References

The Data Protection Impact Assessment (DPIA) is a fundamental tool provided for by the General Data Protection Regulation (GDPR). It consists of a systematic analysis of the risks to privacy and personal data protection arising from specific processing operations, in particular those that may entail a high risk to the rights and freedoms of individuals.

Article 35 of the GDPR establishes the obligation to carry out a Data Protection Impact Assessment (DPIA) when a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. A PDF summary table of the main points of Article 35 is linked from the original page.

How to apply it

What should you expect? Endless technical-bureaucratic statements and readings that do nothing but fill your head with pseudo-notions that appear to comply with the dictates of the GDPR. Big Tech, healthcare providers, schools and, in general, private and public organisations use external consultants to sort out the paperwork and sleep soundly; they do not seem to care about the true essence of the matter.

This is not about producing documents and annexes with unreadable content, but about protecting our data, the data of a citizen or a student, which are at stake in a context where a simple document does not protect us from a privacy violation.

When you notice that the documentation is dutifully bumped to version 1.x, that is a decoy: it is exactly what is used to reassure the masses.

Contracts and data protection notices are legally required instruments, but they do not represent a guarantee of actual data processing in compliance with data protection regulations. They are, in essence, declarations of intent, which do not provide any concrete technical proof.

In other words, these statements say nothing about what the software actually does in everyday use. The claims made in these documents can only be verified through in-depth technical analysis or, conversely, refuted by concrete evidence.

The control

The ordinary citizen cannot do much alone: there is a need for supervisory authorities, institutions and associations that ensure everything is not only compliant on paper, but truly aimed at protecting privacy.

Let’s turn on the light bulb

You’ve read this far, so don’t give up now: the less theoretical part starts here!

Why do public institutions, such as state, school and health bodies, require consent for the use of cookies on their websites? Consent should only be required for profiling cookies; for those strictly necessary for the functioning of the site, no consent is required. In fact, public institutions should limit the use of any tracking tool to the bare minimum, as they have a duty to protect citizens’ privacy. Why, then, do they adopt a practice that seems to conflict with their role as guarantors of transparency and confidentiality?

Case study

I randomly picked a healthcare site and, using Firefox Developer Tools, analyzed the segment relating to a JavaScript file called Cookie script.

Iubenda cookie script

Iubenda takes care of making sites and apps compliant in a simple way: a solution for creating privacy and cookie policies, cookie banners, terms and conditions, and for managing users’ privacy preferences.

Iubenda: a tracker of biblical proportions! It often appears on the block lists of corporate sites. Is that a coincidence?

Of course it is simple, accessible and free, but remember that nothing is free! Looking through its pages, you can find the following statement:

iubenda measures conversions and statistics even for users who have not given consent

You read that right: Iubenda starts measuring conversions and statistics even for users who do not give consent.
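The claim above is exactly the kind that can be checked rather than taken on trust. As an added example (not code from this post or from iubenda), here is a small Python audit of a HAR export such as the one Firefox Developer Tools produces with "Save All As HAR": it lists the third-party sites contacted, and the cookies they set or received, before the moment the consent banner was answered. The HAR excerpt, vendor hostnames, cookie names and timestamps are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt (not a real capture) standing in for a Firefox Network
# panel export taken on page load, before the banner is clicked. Hostnames and
# cookie names are placeholders, not any real vendor's.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2024-01-01T10:00:00.000Z",
     "request": {"url": "https://www.example-health.example/", "cookies": []},
     "response": {"headers": [{"name": "Set-Cookie", "value": "session=abc; Path=/; HttpOnly"}]}},
    {"startedDateTime": "2024-01-01T10:00:00.200Z",
     "request": {"url": "https://cdn.cmp-vendor.example/banner.js", "cookies": []},
     "response": {"headers": [{"name": "Set-Cookie", "value": "_cmp_uid=7f3a; Domain=.cmp-vendor.example"}]}},
    {"startedDateTime": "2024-01-01T10:00:00.400Z",
     "request": {"url": "https://stats.cmp-vendor.example/collect?ev=pageview",
                 "cookies": [{"name": "_cmp_uid", "value": "7f3a"}]},
     "response": {"headers": [{"name": "Content-Type", "value": "image/gif"}]}},
    {"startedDateTime": "2024-01-01T10:00:09.000Z",
     "request": {"url": "https://stats.cmp-vendor.example/collect?ev=consent",
                 "cookies": [{"name": "_cmp_uid", "value": "7f3a"}]},
     "response": {"headers": []}},
]}})

def registrable(host):
    """Crude eTLD+1 (last two labels): fine for grouping an audit, not for policy decisions."""
    return ".".join(host.lower().split(".")[-2:])

def audit_pre_consent(har_text, first_party_host, consent_time):
    """Return {third_party_site: {"requests", "cookies_set", "cookies_sent"}} for every
    entry that started before the consent click. Timestamps are compared as ISO 8601
    strings, which assumes the export uses a single timezone and fixed precision."""
    site = registrable(first_party_host)
    report = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        if entry["startedDateTime"] >= consent_time:
            continue  # only traffic before the user could possibly have consented
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if registrable(host) == site:
            continue  # first-party traffic is not the question here
        rec = report.setdefault(registrable(host), {"requests": 0, "cookies_set": [], "cookies_sent": []})
        rec["requests"] += 1
        for h in entry["response"].get("headers", []):
            if h["name"].lower() == "set-cookie":  # cookie name is the part before '=' of the first attribute
                rec["cookies_set"].append(h["value"].split(";", 1)[0].split("=", 1)[0])
        rec["cookies_sent"].extend(c["name"] for c in entry["request"].get("cookies", []))
    return report

if __name__ == "__main__":
    for site, rec in audit_pre_consent(SAMPLE_HAR, "www.example-health.example", "2024-01-01T10:00:05.000Z").items():
        print(site, rec)
```

Any third-party site that sets or receives an identifying cookie in this report did so before consent was possible, which is precisely what a privacy notice cannot tell you and a capture can.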

I don’t want to advertise a law firm, but the SIMBULA law firm explains it clearly. In short: be careful, because it is not certain that using iubenda trackers will keep you out of trouble. Legal actions will rain down; it is only a question of time, given the user base affected and the data already collected. Suspending the service is no remedy: the data has already been collected!