Expert Advice Community


Privacy perspective for facial reconstitution software

Guest user Created:   Feb 06, 2020 Last commented:   Feb 10, 2020

I want to set up a startup and develop software for facial reconstitution.

Are there any constraints from a privacy perspective? What do I need to consider before the implementation stage? Is it required for us to have a DPO? We are planning to use AWS for storage. Is this OK, or is it better to keep the data on our own servers? Do we need to perform some kind of risk assessment before starting? How would ISO 27001 help us?
Any other advice would be much appreciated.

Expert
Alessandra Nisticò Feb 10, 2020

I want to set up a startup and develop software for facial reconstitution.

Are there any constraints from a privacy perspective?

 

Most constraints will depend on the kind of software you are going to develop. Consider that if your software does facial recognition, the data it processes will be considered biometric data under Article 9 GDPR, so consent will be needed from the end user of the software.

If it is software used for forensic purposes, it may fall under Article 9, letters (f) and (g), GDPR, so that consent may not be needed.

For more information, please see the article: 
Article 9 GDPR: https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/

 

What do I need to consider before the implementation stage?

 

In the early stage of setting up a startup for developing facial reconstitution software, you need to make a Data Protection Impact Assessment in order to verify what kind of data your company will process and how it will handle and secure them.

In developing the software, you should consider the principles of privacy by design and privacy by default as set in Article 25 GDPR. In this article, you may find some help and guidance about those principles:

 What is privacy by design & default according to GDPR?: https://advisera.com/eugdpracademy/blog/2018/04/17/what-is-privacy-by-design-and-default-according-to-gdpr/

 

Is it required for us to have a DPO?

In case your software uses biometric data, DPO appointment is mandatory under Article 37, letter (c), GDPR, because your core business will be the processing of special categories of data.

You can read more about it in the following articles:
- How to hire the right DPO? https://advisera.com/eugdpracademy/blog/2018/08/27/how-to-hire-the-right-dpo/

- The role of the DPO in light of the General Data Protection Regulation: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/ 

 

We are planning to use AWS for storage. Is this OK, or is it better to keep the data on our own servers?

There is no single answer. It is up to the data controller to assess whether data are better protected on internal servers or with a cloud solution.

AWS, as a storage provider, claims to be committed to the highest security, compliance and privacy standards. You will need to check the terms of service of AWS in order to verify its protection standards and decide which measures ensure a level of security appropriate to the risk.

 

Do we need to perform some kind of risk assessment before starting? 

Article 35 GDPR requires a Data Protection Impact Assessment (DPIA) to be performed where the use of new technologies is likely to result in a high risk to the rights and freedoms of individuals. However, a DPIA is also highly recommended when it is not mandatory, in order to demonstrate accountability under GDPR provisions.

For more information, please read the article: 

 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

 

How would ISO 27001 help us?

Implementing ISO 27001 may help you adopt an international standard for information security risk management and demonstrate accountability for security measures under Article 32 GDPR, although there is no complete match between the two sets of rules.

These materials will also help you regarding GDPR implementation:

- What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help

- EU GDPR Foundations Course: https://training.advisera.com/course/eu-gdpr-foundations-course/
