El futuro del RGPD

As we come to the end of our long journey through the world of data protection, we have one final aspect to consider: privacy by design. The legislation wants all data controllers to take the right to privacy into account when planning future personal data processing operations.

Thus, the creators of the GDPR assume that privacy management will be reflected in what we do. If we do so, legal requirements will become a natural and obvious aspect of building an application or setting up a website or, equally, organizing a survey or conducting a scientific study.

It is best not to collect or process personal data except when necessary; and even when we have a good reason to collect and process such data, we need to limit processing operations to those that are strictly necessary. Therefore, all new initiatives in this area require a reflection on what we should do.

  • Although in the past it was considered advisable to add more attributes or fields to a file when performing an analysis for a new application or when designing a database (based on the idea that they might be useful in the future), today it is more important that the amount of data is kept to a minimum and tailored to the specific purpose for which the data will be processed.
  • It is advisable to include information in a database to indicate when a specific piece of data is outdated or obsolete, or simply when we should stop keeping it. This facilitates the systematic deletion of data when it is no longer needed, or when we can no longer guarantee its accuracy.

In the future, applications should contain functionality that guarantees the data subject’s rights and facilitates their exercise in practice.

  • Whenever an application requests personal data from data subjects, we must at the same time provide information on the purpose for which the data is requested, the duration of the processing of such data, the risks involved and the protection measures. For example, a smartphone app that tracks sports performance must provide the user with adequate information about the data it collects and stores in the background, and communicate what its creator intends to do with that data before the user uses the app for the first time. It is desirable that this aspect be incorporated into the user interfaces of the applications.
  • Similarly, anyone attempting to collect data through a website must immediately provide clear and basic information about the data processing operations. Such information must be provided in a timely manner. In addition, as far as possible, distinctions should be made between the different potential purposes.
  • Future applications could also include functionality that allows data subjects to view their data and, if the situation allows, rectify, complete or delete it. Of course, this is only possible if the data subject’s rights do not conflict with other interests.

Privacy by design also means that, when designing an application, best practices for protecting data are considered from the outset.

  • For example, whenever possible, you can create the application so that everything is encrypted. A website can use encryption protocols, such as https, and data can be exchanged via encrypted files sent over encrypted channels. If the data are to be retained for some time after a processing operation, they can also be retained in an encrypted archive, e.g. in a secure digital archive. All these measures reduce the risk of data becoming public or falling into the wrong hands. It is important to take these steps early in the design phase, as it will be cheaper than making the changes later.
  • Another measure that may also be considered in some circumstances is the pseudonymization of data. This means that we remove direct references to specific individuals from the files. This measure reduces the risk of infringements in the event of a mishap in connection with a file.

All this leads us to talk about the privacy by defaultThis means that when an application allows the user to choose whether or not to make data public, share it with others, or make it available for certain types of processing operations or future communications, the standard configuration of that application should always be the most secure. These settings are only changed if the user actively performs a procedure (e.g. by checking a box or clicking a button to indicate consent).

As you can see, maximum data privacy can be ensured by using all kinds of measures, which the GDPR encourages everyone to apply at all times and to the fullest extent. Data privacy is not an issue to be forgotten or dispensed with in a current project. On the contrary. This is an issue that should concern us.

The future will show how large and small companies, individual data subjects (who may be prompted to act by consumer organizations or trade unions), supervisory authorities and the EU itself will deal with the GDPR. There is no doubt that the courts will have to deal with some complex litigation. Moreover, it will be difficult to predict what the answers will be to the many questions that remain to be answered. However, one thing is clear to us: data privacy is something to keep in mind, and most likely always will be.

This article has been extracted from
Group Joos