Overview
ABSTRACT
Personal data protection has become a critical aspect of information system management and security. Both decision-makers and engineers now need to be well-acquainted with the regulations and good practices in the domain, to prevent computing tools from putting at risk the privacy of individuals and the legal security of organizations. This article explains the link between privacy and personal data protection. It presents the applicable legal context and its evolution at the European level. The issues and tools related to the right to be forgotten and to erasure are set out, together with an overview of the main anonymization techniques and their limitations.
Read this article from a comprehensive knowledge base, updated and supplemented with articles reviewed by scientific committees.
Read the articleAUTHOR
-
Guillaume PIOLLE: Teacher-researcher in computer science - CentraleSupélec / Inria, CIDRE team, - CS47601, Avenue de la Boulaie, 35576 Cesson-Sévigné Cedex, France.
INTRODUCTION
The protection of personal data is sometimes seen as a constraint for an organization, but also as the reserved domain of a clearly identified member of the legal or information systems departments, responsible for ensuring that the right declaration forms are sent out, and that the obligatory mentions appear where they are expected. Nevertheless, administrative rules and constraints, which may appear burdensome for those responsible for designing or operating systems, are only a particularly visible part of a set of regulations set up and maintained to prevent individuals (be they employees, customers, partners, users, prospects...) from having their privacy breached.
A "privacy breach" is a real legal and operational risk for an organization, whether that organization is a company, an association, a public authority... It generally stems from a breach of confidentiality of personal information, and can take the form of uncontrolled disclosure, identity theft, unwanted intrusion or interference in the private sphere, or various forms of discrimination and harassment. When individuals suffer such breaches at the hands of an organization, the consequences for them are often benign, but sometimes catastrophic. A breach of privacy can have a more or less serious impact on social relations (and, in extreme cases, even lead to suicide attempts), involve financial loss, administrative inconvenience, the risk of criminal prosecution (in the case of identity theft, for example), as well as more minor inconveniences such as unsolicited communications. The consequences for the organization in question may affect its reputation or market positioning. What's more, its legal liability may be invoked in both civil and criminal proceedings.
For these reasons, the risks weighing on personal data handled by the organization are increasingly integrated into the operational perimeter of the information systems security manager, and taken as seriously as the protection of the company's information assets (of which personal data is often an essential component). For this protection to be effective, it is essential that all members of the organization, and in particular those interacting with automated data processing systems, have a real awareness of the nature of the risks, of their responsibility in data processing, and of the motivations and principles underlying existing rules and constraints.
The aim of this article is to offer a concrete and pragmatic vision of this regulatory framework. It is not a legal work, nor an exhaustive legal guide, but the vision of an engineer and a computer scientist on a legal framework too often fantasized, perceived as more or less restrictive than it is, and sometimes criticized, rightly or wrongly, as failing to achieve...
Exclusive to subscribers. 97% yet to be discovered!
You do not have access to this resource.
Click here to request your free trial access!
Already subscribed? Log in!
The Ultimate Scientific and Technical Reference
KEYWORDS
regulation | Privacy | personal data protection | computing | information systems | GDPR
This article is included in
Security of information systems
This offer includes:
Knowledge Base
Updated and enriched with articles validated by our scientific committees
Services
A set of exclusive tools to complement the resources
Practical Path
Operational and didactic, to guarantee the acquisition of transversal skills
Doc & Quiz
Interactive articles with quizzes, for constructive reading
Protection of personal data in the information system
Bibliography
- (1) - Article 29 Data Protection Working Party - Guidelines on the implementation of the Court of Justice of the European Union judgment on « Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González » CC-131/12. - Technical report, European Commission, November 2014.
- ...
Websites
Agence Nationale de la Sécurité des Systèmes d'Information. https://www. ssi.gouv.fr/ . (page consulted on March 2, 2018).
Commission Nationale de l'Informatique et des Libertés. https://www.cnil.fr/ . (page consulted on March 2, 2018)....
Norms, standards and recommendations
Agence Nationale de la Sécurité des Systèmes d'Information. Référentiel général de sécurité (RGS). http://www.ssi.gouv.fr/administration/reglementation/administration-electronique/le-referentiel-general-de-securite-rgs/...
Regulations
Council of Europe. Convention for the Protection of Human Rights and Fundamental Freedoms. CETS no. 005, November 4, 1950.
The European Parliament and the Council. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)....
Exclusive to subscribers. 97% yet to be discovered!
You do not have access to this resource.
Click here to request your free trial access!
Already subscribed? Log in!
The Ultimate Scientific and Technical Reference