IEEE Technology and Society Magazine - December 2020 - 64

Having Data Processing Agreement contracts in
place with third parties, if the organization contracts
third parties to process data for them.
■ Appointing a Data Protection officer (not in all cases,
though), and so on.

the period of their storage and their accessibility. In
particular, such measures shall ensure that by default
personal data are not made accessible without the
individual's intervention to an indefinite number of
natural persons. " The same rule has been also
expressed by the last sentence of point 78 of the
recital to the GDPR. The principles of data protection
by design and by default should also be taken into
consideration in the context of public tender.

■

The GDPR requires organizations to handle data in a
secure way, by implementing " appropriate technical and
organizational measures. " This may mean actions from
requiring the organization's staff to use two-factor
authentication on accounts where personal data are
stored, to contracting with cloud providers using end-toend encryption. On the other hand, organizational measures comprise aspects like staff trainings, adding a
data privacy policy to the company's handbook, limiting
access to personal data to only those workers who need
it, etc. In case of a data breach, the organization has 72
hours to tell the data subject - or face penalties. If the
company uses technological safeguards, such as
encryption, to render data useless to attackers, the notification requirement may be waived.
From the moment the GDPR was put into effect,
everything that is done in a business must consider data
protection " by design and by default. " This means that
the design of any new product or activity must follow
the data protection principles. In other words, data protection " should not be an afterthought or an issue casually considered at the end of a project or bolted onto
procedures; it must be central to the way that organizations plan and operate " [16].
Data protection by design and by default principles
are regulated in the article 25 of the GDPR, according
to which:
1) Taking into account the state of the art, the cost of
implementation and the nature, scope, context, and
purposes of processing as well as the risks of varying
likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller
shall, both at the time of the determination of the
means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which
are designed to implement data-protection principles,
such as data minimization, in an effective manner and
to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2) The controller shall implement appropriate technical
and organizational measures for ensuring that, by
default, only personal data which are necessary for
each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing,

64

It is worth noticing that on November 2019 the European Data Protection Board approved the Guidelines
4/2019 on Article 25 Data Protection by Design and by
Default [17], which contain the detailed guidelines
regarding the previsions from the Article 25 of the GDPR.

Data Protection Officer
Under some conditions, data controllers or processors
also need to appoint a Data Protection Officer (DPO):
If they are a public authority other than a court acting in a judicial capacity,
■ If their core activities require them to monitor people systematically and regularly, on a larger scale,
■ Or if their core activities are large-scale processing
of special categories of data listed under Article 9 of
the GDPR or data relating to criminal convictions
and offenses mentioned in Article 10.
■

A DPO may be designated even if it is not required, as
there are benefits to having a person in this role. A DPO's
basic tasks involve understanding the GDPR and the ways
it applies to organizations, advising people in a given
organization about their responsibilities, conducting
audits and trainings in data protection, monitoring the
GDPR compliance and serving as a liaison with regulators.

Data Protection Impact Assessment
Another aspect related to our work is the Data Protection Impact Assessment. In 2017 Article 29 Data Protection Working Party approved the document: Guidelines
on Data Protection Impact Assessment (DPIA) and determining whether processing is likely to result in a high
risk for the purposes of Regulation 2016/679 [20].
It was indicated that " DPIA is a process designed to
describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of
personal data by assessing them and determining the
measures to address them. " DPIAs are important tools for
accountability, as they help controllers not only to comply
with requirements of the GDPR, but also to demonstrate
that appropriate measures have been taken to ensure
compliance with the Regulation " In line with the risk-based

IEEE TECHNOLOGY AND SOCIETY MAGAZINE

∕

DECEMBER 2020
IEEE Technology and Society Magazine - December 2020

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - December 2020
