To ensure that our MPC solution meets their compliance requirements, our customers typically ask for our help with the following activities:
- Provide input to their Data Protection Impact Assessment process;
- Sign a Data Processing Agreement with the processor, and possibly a Joint Controllership Agreement with the consortium of data owners & controllers;
- Help them assess the information security risks of the processing activities.
In this section of our help centre, we will give tips for each of the above three items.
Before we do that, we define a few general terms.
What is "personal data"?
According to EU GDPR Art. 4 (1), "personal data" is any information relating to an identified or identifiable natural person.
How can MPC help to be GDPR compliant?
If there is a legal basis for processing the data, MPC can help to process data proportionally and address important notions of the GDPR:
- Purpose binding: Parties decide together, explicitly, about the applied analyses. The solution verifies this before running the analysis.
- Data minimization: Only designated party(ies) receive the result of a computation. Nothing else is disclosed about the source data to anyone.
- Ownership: Parties retain control over their data (see above). This makes rectification, deletion, etc. easier.
- Technical measures: Data remains encrypted at all times: during transport, storage and processing. This reduces the risk of a data breach.
- Organizational measures: Single points of failure are avoided. Privacy and information security are based on segregation of duties. Analyses are only possible with explicit approval of (multiple) approvers/data stewards.
How to assess the legal basis for data processing under the GDPR?
A data controller or processor must identify the legal basis by which their processing of personal data is permitted. The legal grounds for processing personal data are limited and clearly defined on the official European Commission website with reference to GDPR Articles:
- Lawfulness of processing is listed in Art. 6 of the EU GDPR;
- For processing of special categories of personal data, please check Art. 9 of the EU GDPR.
Who are the key stakeholders involved in the compliance process?
- Legal counsel / Privacy expert: assesses the legal basis, provides expert opinion during the DPIA process and DPA writing.
- Data owner(s) (acting as controllers): define the scope of analysis and collaboration, define risks and mitigation plan, oversee the DPIA process.
- Project Leader(s): optionally involved to support use-case definition, consult on project scope, define risks.
- CISO / Security manager: responsible for the technical security assessment.
- Data scientist / Technical expert: involved to consult on analysis design and technical aspects of data collaboration (available data sources, data extraction, data quality, analysis scripting, etc.).