Security and GDPR

Understanding GDPR

Shalini Kurapati, CIPP/E

Co-founder and CEO, Clearbox AI

Security aspects of GDPR

  • Integrity and confidentiality
  • Organizational and technical measures
  • Privacy risks
  • Privacy by design and privacy enhancing technologies

Integrity and confidentiality

An illustration of a lock on top of a supposed database.

  • Article 5 GDPR principles
  • Ensure security of personal data
  • Protection against:
    • Unauthorized access
    • Unlawful processing
    • Accidental loss or damage
  • Examples - identity theft, activist safety

Organizational measures

Illustration of a company training session representing company data and procedures using charts and two gears.

  • Awareness and culture shift
  • Training, skills development
  • Policies and statements
  • Role definitions and relationships
  • Clear accountability
  • Risk assessments

Data protection impact assessment (DPIA)

A picture of lettered dice, where the word RISK has been formed with the lettered dice.

  • High-risk processing - sensitive data, large scale
  • Risk is a negative consequence for the rights and safety of data subjects
  • Context, nature, scope and purposes
  • Assess the risks and benefits
  • Mitigation measures
  • Residual risk
  • Good practice even if not high risk

DPIA criteria

Illustration of a checklist.

  • Evaluation, Automated decision making
  • Systematic monitoring - tracking
  • Sensitive data - biometric, health
  • Large scale data processing
  • Datasets that have been combined
  • Vulnerable data subjects
  • Use of new technologies
  • Non-EU transfers, no adequacy decisions

[1] Article 29 Data Protection Working Party. Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679.

DPIA use cases

Example 1 - Smart Surveillance in Train Stations

Picture of the inside of a train, with signs showing that smoking, noise and eating are not allowed and a camera sticker indicating video surveillance.

  • Police force of an EU country
  • Images and biometric data
  • Identify individuals, high accuracy

Example 2 - Emotional Decoding for In-Store Advertising

A picture of an algorithm processing the facial features of a person.

  • In-house targeted advertising system
  • Cameras on ad display screens
  • How long they look, age, gender, emotions

[1] Felix Bieker, Nicholas Martin, Michael Friedewald, Marit Hansen. Data Protection Impact Assessment: A Hands-On Tour of the GDPR’s Most Practical Tool. doi:10.1007/978-3-319-92925-5_13. hal-01883612.

Let's practice!
