Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began to re-examine their internal processes and procedures in order to ensure compliance with the new requirements before its entry into force in May 2018.
To assist you in this task, we have identified 10 hot topics which should be handled in priority. We propose to present each of these points of attention separately in a newsflash to be published every two weeks, where we will provide you with practical hints to prepare efficiently.
In this issue, we will detail the notions of data protection by design, data protection by default and data protection impact assessment (DPIA), which are tools provided by the GDPR in order to help companies comply with their obligation of accountability described in our previous issue.
Accountability part 2
As mentionned in our Newsflash N°2, companies will have to implement technical and organisational measures in the context of a new form of data governance. The nature of these measures will be assessed using a risk-based approach.
In this respect, the GDPR sets out a new series of principles and processes that should be followed in order for companies to ensure accountability.
- Adopt a proactive approach to data protection and consider the GDPR at all stages, including at early stages of developing and designing products, services, applications, etc.
- Consider adhering to certification mechanisms
- Establish guidelines to detect risky processing operations and train people internally
- Identify whether the conduct of a DPIA is necessary and, if not doable internally, appoint a specialized third-party IT service provider
- Analyse the results of the DPIA, assess and implement necessary mitigating measures
- Establish processes to consult the supervisory authority if needed
Privacy by design
Processing activities have to be planned, designed and performed by companies with data security and, more generally, compliance with the GDPR in mind and the protection of personal data must therefore be embedded into their design specifications of technology, business practices and physical infrastructures from the outset. Indeed, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, the nature of which shall be assessed taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
Such measures must be designed to implement data protection principles, such as data minimisation, in an effective manner. Data controllers should, among other measures:
- implement processes in order to have the ability to quickly restore the availability of systems;
- implement processes to ensure resilience and integrity of systems;
- consider whether the relevant personal data can be pseudonymised.
Pseudonymisation - The GDPR specifically refers to pseudonymisation as an example of a measure that is designed to integrate the necessary safeguards into the processing of personal data. This consists of replacing one attribute (typically a unique attribute) in a record by another so that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately. Pseudonymisation reduces the linkability of a dataset with the original identity of a data subject; as such, it is a useful security measure but not a method of anonymisation.
In determining which measures and processes have to be implemented, businesses may need to consider matters such as whether a system which processes the personal data of customers/employees would, for example:
- allow personal data to be collated with ease in order to comply with subject access requests;
- allow suppression of data of customers who have objected to receiving direct marketing; or
- allow the data controller to satisfy the data portability requirements of the GDPR.
Privacy by default
The controller shall implement appropriate technical and organisational measures to ensure that, by default, (i) only personal data which is necessary for each specific purpose of the processing is collected and, (ii) personal data is not made available to an indefinite number of people without the data subject's intervention.
Such concept already exists under the current legislation which requires that data be collected only if adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed.
The effect of this requirement is that data controllers should, prior to collecting and processing data, have in mind that they are legally required to minimise the amount of data collected, the extent of their processing, the period of their storage and their accessibility.
= > Both concepts of privacy by design and privacy by default are therefore central to the risk-based approach as they oblige businesses to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing and to take appropriate technical and organisational measures accordingly.
The GDPR is giving greater prominence to the adherence by companies to codes of conduct in order to demonstrate compliance. Data protection authorities are required to encourage the development of data protection related certification mechanisms and labels. Data controllers and processors could rely upon the receipt of such certification from a certification organism recognized by its supervisory data protection authority in order to demonstrate compliance with the requirements of the GDPR.
Data protection impact assessment (DPIA)
The GDPR introduces data protection impact assessments as a means to identify high risks to the privacy rights of individuals when processing their personal data.
Indeed, where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, and in consultation with the data protection officer if one has been appointed, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
In particular, such assessment shall be legally required under the GDPR in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of sensitive data (such as, but not limited to, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data) or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.
The DPIA in practice - The assessment shall contain at least: (i) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; (ii) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (iii) an assessment of the risks to the rights and freedoms of data subjects; and (iv) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
However, no specific process or format is prescribed under the GDPR, additional guidance is therefore expected this year on this question. Additionally, the GDPR is silent as to its application on processing operations underway when the GDPR will become applicable in May 2018. As a best practice, it is recommended to take advantage of the current transitionary period in order to identify potential long-term risky processing operations.
Prior consultation of the supervisory authority - Where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller has to consult the supervisory authority prior to the processing. When doing so, the company must provide information such as (i) the DPIA triggering the consultation; (ii) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings; (iii) the purposes and means of the intended processing; and (iv) the measures and safeguards provided to protect the rights and freedoms of data subjects.
Where the supervisory authority is of the opinion that the intended high risk processing would infringe the GDPR, in particular where the controller has insufficiently identified or when the proposed mitigating measures are not sufficient, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller. That period may be extended by six weeks, taking into account the complexity of the intended processing.
* * *
We can assist you getting GDPR proof, you may consult our compliance package online.
Please contact the members of our Technologies & IP team should you need any assistance in relation to the GDPR.