CS Minor | GDPR

What is GDPR

The acronym GDPR stands for General Data Protection Regulation. The GDPR is a European law that aims to protect the personal data of European citizens. This law applies to any European company that stores personal data of its users or clients. The only exception is processing that falls under the Law Enforcement Directive; the GDPR does not cover this processing because it serves to protect national security.

GDPR compliance

Multiple aspects are necessary to be GDPR compliant. These include [1]:

  • Lawful basis and transparency
  • Data security
  • Accountability and governance
  • Privacy rights

Each of these topics consists of a few points that an organization must meet to comply with the GDPR. When an organization complies with all of the points mentioned below (where applicable), it is fully GDPR compliant.

Lawful basis and transparency

This topic mainly consists of non-technical points.

First on the list is to conduct an audit to determine what kind of data the organization processes and which people access it. The purpose of this audit is to have a list ready that shows how data is processed in the organization. With this list, it is easier to answer questions such as which employees have access to this data, which third parties have access, and when the organization plans to erase this data (if possible).

Secondly, the organization needs a legal justification for why it needs to process the data in question (this excludes data regarding children). If the legal basis is that the subject gave "consent," there are extra obligations, most notably giving the person the opportunity to revoke that consent. If the justification is "legitimate interest," the organization must show through a privacy impact assessment that this is indeed the case.

The last part required for "Lawful basis and transparency" is a privacy policy informing anyone about the organization's data processing and its legal justification. By providing this information publicly, anyone interested can investigate what the organization does with the data it receives from users. This privacy policy must be easily accessible, transparent, and written in plain and unambiguous language that anyone can understand.

Data security

This topic discusses the steps necessary to comply with the data security part of the GDPR. Like the previous topic, data security focuses on the protocols an organization must have in place to comply with the GDPR.

The first step is to protect data from the moment development of the product begins. Furthermore, it is essential to follow the principles of "data protection by design and default." It is also crucial that the data protection principles from "Article 5" are obeyed during development. The importance of this step is to ensure that the organization and its employees are always aware of the security of the data they store and process.

Secondly, it is essential to encrypt, pseudonymize, or anonymize any personal data used within the organization (wherever possible). For example, most companies use data from their users for metrics, training data, or some other kind of productivity tool. To protect people's privacy, the organization needs to remove anything that identifies the data's origin. An example is changing all names, birthdays (except the year), and addresses (except the zip code). A randomized data generation algorithm is the fastest and most ethically correct way to do this work. The most important thing is to obtain accurate data without a link to the original identity of the user who entered it. This way, the organization can use metrics or testing data to improve its products without compromising its users' data.
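As an added example that is not part of the original write-up, the following Python sketch applies the replacement scheme described above: names become randomly generated tokens (the same name always gets the same token, so repeat records from one user still count together), birthdays keep only the year, and addresses keep only the postcode. The sample records and the Dutch postcode pattern are constructed assumptions.

```python
import random
import re

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"name": "Anna de Vries", "birthday": "1987-04-12", "address": "Keizersgracht 12, 1015 CJ Amsterdam", "logins": 42},
    {"name": "Bram Jansen", "birthday": "1992-11-30", "address": "Stationsplein 3, 3511 ED Utrecht", "logins": 7},
    {"name": "Anna de Vries", "birthday": "1987-04-12", "address": "Keizersgracht 12, 1015 CJ Amsterdam", "logins": 5},
]

# Assumption: addresses carry a Dutch postcode (four digits, two letters).
ZIP_RE = re.compile(r"\b(\d{4})\s?([A-Z]{2})\b")

class Pseudonymizer:
    """Strips direct identifiers from records while keeping the metric fields."""

    def __init__(self, seed: int) -> None:
        self._rng = random.Random(seed)
        # original name -> token. Under the GDPR this table is the "additional
        # information" that keeps the output pseudonymous; delete it to anonymize.
        self.name_map: dict[str, str] = {}

    def pseudonym(self, name: str) -> str:
        """Random, collision-free token; the same name always gets the same token."""
        if name not in self.name_map:
            token = "user-%08x" % self._rng.getrandbits(32)
            while token in self.name_map.values():
                token = "user-%08x" % self._rng.getrandbits(32)
            self.name_map[name] = token
        return self.name_map[name]

    @staticmethod
    def year_only(birthday: str) -> str:
        """Keep only the birth year of an ISO-8601 date."""
        return birthday[:4]

    @staticmethod
    def zip_only(address: str) -> str:
        """Keep only the postcode; street and city are dropped."""
        match = ZIP_RE.search(address)
        return f"{match.group(1)} {match.group(2)}" if match else ""

    def process(self, record: dict) -> dict:
        return {
            "subject": self.pseudonym(record["name"]),
            "birth_year": self.year_only(record["birthday"]),
            "zip": self.zip_only(record["address"]),
            "logins": record["logins"],  # the metric the organization actually needs
        }
```

The processed records can be aggregated per "subject" for metrics; whether the result counts as pseudonymous or anonymous depends on whether `name_map` is retained.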

The third security measure is to create an internal security policy for team members and build awareness about data protection. Humans are usually the weakest link in the security of an organization. Because of this weakness, employees must be well trained and knowledgeable about data security. A security policy can help ensure that the training and knowledge of employees meet a specific standard. A few critical areas of knowledge that employees should possess based on the GDPR are email security, passwords, two-factor authentication, device encryption, and VPNs. Employees with greater access to things like personal data should receive extra training to ensure data security within the organization.

The fourth part focuses on knowing when to conduct a data protection impact assessment (privacy impact assessment) and having an internal process ready to carry it out. The GDPR requires organizations to do this kind of analysis whenever they want to use people's data in a way that could pose a high risk to their rights.

Lastly, the GDPR requires organizations to have protocols ready to notify the authorities and possible victims of a data breach. For example, when a data breach exposes personal data, the organization must inform the authorities in its jurisdiction within 72 hours. In addition, the organization must notify the people exposed by the breach so that they can take precautions to protect their other interests. For example, when the leaked data includes passwords, the victims can change their passwords if they reuse them somewhere else. The only exception is when the organization believes that the breached data poses no risk to the parties involved.

Accountability and governance

This portion of the GDPR contains the rules that ensure there is always someone accountable for ensuring compliance with the GDPR.

Firstly, there must be a person responsible for ensuring that every part of the organization complies with the GDPR. This person is accountable for the organization regarding the GDPR and evaluates the data protection policies and their implementation. The necessity of this role is to make sure that someone is actively checking GDPR compliance in the organization. Furthermore, this person ensures that the organization will not be surprised in the future by GDPR violations that result in substantial fines.

The second point is vital when one or more third parties process personal data on behalf of the organization. If this is the case, there has to be a data processing agreement. This agreement has to be signed by the organization and the third party in question, and it states the rights and obligations of each party in complying with the GDPR.

The third part only applies to organizations based outside of the EU. A non-EU company that wants to process data regarding people from a member state is required to appoint an EU representative. The only exception is if the organization is a public authority or only occasionally processes data that poses a low risk to the data protection rights of the people in question.

The last requirement is to appoint a Data Protection Officer if the organization falls into one of the circumstances mentioned by the GDPR. These circumstances include but are not limited to tracking people's location or behavior, systematically monitoring a publicly accessible place on a large scale, processing children's data, and processing data that could result in physical harm to the data subjects if leaked.

Privacy rights

The last piece required to be fully GDPR compliant is all about the privacy rights of the people using the product. This final topic focuses on functionality the product must contain. In theory, it is possible to give customers this information through a support desk. However, it is easier and more scalable to automate this within the privacy settings of the product.

First on the list is the ability for users to request and receive all information the organization has on them. This law ensures that anyone has the right to know what an organization knows about them. The customer also has the right to know how long the organization will store their data and why. Before the organization can comply with such a request, it must verify the identity of the person requesting the information. If everything is in order, the organization must comply within a month. It is worth mentioning that, based on the GDPR, any organization is required to give the first copy of this information for free. After that, however, it can request a reasonable fee for any additional copies.

Second, it should be easy for customers to update incorrect or incomplete information. This law requires that the organization make its best effort to keep its data up to date by setting up a data quality process. This process must make it effortless for customers to view and update their personal information once their identity is verified.

Third, customers have the right to have their personal data deleted. Any organization must comply with this request if the person's identity is verified. There are a few exceptions to this rule. These exceptions include, but are not limited to [9]:

  • the data is used to comply with a legal ruling or obligation,
  • the data is being used to exercise the right of freedom of expression and information, and
  • the data represents essential information that serves the public interest, scientific research, historical research, or statistical purposes, and erasing it would likely impair or halt the achievement of the objectives of that processing.

Fourth, customers can request to restrict or stop the processing of their data. This request only has to be honoured if one of the following grounds applies [10]:

  • the data subject contests the accuracy of the personal data;
  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
  • the controller no longer needs the personal data for the processing, but the data subject requires it for the establishment, exercise, or defense of legal claims;
  • the data subject has objected to processing under Article 21 (right to object), pending the verification of whether the legitimate grounds of the controller override those of the data subject.

The fifth point is about the right of the customer to receive their data in a commonly readable format. An example of such a format is a spreadsheet. This point also includes the right to have their data sent to a third party of their choosing. The ability to send their data to any third party comes down to the fact that people themselves own their data, not the organization that holds it.

The sixth point protects customers' data from being used for direct marketing. Examples of direct marketing include emails, online adverts, and coupons. Any organization that processes its customers' data for this purpose has to stop doing so immediately. The only exception is when the organization can demonstrate compelling legitimate grounds based on Article 21 [11].

Finally, customers have the right to ask for human intervention regarding decisions made by automated processes that have legal effects. Any organization using such methods must have a procedure to ensure that the rights, freedoms, and legitimate interests of the data subjects are protected. The customer can also question decisions already made by these processes. In that case, human intervention will help to weigh or challenge these decisions.

References

  1. GDPR.eu. (2019, March 13). GDPR compliance checklist. Retrieved January 5, 2022, from https://gdpr.eu/checklist/
  2. Fogg, S., & Cipp/E, M. C. K. (2021, December 17). What is GDPR? The basics of the EU's General Data Protection Regulation. Termly. Retrieved January 5, 2022, from https://termly.io/resources/articles/what-is-gdpr/
  3. Wolford, B. (2019, February 22). Data Processing Agreement (Template). GDPR.eu. Retrieved January 9, 2022, from https://gdpr.eu/data-processing-agreement/
  4. Wolford, B. (2018, November 14). Art. 5 GDPR – Principles relating to processing of personal data. GDPR.eu. Retrieved January 9, 2022, from https://gdpr.eu/article-5-how-to-process-personal-data/
  5. Wolford, B. (2019, March 8). Data Protection Impact Assessment (DPIA). GDPR.eu. Retrieved January 9, 2022, from https://gdpr.eu/data-protection-impact-assessment-template/
  6. Wolford, B. (2019, February 13). Everything you need to know about the GDPR Data Protection Officer (DPO). GDPR.eu. Retrieved January 9, 2022, from https://gdpr.eu/data-protection-officer/
  7. Wolford, B. (2020, July 23). Art. 16 GDPR – Right to rectification. GDPR.eu. Retrieved January 9, 2022, from https://gdpr.eu/article-16-right-to-rectification/
  8. Wolford, B. (2020, July 23). Art. 15 GDPR – Right of access by the data subject. GDPR.eu. Retrieved January 9, 2022, from https://gdpr.eu/article-15-right-of-access/
  9. Wolford, B. (2020, April 24). Everything you need to know about the "Right to be forgotten." GDPR.eu. Retrieved January 9, 2022, from https://gdpr.eu/right-to-be-forgotten/
  10. Wolford, B. (2018, November 14). Art. 18 GDPR – Right to restriction of processing. GDPR.eu. Retrieved January 9, 2022, from https://gdpr.eu/article-18-right-to-restriction-of-processing/
  11. Wolford, B. (2020, July 23). Art. 21 GDPR – Right to object. GDPR.eu. Retrieved January 9, 2022, from https://gdpr.eu/article-21-right-to-object/