{"id":15942,"date":"2020-07-13T14:05:11","date_gmt":"2020-07-13T12:05:11","guid":{"rendered":"https:\/\/eiposgrados.com\/?p=15942"},"modified":"2021-09-29T13:41:53","modified_gmt":"2021-09-29T11:41:53","slug":"risk-analysis-in-the-rgpd-art-25","status":"publish","type":"post","link":"https:\/\/eiposgrados.com\/eng\/blog-dpo\/analisis-de-riesgos-en-el-rgpd-art-25\/","title":{"rendered":"Risk Analysis in the RGPD: Art. 25"},"content":{"rendered":"<p>By<a href=\"https:\/\/www.linkedin.com\/in\/el%C3%ADas-vallejo-grande-ab837488\/\" target=\"_blank\" rel=\"noopener\"><strong> Elias Vallejo<\/strong><\/a>, professor of \u201cData protection audits and information systems\u201d in the master&#039;s degree in\u00a0 <a href=\"https:\/\/eiposgrados.com\/eng\/master-in-data-protection-management-and-chief-compliance-officer\/\"><strong>Compliance &amp; Data Protection Directorate<\/strong><\/a> of <a href=\"https:\/\/eiposgrados.com\/eng\/\"><strong>the EIP International Business School<\/strong><\/a>, who wanted to share with us a study analyzing the different risks mentioned in the RGPD.<\/p>\n<h2><strong>Different risk analyses in the GDPR<\/strong><\/h2>\n<p>Professor El\u00edas Vallejo comments that the idea of carrying out a risk analysis in the RGPD is present in 3 cases.<\/p>\n<ol>\n<li>24.- Responsibility of the Data Controller and Art. 35 Data Protection Impact Assessments<\/li>\n<li>32.- Security of Treatment.<\/li>\n<li>25.- Data protection from design and by default<\/li>\n<\/ol>\n<p>In the first and second posts of our Data Protection &amp; Regulatory Compliance Specialists Blog, Elias Vallejo told us about the <a href=\"https:\/\/eiposgrados.com\/eng\/blog\/risk-analysis-in-the-rgpd-arts-24-and-35\/\"><strong>Art. 24, Responsibility of the Data Controller, Art. 35 Data Protection Impact Assessments and<\/strong><\/a> about <a href=\"https:\/\/eiposgrados.com\/eng\/blog\/risk-analysis-in-the-rgpd-art-32\/\"><strong>Art. 32, Security of Treatment<\/strong><\/a>.<\/p>\n<p>We leave you the words of El\u00edas Vallejo about Art. 25, Data protection from design and by default.<\/p>\n<h2><strong><u>Art. 25.- Data protection from design and by default<\/u><\/strong><\/h2>\n<p>The risk analysis in this article is broader than the previous two.<\/p>\n<p>On the one hand, the mention that \u201c<em>the state of the art<\/em>\u201d must be taken into account already tells us that technical security measures must be considered; but, on the other hand, in accordance with article 25 itself, the application of technical and organizational measures must have the purpose of \u201c<em>comply with the requirements of this Regulation and protect the rights of interested parties<\/em>\u201d.<\/p>\n<p>But if you take into account security measures and possible legal breaches,<\/p>\n<h2><strong>What differentiates it from art. 24?<\/strong><\/h2>\n<p>The answer is not simple, but that does not mean we should abandon the idea of delimiting this risk analysis and differentiating it from the others.<\/p>\n<p>The first difference is that the risks must be taken into account before creating the information system, from its design, which does not occur in the other two risk analyses.<\/p>\n<p>Likewise, the controls to be included in this risk analysis are more detailed and less general: \u201cdefault\u201d privacy must be considered, that is, maximum privacy in all phases of the system.<\/p>\n<p>In this risk analysis, pseudonymization and data minimization take on special importance (understanding the latter from a fourfold perspective: the amount of personal data collected, the extent of its processing, its retention period and its accessibility).<\/p>\n<p>But everything explained in this analysis still leaves its application up in the air. We must go to the \u201cPrivacy by Design Guide\u201d of the AEPD.<\/p>\n<p>Traditionally, information security protects information by ensuring its confidentiality, availability and integrity. But that is already analyzed in the risk analysis of art. 32 which, in turn, is part of the risk analysis of art. 24 and the EIPD of art. 35.<\/p>\n<p>In the risk analysis of art. 25, the risks of any deviation from what is planned and permitted by the Organization must be analyzed. This makes us begin its analysis based on the aforementioned Guide. Thus, three new concepts emerge with which we must work when carrying out this analysis of privacy risks from design and by default.<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-15957\" src=\"https:\/\/eiposgrados.com\/wp-content\/uploads\/2020\/07\/elias.png\" alt=\"\" width=\"596\" height=\"436\" title=\"\" srcset=\"https:\/\/eiposgrados.com\/wp-content\/uploads\/2020\/07\/elias.png 596w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2020\/07\/elias-300x219.png 300w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2020\/07\/elias-226x165.png 226w\" sizes=\"(max-width: 596px) 100vw, 596px\" \/><\/p>\n<p>This risk analysis does not analyze probabilities and impacts, but rather establishes design strategies, then establishes tactics (describing them) and finally proposes controls through design patterns.<\/p>\n<h2><strong>Design strategies<\/strong><\/h2>\n<p>First, we have the data-oriented privacy design strategies: minimize, hide, separate, and abstract.<\/p>\n<p>Second, we have the process-oriented privacy design strategies: inform, monitor, comply, and demonstrate.<\/p>\n<p>However, this topic requires more detailed study that will not be addressed in this article.<\/p>\n<h3><b>Do you want to specialize in Compliance Management and data protection?<\/b><\/h3>\n<p>The<strong><a href=\"https:\/\/eiposgrados.com\/eng\/master-in-data-protection-management-and-chief-compliance-officer\/\">\u00a0Master in Compliance &amp; Data Protection Management\u00a0<\/a><\/strong>will make you a\u00a0<strong>highly qualified professional<\/strong>\u00a0with the necessary skills to carry out specialized tasks in two of the most relevant areas for both\u00a0<strong>private businesses<\/strong>\u00a0and\u00a0<strong>public administrations<\/strong>: data protection and regulatory compliance or Compliance.<\/p>","protected":false},"excerpt":{"rendered":"<p>The idea of carrying out a risk analysis in the GDPR is present in 3 assumptions: Responsibility of the Data Controller and Data Protection Impact Assessments; Security of Treatment; and Data protection by design and by default.<\/p>","protected":false},"author":59,"featured_media":15946,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[330,142],"tags":[],"class_list":["post-15942","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-dpo","category-blog"],"acf":[],"_links":{"self":[{"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/posts\/15942","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/users\/59"}],"replies":[{"embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/comments?post=15942"}],"version-history":[{"count":0,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/posts\/15942\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/media\/15946"}],"wp:attachment":[{"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/medi
a?parent=15942"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/categories?post=15942"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/tags?post=15942"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}