legal Drive
Discover how the Data Legal Drive GDPR software integrates your impact assessment within an ecosystem that brings together all your compliance processes