► Full reference: L. Pailler, "Les outils technologiques, la Compliance by design et le RGPD : la protection des données dès la conception" ("Technological tools, Compliance by design and the GDPR: the protection of personal data from the design stage"), in M.-A. Frison-Roche (ed.), Les outils de la Compliance, coll. "Régulations & Compliance", Journal of Regulation & Compliance (JoRC) and Dalloz, 2021, pp. 279-286.
► Summary of the article (written by the Journal of Regulation & Compliance): The author considers that the GDPR has changed the "paradigm" of data protection for the party that bears Compliance obligations, in that data controllers must ensure the effectiveness of the rules laid down by the Regulation and are accountable for doing so. In addition, the data processed by the algorithm is a "means of compliance" in its own right and is used for vigilance plans and all the other tools, this building block being common to the whole of Compliance Law. To comply with the Law, and in particular to protect people, Compliance by design integrates "compliance" from the design stage of its tools through standard techniques (Privacy Enhancing Technologies, PETs), which the GDPR has given legal status.
The author analyses the technological means of protecting data from the design of the tool onwards, which complement the Law and the contract. They form part of the "measures" required to protect people, for example in the case of transfers to third countries, and these technological means are classified according to their degree of effectiveness. While the choice of technology is in principle free, the Law requires, and checks, that it be not only effective but also robust, easy to use and compatible with the tools in use. The author emphasises that the notion of "effectiveness" encompasses these specific requirements. This effectiveness, which must be demonstrated in advance ("documented"), is assessed by the Authorities as to the appropriateness of the techniques chosen, their actual implementation and their concrete effect.
Even though the controller is only bound by the state of the art, it must develop its technical resources, helped by the authorities (cf. the "compliance pack" of the CNIL, the French data protection authority). Even if the aim was to optimise costs, the controller must bear them; the context and purpose of the processing do not ultimately make them proportional. Thus, where the risk to people is very high, it will be necessary to add techniques and protections beyond those of Compliance Law.