Part I. Are you a public or private organisation assessing your technology for the GDPR?
At Trilateral Research, we have worked with several organisations within the public and private sector to assess their current technology for the GDPR. In this series, our technical team will provide weekly technical insights into four technical areas that we often assess for our clients. This first week we will look into the assessment of data flow, transfer and sharing. In the course of the following weeks we will analyse:
- Assessment of data flow, transfer, and sharing
- Assessment of data storage, retention, and deletion
- Assessment of access control and security
- Assessment of access procedures, policy, and legal contracts
Assessment of Data flow, transfer and sharing
Data is generally transmitted/received through either a push model (data-driven) or a pull model (demand-driven). Characteristics of the push model are:
- data is transmitted without a request from the receiving side making the sender the active component
- the receiver side may not be able to control or validate the content of the disseminated data
Characteristics of the pull model are:
- the sender side passively wait for a request from the receiver side now considered the active component
- the receiver side has the control over the content of data received
While concerns for the GDPR implementation are effectively the same for both models, there are specific risks more likely to appear if using a push or a pull model that system developers need to remain cognisant of, especially when data is being transferred from a data controller to a data processor.
For the push model a primary risk is that the controller pushes the wrong data; whether not conforming to legal processing requirements or pushing data in the wrong format (i.e., plain text data instead of anonymised/pseudonymised data).
For the pull model, organisations need to ensure that a processor cannot access or process data that falls outside their controller-processor contract by using privacy by design technical measures.
Our GDPR service offering includes:
- Data Protection Impact Assessments of existing and proposed technologies, leveraging both our technical and data protection expertise
- Assessment and updating existing privacy notices and consent requirements for our clients
- Assessing the legal basis for processing our clients’ businesses rely upon, and assessing and updating their policies and procedures
Data Protection Impact Assessment (DPIA)
Trilateral provides compliance roadmaps and DPIA templates for organisations, as well as train their staff to complete these activities, thereby assisting them to manage their future compliance costs.
Do you really need a Data Protection Officer (DPO)?
We provide an external DPO service for businesses and organisations who do not need or cannot currently justify, employing a full-time internal DPO.
Contact our team