According to the confidentiality principle, controllers should minimize the risks to data subjects’ rights, interests, and freedoms. For this purpose, they should work on a risk-based approach (See the “Integrity and confidentiality” subsection in the “Main Principles” section of the General part of these Guidelines). In all cases, controllers need to ensure that they comply with data protection requirements and are able to show how they comply e.g. through documentation (see the “Accountability” subsection in the “Main Principles” section of the General part of these Guidelines).
To manage the risks to individuals that arise from the processing of personal data gathered from social networks, it is important that controllers develop a mature understanding and articulation of fundamental rights, risks, and how to balance these and other interests. Ultimately, it is necessary for controllers to assess the risks to individuals’ rights that the use of the data poses, and determine how they need to address these and establish the impact this has on their use for research purposes. For this purpose, there are two key factors that must be considered:
- Risks arising from the processing itself, such as the emergence of biases associated with profiling or automated decision-making systems.
- Risks arising from the processing in relation to the social context, and the side effects indirectly related to the object of processing that may occur.
In order to minimize such risks, controllers must ensure that appropriate technical and organizational measures are implemented to eliminate, or at least mitigate, the security risk, reducing the probability that the identified threats will materialize, or reducing their impact. It is necessary to take into account the security standards that already exist in the market, as well as the compliance standards in relation to data protection that will apply to the processing. Furthermore, developers should always remember that Article 32(4) GDPR clarifies that an important element of security is to ensure that “any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law” (See the “Integrity and confidentiality” subsection in the “Main Principles” section of the General part of these Guidelines).
The general description of the technical and organizational security measures must become a part of the processing records, where possible (Article 30(1) (g) for controllers, and 30(2) (d) for processors) and all implemented measures must form part of the DPIA, as supporting remediation measures to limit risk. Finally, once the selected measures are implemented, the remaining residual risk should be assessed and kept under control. Both the risk analysis and the DPIA are the tools that apply. The risk evaluation and the decisions taken “have to be documented in order to comply with the requirement of data protection by design” (of Article 25 of the GDPR) (see the ‘Data Protection by Design and by Default (DPbDD)’subsection in the “Main Concepts” section of the General Part of these Guidelines”).
Finally, the controllers should always be aware that, according to Article 32(1) (d) of the GDPR, data protection is a process. Therefore, they should test, assess, and evaluate the effectiveness of technical and organizational measures regularly. Procedures that help controllers to identify changes that would trigger a revisit of the DPIA should be created at this moment. Whenever possible, controllers should try to impose a dynamic model of monitoring the measures at stake (See the “Integrity and confidentiality” subsection in the “Main Principles” section of the General part of these Guidelines).
|Checklist: integrity and confidentiality
☐ The controllers have introduced the necessary procedures to ensure that the data subject rights are adequately satisfied, no matter if the data subjects are the end-users or third parties.
☐ The controllers have introduced the necessary procedures to ensure that the data subject rights are satisfied in time (maximum one month after request).
☐ The controllers have introduced efficient tools to ensure that data subjects are able to exercise their rights in a practical manner, for instance by introducing data interoperability standards.
☐ Data subjects are in a position to have access to all their personal data, including the raw data that are gathered from the social networks.
☐ The controllers have implemented tools to locally read, edit and modify the data before they are transferred to any data controller. Furthermore, personal data processed by a device is stored in a format allowing data portability.
☐ The controllers have introduced tools able to communicate rectified data to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
☐ The controllers have introduced tools able to ensure that all data are efficiently deleted at the data subjects’ request if there are no lawful reasons to oppose that request.
☐ The controllers have ensured that withdrawal schemes should be fine grained and should cover:
☐ The controllers have documented all the information regarding these issues.
1AEPD (2020) Adecuación al RGPD de tratamientos que incorporan Inteligencia Artificial. Una introducción. Agencia EspanolaProteccion Datos, Madrid, p.30. Available at: www.aepd.es/sites/default/files/2020-02/adecuacion-rgpd-ia.pdf (accessed 15 May 2020). ↑