GDPR Newsletter

The PwC DPO voice - Data protection by design and by default

N°10 - October 2017 edition

Data protection by design and by default: the epitome of accountability

Who can honestly say they've never had writer's block: first nothing, then a blur, and finally an extremely active thought process? Who has never tried to prise emotion from torpor, to create something from nothing, or to give sense to the abstruse? It is a truly exhilarating notion.

The possibilities seem endless, sparking in us the pipe dream of freeing ourselves from the aesthetic conventions and the functional, technical, legal, economic, social and even philosophical considerations that play a necessary role in the very purpose of our creation.

But with the EU Regulation on the protection of natural persons with regard to the processing of personal data (the "GDPR"), as soon as personal data becomes involved, the budding artist lurking within us will have to morph into someone who is analytical and meticulous.

Make sure you know your GDPR obligations before you start

Article 5 of the GDPR lays down the principles applicable to the processing of personal data: (i) lawfulness, fairness and transparency; (ii) purpose limitation; (iii) data minimisation; (iv) accuracy; (v) storage limitation; (vi) integrity and confidentiality; and (vii) accountability.

Meanwhile, Chapter 3 of the Regulation addresses the rights of the data subject (the person whose data is being processed). These rights are: (i) transparency; (ii) access; (iii) rectification and erasure; (iv) restriction of processing; (v) portability; and (vi) the right to object.

These provisions are not abstract theoretical concepts; they must be built, to the letter, into any project in which you intend to process personal data. An essential prerequisite is to treat them as an inescapable canvas that channels your aspirations: the blank page then gives way to an exhaustive checklist covering, at the very least, each of the thirteen requirements listed above, every one of which must be met before you launch your project.

This exercise must be systematically repeated every time a new project begins, and the responses must be challenged and documented.

Make sure you understand the rights and freedoms of natural persons before you start

At the same time, the GDPR takes a risk-based approach, weighing both the likelihood and the severity of a risk. The more significant the potential impact on the rights and freedoms of data subjects, the more carefully the data controller must consider additional technical and organisational measures that are technically and financially viable (the Regulation speaks of the state of the art and the cost of implementation), in order to reduce those risks. Such measures may include access-right management, encryption, and pseudonymisation or anonymisation, among others.

These risk-mitigation measures must be preventive. In other words, just like with the aforementioned checklist, they must be planned at the outset of any project involving the processing of personal data.

Be aware that data protection by design neither excludes remedial measures nor means adopting a stance frozen in time. A risk analysis is by definition iterative and evolving: an initial design that turns out to be unsuitable must be corrected, and new risks, which are bound to arise as new threats and system vulnerabilities appear, must be addressed through measures tailored to them. Equally, new technologies that strengthen data protection may emerge and be integrated into a process that already exists today.

In practice...

Data protection by design and by default necessitates changes in stakeholders' habits. The data controller must adopt a radically different perspective on the data itself in order to change the project manager's way of thinking, disrupt the DNA of the IT architecture and raise the data owners' awareness of the regulatory challenges.

While the requirement to protect data by design and by default adds another layer of administration and documentation, which may seem onerous in a business environment that demands agility and responsiveness, it is in fact an objective streamlining of processes that captures all the benefits of preventing risks (rather than eliminating them entirely) and mitigating their impact. It enables businesses to build the trust needed between the data controller and its partners, employees and clients. It could also become a real commercial advantage once it is, for example, backed by certification - a possibility the GDPR provides for in Article 42.

Cédric Nédélec
Data Protection Officer

Contact us

Frédéric Vonner
Partner, GDPR Leader, PwC Luxembourg
Tel: +352 49 48 48 4173

Cédric Nédélec
Data Protection Officer, PwC Luxembourg
Tel: +352 49 48 48 2186

Ludovic Raymond
Tel: +352 49 48 48 4304
