
Following the publication in 2011 of the guide for SMEs “Security of personal data”, the CNIL publishes an English translation of its two "advanced" security and privacy risk management guides. They consist of a privacy risk management methodology and a catalogue of measures helping organizations to choose the appropriate controls to protect their personal data processing operations.
The French Data Protection Act provides in article 34 that data controllers shall "take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data".
In other words, data controllers must identify the risks related to the processing of personal data before determining the appropriate measures to reduce them. To this end, it is necessary to adopt a global vision and to study the impacts of the processing of personal data on data subjects.
In 2010, the CNIL published a first guide named "Security of personal data", which was then translated into English in 2011. This guide is composed of a set of factsheets on the basic precautions a data controller should take when processing personal data. However, it reaches its limits when identified stakes are high or when the system is complex.
The two new guides propose a way to build a comprehensive analysis to handle complex personal data processing operations. These documents are primarily intended for use by controllers, data protection officers (DPO) and chief information security officers (CISO). They assist them in creating a rational understanding of the risks arising from the processing of personal data and in choosing the necessary and sufficient organizational and technical measures to protect privacy.
They consist of: a methodology for managing the risks that can affect individuals; and a catalogue of measures and best practices to treat the risks identified with the methodology.
A case study on the management of patients in a medical context, carried out by the Club EBIOS (available in French), illustrates an application of these tools.