A few best practices to be ‘GDPR compatible’ and save time!
> Appoint a Data Protection Officer (DPO) to oversee the company’s management of personal data and carry out responsibilities pertaining to information, advice and control within the company.
> Provide for personal data protection from the design stage of applications and data processing operations: minimise the collection of data in light of the purpose, cookies, period of conservation, informational notices, obtainment of consent, data security and confidentiality, and roles and responsibilities of stakeholders involved in the implementation of data processing operations. The Data Protection Officer should be consulted.
> Raise awareness and organise the reporting of information, in particular by crafting a training and communication plan for employees.
> Handle complaints and requests from persons concerned to exercise their rights (rights of access, rectification, opposition, portability, withdrawal of consent) by defining individuals and processes (the rights may be exercised electronically if the data were collected by electronic means).
> Plan ahead for violations by providing for, in certain cases, a mechanism to notify the data protection authority within 72 hours and to notify the persons concerned promptly.
Data protection impact assessment (PIA): for processing operations likely to create high risk
What is a data protection impact assessment (PIA)?
It is a study that helps build data processing operations which respect privacy and demonstrate that the processing is GDPR compliant.
A PIA is a tool for assessing the impact on privacy designed around two pillars:
> The ‘non-negotiable’ fundamental principles and rights defined by law. They may not be adjusted in any way, regardless of the nature, gravity or plausibility of the risks incurred.
> The management of risks to the privacy of the persons concerned, which makes it possible to determine the appropriate technical and organisational measures to protect personal data.
A PIA contains:
> A description of the data processing operation studied and its purpose(s)
> An assessment of the necessity and proportionality of the processing operations in relation to the purposes
> An assessment of the risks to the rights and freedoms of the persons concerned, as well as the measures planned to address the risks
When should a data protection impact assessment (PIA) be carried out?
A PIA must be conducted for any processing operation that may create a high risk to the rights and freedoms of the persons concerned (Article 35 of the GDPR).
To help you determine the degree of risk, the following nine criteria are defined:
> Evaluation or scoring
> Automated decision-making that produces legal effects or similarly significant effects
> Systematic monitoring
> Sensitive data or data of a highly personal nature
> Large scale processing of personal data
> Cross-referencing of data sets
> Data pertaining to vulnerable persons
> Innovative use or application of new technological or organisational solutions
> Exclusion from benefiting from a right, a service or contract
If your processing operation meets two or more of these criteria, you are strongly advised to conduct a PIA.
In general, the PIA is a sound practice for designing processing operations which conform to GDPR and respect individual privacy, regardless of whether the operation is likely to create a high risk. It should be carried out before implementing the processing operation. It is an iterative process: the analyses must be reviewed and corrected regularly, especially when major changes are made to how a processing operation is performed.
Who participates in the impact assessment?
> Data controller: validates the PIA and undertakes to implement the action plan defined therein
> Data protection officer: writes the action plan and ensures its execution
> Sub-contractor(s): provide the information necessary to complete the PIA
> Business lines (CISO, project owner, project manager): assist with conducting the PIA by providing adequate information
> Persons concerned: give their opinion on the processing operation