GDPR: the CNIL revises its impact assessment software

Two years after the implementation of the European data protection regulation, the CNIL, the independent authority responsible in France for its implementation, has published version 2.3 of its PIA software. This free software helps professionals carry out one of the major stages of GDPR compliance, namely the data protection impact assessment (DPIA), also called a privacy impact assessment (PIA).

Its beta version was released in November 2017, in anticipation of the implementation of the European regulation the following year. The CNIL advised its users to carry out a DPIA “as far upstream as possible”, and, if possible, to update it throughout the life cycle of the processing.

In version 2.3 (downloadable from the “tool” page), the PIA software has been enriched with new features. It is now possible to use keyword search to filter the data protection impact assessments (DPIAs) carried out, to archive them, to create several versions of an impact assessment, to categorize them and, finally, to manage the percentage of progress of the analysis.

Available in 20 languages, this new version also comes with improvements to and harmonization of the graphical interface, as well as updated development libraries, the CNIL explains. A number of fixes have been made, including:

  • the correction of a display problem in the attachments;
  • the correction, through the integration of an encoding and decoding solution, of problems importing and exporting analyses;
  • the correction of a printing problem;
  • the correction of a display problem linked to accented characters when importing an analysis.

The impact assessment is compulsory for certain specific data processing operations, when the processing in question is “likely to generate a high risk for the rights and freedoms of the persons concerned”, the CNIL notes. This generally involves the collection of sensitive data, data cross-referencing, monitoring described as “systematic”, or scoring.

GDPR implementation uneven across countries

“Two years after the entry into force of the GDPR, impact assessments on privacy have multiplied within organizations,” notes the CNIL. However, many players have not yet completed their compliance with the European data protection regulation, even if the lockdown has allowed some of them to make up part of their delay.

Even the European Commission agrees that there is still work to be done in this area. In a report published this week, it considers that the GDPR has effectively ensured greater protection of citizens' privacy. However, its implementation is not the same everywhere in Europe, which can potentially affect cross-border activities, in particular with regard to new technological developments and cybersecurity products, the Commission believes. “The situation is still uneven between member states and is not yet satisfactory overall,” said the report.

This challenge seems to be notably more difficult to meet for small and medium-sized enterprises, the document continues. Several data protection authorities have provided tools to help SMEs implement the GDPR, and the European Commission suggests intensifying and generalizing this practice.

“The Commission will monitor the progress made, in close cooperation with the European Data Protection Council and within the framework of its regular exchanges with the Member States so that the GDPR can give its full measure,” said Didier Reynders, European Commissioner for Justice.
