Full reference: Pailler, L., Technological Tools, Compliance by Design and GDPR: the Protection of Personal Data from Design, in M.-A. (dir.), Compliance Tools, series "Régulations & Compliance", Journal of Regulation & Compliance and Dalloz, 2020, to be published.
Summary of the article (by Marie-Anne Frison-Roche)
The author considers that the GDPR has changed the "paradigm" of data protection, moving it into Compliance, in that data controllers must ensure the effectiveness of the rules defined by the Regulation and are accountable for doing so. In addition, the data processed by the algorithm is described as a "means of compliance" and is used for vigilance plans and all the other tools, this building block being common to all of Compliance Law. To respect the Law, and in particular to protect people, Compliance by design continues to integrate "compliance" from the design stage of its tools through standard techniques (Privacy Enhancing Technologies, PETs), which the GDPR has given legal status.
The author analyzes the technological means of protecting data from the design of the tool, which complement the Law and the contract. They are part of the "measures" required to protect people, for example in transfers to third countries, and these technological means are classified according to their degree of effectiveness. The principle is freedom in the choice of technology, but the Law requires and verifies that it be not only effective but also robust, easy to use and compatible with the tools in use. The author emphasizes that the notion of "effectiveness" encompasses these particular requirements. This effectiveness, which must be proven a priori ("documented"), is checked by the Authorities with regard to the appropriateness of the measurement techniques, their effective implementation and their concrete effect.
Even if this is only subject to the state of the art, it must develop its technical resources, helped by the authorities (cf. the "compliance pack" of the CNIL, the French data regulator). Even if the powers were aimed at optimizing costs, it must bear them; the context and the purpose of the processing do not ultimately become proportional. So if the risk is very high for people, it will be necessary to insert techniques and protections other than those of Compliance Law.