What does the GDPR say about the implementation of privacy and security by design?

21st August 2017 by Marie-Claire Péroux

Embedded privacy and security by design is a new requirements under the new rules on privacy protection in the EU.
Main points to consider for your personal data policy.
More details here.

Art 32: security of processing

4 points your company has to take into account

1) the state of the art

You must keep informed on the latest norms and industry guidance for example
- ISO 27002 : 2013 [2]
- best industry guidance for software engineering as defined by the IEEE "Guide to the Software Engineering Body of Knowledge" [3]
- "Software Engineering Book of Knowledge Software Engineering Code of Ethics and Professional Practice"
- "Software Engineering Code of Ethics and Professional Practice" [4]
- "Best Practices for Consumer Wearables & Wellness Apps & Devices" [5]
- Open Web Application Security Project (OWASP) [6]
Adherence to an approved code of conduct or an approved certification mechanism as referred may be used as an element by which to demonstrate compliance [7]

2) the costs of implementation

3) The nature, scope, context and purposes of processing

4) The risk of varying likelihood and severity for the rights and freedoms of natural persons

"it is also important to note that the notion of risk is central in general in GDPR as a threshold for the controller to implement different obligations, for example with regard to the notification of personal data breaches (Articles 33 and 34 GDPR), the conduction of data protection impact assessment, the prior consultation with competent authorities (Article 36 GDPR)." [8]
- In France, the Supervisory Authority, the CNIL, recommends the use of the EBIOS method
- ISO/IEC 27005:2011 36 can be used too
- NEW: ISO/IEC 29134: 2017- Information technology - Security techniques - Guidelines for privacy impact assessment [9]

Risk management and Data Protection Impact Assessment (DPIA)

A DPIA is mandatory in case a processing is likely to result in "a high risk to the rights and freedoms of natural persons" [10]
The GDPR gives some example of processing requiring a DPIA but it is not an exhaustive list [11]:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person

(b) processing on a large scale of special categories of data referred to in Article 9(1), [12] or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

=>You can find more explanations on what constitutes a high risk to the rights and freedoms of natural persons in guides edited by Article 29 data protection Working Party [13]
"Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679" as of April 4, 2017 41 is a good document to start with.

ILLUSTRATION OF THE BASIC PRINCIPLES RELATED TO THE DPIA IN THE GDPR, REPRODUCED FROM THE GUIDELINES [14]

References:
[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
[2] "Guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s)." https://www.iso.org/standard/54533.html
[3] SWEBOK V3, IEEE, https://www.computer.org/web/swebok/v3
[4] "Software Engineering Code of Ethics and Professional Practice" Association for Computing Machinery, ACM, 2015, http://www.acm.org/about/se-code#full
[5] https://fpf.org/wp-content/uploads/2016/08/FPF-Best-Practices-for-Wearables-and-Wellness- Apps-and-Devices-Final.pdf
[6] https://www.owasp.org/index.php/Main_Page
[7] art 32 -3, GDPR, note i)
[8] "Guidelines for SMEs on the security of personal data processing", page 7, European Union Agency For Network and Information Security, ENISA, January 27, 2017 https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing
[9] https://www.iso.org/standard/62289.html [10] Art 35 -1 GDPR, note i)
[11] Art 35 -3, ibid.
[12] Sensitive data: "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation"
[13] In the coming months the Article 29 Working Party, whose members were the EU’s national supervisory authorities, the European Data Protection Supervisor (“EDPS”) and the European Commission, will be transformed into the “European Data Protection Board” (“EDPB”), with similar membership but an independent Secretariat. This Board will "give advice and guidance and to approve EU-wide codes and certification https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/64-- guide-to-the-gdpr--european-data-protection-board.pdf?la=en
[14] Article 29 Working Party "Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679" as of April 4, 2017. http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083