Module 5: How to face security and privacy challenges
Landing the Concept
The adoption of the General Data Protection Regulation (hereafter GDPR) has dramatically altered the requirements for processing personal data, wherever this processing happens, as long as the data is indeed personal and relates to individuals living in the European Union [1].
Privacy and security against data misuse, theft and loss have therefore become paramount for any institution that has to acquire and store personal data. To understand what needs to be done, and to evaluate whether your institution is already doing enough to process personal data according to the GDPR, we propose a simple dissemination text written for this purpose, which also explores the concepts of security and privacy by default.
Alongside it, you’ll be provided with an example of how to create a “privacy notice”. This document must be provided by the institution to every data subject whose personal data undergoes processing. It is of primary importance, as it formalizes all the steps required by the GDPR in order to have a safe and secure processing of personal data by that institution [2]: a bad information notice immediately means a bad way of processing data [3].
Take Action!
By following the questions outlined in the attached document, in the section “Privacy Notice”, you should be able to evaluate the adequacy of just about any Privacy Notice, including the one from your institution.
We suggest that you obtain your institution’s Privacy Notice and analyze it in light of what is described in the attached document. Usually, you should be able to find it online, in pages simply titled “Privacy” or “How we process personal data”. In the last chapter of the document there are a number of questions, listed by the GDPR.eu page: these should help you assess the quality of your institution’s Privacy Notice. For example, is the Privacy Notice written in an easy-to-understand way? Is it divided into clear paragraphs? Does it detail all the requirements imposed by the GDPR? We encourage you to write a few lines of commentary on your analysis, identifying particular strengths of your institution’s Privacy Notice (perhaps because better protections than those required by default are provided to data subjects) or weaknesses (perhaps because some rights are not specified well enough or the Privacy Notice is not written clearly enough).
Test Yourself
References
- [1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN, “whereas” number 2.
- [2] As per articles 12, 13, 14 GDPR. But mainly 13: https://www.privacy-regulation.eu/en/article-13-information-to-be-provided-where-personal-data-are-collected-from-the-data-subject-GDPR.htm
- [3] An idea also explored in the Guidelines provided by the EU Commission: https://ec.europa.eu/newsroom/article29/items/622227