
What is GDPR?

by Ola Mohty - Data Protection Expert - PhD in Law

What is the GDPR and what does it really require from organizations? This article breaks down the core principles of the regulation, including Privacy by Design, Privacy by Default, and the role of the DPIA in assessing high-risk processing. A practical overview of the key steps to building sustainable GDPR compliance.


The GDPR: Origin, Purpose and Key Principles

GDPR: A European Regulation

The General Data Protection Regulation, or the GDPR, is the European reference text on personal data protection. It has been applicable across the entire European Union since May 25, 2018.

The regulatory framework established by the GDPR is designed to ensure transparency and to guarantee the rights of data subjects. It does so by making organizations accountable for their personal data processing and by giving national supervisory authorities the powers to investigate and sanction.

The GDPR applies to any public or private organization (company, non-profit, public administration, etc.) established in the European Union, whether or not the processing itself takes place in the EU. It also applies to organizations established outside the EU when they offer goods or services to individuals in the EU or monitor their behaviour there (Article 3).

Privacy by Design / Privacy by Default

Data protection by design

Massive data leaks are increasingly making headlines. To prevent this issue, the concept of Privacy By Design is rapidly gaining ground as a sound practice for processing and storing personal data.

What is Privacy By Design?

Set out in Article 25 of the General Data Protection Regulation, this principle requires organizations to think early on about the protective measures implemented for each processing activity, taking into account both the nature of the data to be processed and the parties involved in the processing (processors and other subcontractors, DPOs, project managers, etc.).

These measures are both technical and organizational. They facilitate GDPR compliance and guarantee the protection of data subject privacy. 

Organizations take a preventive approach to avoid non-compliant data processing.


Privacy by Default

Taking the Privacy by Design approach alone is not enough to ensure sufficient data protection.

A second requirement, also found in Article 25, applies once a product or service is actually in use: Privacy by Default.

Privacy by Default means that a product or service must meet data protection standards in its default configuration, without any action by the user. In the words of Article 25(2), only the personal data necessary for each specific purpose may be processed by default, and this applies to the amount of data collected, the extent of the processing, the storage period and who can access the data.

For example, for a software application, a user should not have to modify their settings to strengthen their data protection. Everything should be preconfigured for optimum data protection. 

Going further – How to implement the Privacy By Design principle?

Privacy By Design is usually presented through the 7 foundational principles formulated by Ann Cavoukian, former Information and Privacy Commissioner of Ontario, which predate the GDPR and underpin Article 25:

  • Take preventive measures proactively to avoid personal data breaches: anticipate and prevent privacy breaches before they occur. 
  • Provide default privacy protection, i.e., automated and implicit privacy protection. This protection must be assumed and automatic: the data subject should not need to request or implement it themselves 
  • Privacy embedded into the design of systems and business practices: privacy must be built into the architecture of the information system from the outset, and into the operational processes around it, rather than added on afterwards 
  • Ensure protection throughout the personal data retention period: all necessary measures must be implemented to ensure protection throughout the retention period, and data destruction at the end of said period 
  • Ensure integrated protection of privacy: privacy protection must be ensured while simultaneously considering the organization’s legitimate interests and objectives 
  • Respect user privacy: the interests of data subjects are the priority, and organizations must consider them during project design following privacy regulations 
  • Ensure visibility and transparency of an organization’s practices: every aspect of the systems involved in personal data protection must be visible and transparent in case of an audit. This helps build trust 

Privacy By Design principles must be taken into consideration every time a change occurs in an organization (e.g., new technology for processing personal data). 
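The principle of protecting data throughout its retention period, including its destruction at the end of that period, is one of the few items above that translates directly into code. The example below is an added illustration and is not part of the original article or of any EQS product: it schedules the deletion of records by processing purpose and honours a legal hold. The purposes, retention periods and sample records are assumptions constructed for the example; the GDPR does not prescribe concrete periods, it only requires that data be kept no longer than necessary (storage limitation, Article 5(1)(e)).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period per processing purpose. These values are illustrative
# assumptions for the example; the controller must justify its own periods.
RETENTION_POLICY = {
    "account": timedelta(days=365 * 3),   # customer account data
    "marketing": timedelta(days=365),     # newsletter / campaign data
    "web_logs": timedelta(days=90),       # access logs
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str            # must be a key of RETENTION_POLICY
    created_at: datetime    # timezone-aware
    legal_hold: bool = False  # e.g. litigation or a regulator's request


def expiry_of(record: Record) -> datetime:
    """Date after which the record must be deleted.

    A purpose without a defined retention period is an error, not an
    open-ended licence to keep the data, so we fail closed.
    """
    try:
        return record.created_at + RETENTION_POLICY[record.purpose]
    except KeyError:
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")


def enforce_retention(records, now):
    """Split records into (keep, delete, held).

    - keep:   still within the retention period
    - delete: past the retention period and not under legal hold
    - held:   past the retention period but frozen by a legal hold; these
              must be reviewed and deleted when the hold is lifted
    """
    keep, delete, held = [], [], []
    for record in records:
        if now < expiry_of(record):
            keep.append(record)
        elif record.legal_hold:
            held.append(record)
        else:
            delete.append(record)
    return keep, delete, held


# Constructed sample data: a fixed "now" keeps the example deterministic.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("acc-1", "account", datetime(2022, 1, 1, tzinfo=timezone.utc)),
    Record("mkt-1", "marketing", datetime(2023, 3, 1, tzinfo=timezone.utc)),
    Record("log-1", "web_logs", datetime(2024, 5, 15, tzinfo=timezone.utc)),
    Record("log-2", "web_logs", datetime(2024, 1, 1, tzinfo=timezone.utc), legal_hold=True),
]


if __name__ == "__main__":
    keep, delete, held = enforce_retention(SAMPLE_RECORDS, SAMPLE_NOW)
    for label, group in (("keep", keep), ("delete", delete), ("held", held)):
        print(label, [r.record_id for r in group])
```

Run as a scheduled job, the `delete` list is what actually gets erased (and logged as erased, so the destruction can be evidenced in an audit), while the `held` list is what the DPO needs to review. Keeping the retention policy in one table rather than scattered across services is what makes the "throughout the retention period" principle checkable.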

DPIA: Risk Analysis and Prevention

What is a GDPR DPIA?

A Data Protection Impact Assessment (DPIA) is a tool that makes organizations accountable for their personal data processing. More specifically, it is a structured assessment of the impact that an envisaged processing activity would have on the protection of personal data, required under Article 35 whenever the processing is likely to result in a high risk to the rights and freedoms of data subjects. It is broader than a pure IT security risk assessment: it also covers risks such as discrimination, loss of control over one's data or unlawful profiling.

Which processing activities require a GDPR DPIA?

Article 35(3) itself names three cases in which a DPIA is always required: systematic and extensive evaluation of individuals based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories of data or of data relating to criminal convictions and offences; and large-scale systematic monitoring of a publicly accessible area. The Article 29 Working Party guidelines on DPIAs (WP248, endorsed by the European Data Protection Board) turn these into a longer, non-exhaustive list of criteria that point to high-risk processing: 

  • Large-scale data processing 
  • Systematic monitoring of data subjects 
  • Automated decision-making with legal or similarly significant effects 
  • Processing of special categories of personal data (health, political opinions, religious beliefs, etc.) 
  • Evaluation or scoring based on personal data, including profiling and prediction 
  • Processing of biometric data and of data relating to criminal offences and convictions 
  • Innovative use or application of new technological or organizational solutions 
  • Matching or combining datasets 
  • Processing of data concerning vulnerable data subjects (children, employees, patients, etc.) 
  • Processing that prevents data subjects from exercising a right or using a service or a contract 


As a rule of thumb given in WP248, processing that meets two or more of these criteria requires a DPIA. The three cases in Article 35(3) require one on their own, and a single criterion can be enough when the controller judges the risk to be high; conversely, the controller may document why a DPIA is not needed despite two criteria being met. 

National supervisory authorities must publish a list of processing operations that require an impact assessment in their jurisdiction (Article 35(4)) and may publish a list of operations that do not (Article 35(5)). These lists take precedence over the generic criteria above. 

Use cases

Your company wishes to implement a system that scans outgoing emails to detect potential leaks of confidential information by employees. Your Data Protection Officer (DPO) is informed and recommends a DPIA, because such a system meets at least two criteria: systematic monitoring of data subjects (who are, as employees, also vulnerable data subjects) and the use of innovative technologies.

How do you conduct a GDPR DPIA?

The data controller is responsible for conducting the DPIA. It must be carried out before the processing activity is implemented, and the controller must seek the advice of the DPO where one has been designated (Article 35(2)). 

There are several ways to conduct a DPIA. 

Briefly, a DPIA describes the processing and its purposes, the legal basis and the necessity and proportionality of the processing, and all potential negative consequences for data subjects. It then documents the measures that reduce those risks. If a high residual risk remains after the planned measures, the controller must consult the supervisory authority before starting the processing (Article 36); if the residual risk is acceptable, the processing activity can be implemented and the DPIA kept up to date as the processing evolves.


Conclusion

The General Data Protection Regulation (GDPR) is the main European legal framework governing the protection of personal data. It has applied since May 25, 2018, to organizations established in the European Union and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It strengthens transparency, expands the rights of data subjects, and significantly increases the accountability of both private and public entities regarding the processing of personal data, with substantial penalties in the event of non-compliance.

Ola Mohty

Data Protection Expert – PhD in Law

Passionate about privacy and data security, Ola has been helping organizations turn compliance into a true trust-building lever since 2018. Drawing on her deep legal expertise in personal data protection, she combines legal precision with a practical approach to support organizations of all sizes. Her mission: making data protection accessible, strategic, and value-driven.
