Digital Innovation and Transformation: Impact Assessments and Data Protection by Design

The data protection impact assessment is based upon a double-barreled approach:

• the compliance assessment: the respect of data protection legal principles
• the analysis of the risks associated with the security of the personal data and which are likely to have an impact on the rights and liberties of individuals.

It is an ongoing improvement program that enables a company to adopt measures to attenuate the high risks to the rights and liberties of data subjects.

Article 35 of the European Regulation structures and formalizes the data protection impact assessment. If the high risks persist, then the data processing should in general be subject to a prior authorization of the supervisory data protection authority.

The data protection impact assessments are based upon a detailed analysis of the following elements regarding the data processing:

• Data processing context (legal, economic and social context, data processing purpose, data subjects, nature of the data processed…)
• Business relations with subcontractors that process the data or have access to it.
• Legal framework structuring the transfers of data outside the European Union.
• Security of information systems, of all the devices processing the data (mobile, connected objects, PC, servers, hard documents…) of software, of the network as well as the different means of communication.

Why carry out an impact assessment?

• It’s a risk-management tool for data processing,
• It’s a communication and transparency tool,
• It’s evidentiary proof for the company in question.

Data Protection by Design is the notion of integrating data protection principles into projects at their conceptualization stage.

Article 25 of the European Regulation: Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the data processing and the risks for rights and freedoms of individuals, the Data Controller shall implement appropriate technical and organizational data protection measures at the conceptualization of the processing.

Data Protection by Design embodies the following principles:

• It’s a proactive measure that relates back to anticipatory action,
• It’s a high level of protection by default: “Data Protection by Default”,
• From the conceptualization stage,
• And throughout the lifespan of the data,
• It’s a “win-win” strategy for the company and for individuals,
• It’s a program promoting transparency,
• It puts the individual at the heart of the project.