Personal data protection within the information system
Article REF: H5455 V2


Author : Guillaume PIOLLE

Publication date: September 10, 2018


Overview

ABSTRACT

Personal data protection has become a critical aspect of information system management and security. Both decision-makers and engineers now need to be well-acquainted with the regulations and good practices in the domain, to prevent computing tools from putting at risk the privacy of individuals and the legal security of organizations. This article explains the link between privacy and personal data protection. It presents the applicable legal context and its evolution at the European level. The issues and tools related to the right to be forgotten and to erasure are set out, together with an overview of the main anonymization techniques and their limitations.


AUTHOR

  • Guillaume PIOLLE: Teacher-researcher in computer science, CentraleSupélec / Inria, CIDRE team, CS47601, Avenue de la Boulaie, 35576 Cesson-Sévigné Cedex, France.

INTRODUCTION

The protection of personal data is sometimes seen as a constraint for an organization, but also as the reserved domain of a clearly identified member of the legal or information systems department, responsible for ensuring that the right declaration forms are sent out and that the mandatory notices appear where they are expected. Nevertheless, these administrative rules and constraints, which may appear burdensome to those who design or operate systems, are only a particularly visible part of a set of regulations established and maintained to prevent individuals (be they employees, customers, partners, users, prospects...) from having their privacy breached.

A "privacy breach" is a real legal and operational risk for an organization, whether that organization is a company, an association, a public authority... It generally stems from a breach of confidentiality of personal information, and can take the form of uncontrolled disclosure, identity theft, unwanted intrusion or interference in the private sphere, or various forms of discrimination and harassment. When individuals suffer such breaches at the hands of an organization, the consequences for them are often benign, but sometimes catastrophic. A breach of privacy can have a more or less serious impact on social relations (and, in extreme cases, even lead to suicide attempts), and can involve financial loss, administrative inconvenience and the risk of criminal prosecution (in the case of identity theft, for example), as well as more minor inconveniences such as unsolicited communications. The consequences for the organization in question may affect its reputation or market positioning. Moreover, it may be held legally liable in both civil and criminal proceedings.

For these reasons, the risks to personal data handled by the organization are increasingly included in the operational scope of the information systems security manager, and taken as seriously as the protection of the company's information assets (of which personal data is often an essential component). For this protection to be effective, it is essential that all members of the organization, and in particular those interacting with automated data processing systems, have a real awareness of the nature of the risks, of their responsibility in data processing, and of the motivations and principles underlying existing rules and constraints.

The aim of this article is to offer a concrete and pragmatic view of this regulatory framework. It is neither a legal treatise nor an exhaustive legal guide, but the view of an engineer and computer scientist on a legal framework that is too often the subject of misconceptions, perceived as more or less restrictive than it is, and sometimes criticized, rightly or wrongly, as failing to achieve...

KEYWORDS

regulation   |   Privacy   |   personal data protection   |   computing   |   information systems   |   GDPR
