Personal Data Protection 2018: GDPR OVERVIEW AND REQUIREMENTS
The media regularly report on personal data leaks. There is even a site where you can check whether your data have been leaked. In September 2017, the news of Dropbox and Yahoo user data being leaked went viral. Both companies revealed the leak several months post factum, potentially endangering most of their user data. This issue has gained prominence, and the new General Data Protection Regulation (GDPR) could rapidly decrease data leaks; however, it is essential to understand the Regulation and meet GDPR compliance requirements.
Data protection is a fundamental right of every natural person. The previous EU Directive was written in 1995 (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data), but, with rapid technological advancements, it has become increasingly important to process and store natural person data correctly.
The Regulation affects all 28 EU member states and all data controllers, including data controllers who are not physically located in the EU but offer their products or services to EU data subjects. The main goals of the Regulation are to increase the control each EU data subject has over their data and to protect that data. A unified natural person data protection regulation for the entire EU will promote awareness of how natural person data are processed and stored. Additionally, it will end the numerous adaptations and corrections made to national laws and the fragmented enforcement of data protection within the EU. Since the Regulation imposes identical requirements and concepts on all EU member states, it will prevent market distortions and work slowdowns in government institutions.
What does GDPR mean?
How does GDPR benefit natural persons?
GDPR requires significant changes to the current natural person data protection law in order to raise the level of personal data protection and give the data subject the rights and responsibilities to control the processing of their data. Now, when all services involve data processing, the use of natural person data has become uncontrollable, which endangers both the data subject and the company processing the data. Rules regulating several key aspects of data processing will result in better personal data protection, which in turn will build the data subject's trust when they hand over their data for processing.
Main requirements of GDPR compliance
Code of conduct
The data controller establishes the code of conduct for GDPR compliance which includes:
- Natural person data processing.
- Information provided to the public and the data subject.
- Enforcing data subject rights.
- Information provided to children, child protection and the way consent is obtained from the guardian.
- Informing the correct institutions and the data subject in case of a data leak.
- Integrated data protection mechanisms.
- Responsibilities of a data protection specialist.
Integrated natural person data protection and data protection by default
GDPR does not prescribe specific technologies or products as GDPR compliance or data protection mechanisms; instead, it describes the thought process and provides suggestions regarding natural person data security. In order to protect data subject rights, the data controller considers the current state of the technologies it owns, implementation costs, the nature, scope, context and risks of the data processing, and performs the required technical and organisational activities, such as data anonymisation or data pseudonymisation. Data encryption is also an important mechanism: all data which can identify a natural person are encrypted, and data exchange is performed over encrypted data exchange protocols, e.g. SSL tunnels.
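The paragraph above names pseudonymisation and anonymisation as technical measures but does not show what they look like in practice. The following is an added example, not code from the article or from SQUALIO: it pseudonymises direct identifiers with HMAC-SHA256 under a secret key that the controller stores separately from the data set, generalises an indirect identifier (birth year) as a simple anonymisation step, and shows how a data subject's rows can still be located for an erasure or export request by recomputing the token from the identifier in the request. The record schema, the field list and the sample records are constructed for the demonstration; HMAC is one common pseudonymisation method, not one the Regulation mandates.

```python
"""Keyed pseudonymisation of direct identifiers in personal-data records.

Added example (not from the original article). HMAC-SHA256 under a secret
key held by the controller replaces names, e-mails and phone numbers with
stable tokens, so processing can still link a subject's records while the
stored data no longer identify anyone without the key. Losing or deleting
the key leaves the set effectively anonymised.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Any

# Fields that directly identify a natural person (assumed schema).
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def new_pseudonymisation_key() -> bytes:
    """256-bit key; store it separately from the pseudonymised data set."""
    return secrets.token_bytes(32)


def pseudonym(field: str, value: str, key: bytes) -> str:
    """Stable, key-dependent token for one identifier value.

    The field name is mixed in so equal strings in different fields do not
    collide; the value is normalised so 'Alice@Example.com' links to
    'alice@example.com'.
    """
    msg = f"{field}\x00{value.strip().lower()}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(record: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Return a copy of record with direct identifiers replaced by tokens."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonym(field, str(out[field]), key)
    return out


def generalise_birth_year(record: dict[str, Any], bucket: int = 10) -> dict[str, Any]:
    """Anonymisation step: reduce the precision of an indirect identifier.

    A full birth year combined with other attributes can single a person
    out; a decade bucket keeps the value usable for statistics.
    """
    out = dict(record)
    if "birth_year" in out:
        out["birth_year"] = (out["birth_year"] // bucket) * bucket
    return out


def records_for_subject(
    pseudo_records: list[dict[str, Any]], email: str, key: bytes
) -> list[dict[str, Any]]:
    """Locate a data subject's rows (e.g. for an erasure or export request).

    The controller recomputes the token from the e-mail in the request;
    nothing stored has to be reversed, and without the key the lookup is
    impossible.
    """
    token = pseudonym("email", email, key)
    return [r for r in pseudo_records if r.get("email") == token]


# Constructed sample data for the demonstration.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "birth_year": 1987, "plan": "basic"},
    {"name": "Alice Example", "email": "Alice@Example.com",
     "birth_year": 1987, "plan": "premium"},
    {"name": "Bob Example", "email": "bob@example.com",
     "birth_year": 1991, "plan": "basic"},
]


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    stored = [generalise_birth_year(pseudonymise(r, key)) for r in SAMPLE_RECORDS]
    for row in stored:
        print(row)
    # A subject request: everything held about alice@example.com.
    hits = records_for_subject(stored, "alice@example.com", key)
    print(len(hits), "rows found for the requesting subject")
```

The key is the whole point of the design: the pseudonymised set can be handed to analytics or a processor, while only the controller holding the key can tie a token back to a request from a real person. Rotating or destroying the key is therefore also a data-protection action and should be logged as one.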
Responsibility for natural person data protection
Public institutions, companies that process and store natural person data on a large scale, and companies with more than 250 employees are required by GDPR to appoint a person responsible for natural person data security in the institution or company.
The right to be forgotten
This GDPR requirement provides the data subject with the option to erase their own data or to ask the data controller to erase data when the data subject no longer wants their data to be stored and processed in a specific service. Of course, the request for data erasure can be denied if it has legal grounding.
GDPR requirements affect companies outside the EU
If the data controller is located outside the EU but their company offers products and services to data subjects within the EU, e.g. for Yahoo/Dropbox users, then GDPR requirements apply to these companies. When the Regulation enters into force, all companies, regardless of their location, will have equal requirements which in turn will lower market distortions.
The right to know about data leaks
The data controller will have to inform the respective authorities and all affected data subjects within 72 hours of a malicious break-in into a system, interference, or unsanctioned access to personal data.
The right to transmit data elsewhere
The data controller will have to provide the user with the option to save their data in a commonly used, machine-readable format so that the data can be transmitted to another data controller.
Special protection for children
The Regulation has specific conditions for children under the age of 16. The data controller will have to make sure that the guardian has given their consent to the processing of the personal data of a child.
GDPR administrative fines
For legal persons the maximum GDPR administrative fine is 14 000 EUR, but the amount can change depending on aggravating or mitigating factors.
After GDPR enters into force, the supervising instances will impose fines, including administrative fines. The amount of an administrative GDPR fine will be up to 20 million EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.
What can you do to comply with the Regulation?
- Perform a risk management analysis for natural person data.
- Appoint a data protection specialist.
- Create a procedure for processing and executing data subject requests to export and erase natural person data, because these requests have to be executed within 30 days of receipt; the period can be extended if there are objective reasons.
- When implementing new systems for personal data processing and storage, as well as when reviewing old systems, remember the concept of integrated personal data protection and data protection by default.
- Illustrate the process of personal data processing and storage to the user in a clear and understandable way.
- Do not reinvent the wheel. Better security = deeper/layered security.
To efficiently implement and oversee deeper/layered security, you need a lot of human and time resources; therefore, we recommend considering cloud solutions. By using cloud solutions, you cover the first security layers.
You do not have to worry about:
- Physical resources: security guards, surveillance systems, natural disasters, fires, power loss.
- Infrastructure: servers, data storage, network devices, virtualisation solutions. You are left with more time and resources to think about other security layers.
Microsoft Azure cloud solutions fully comply with requirements of the old natural person data protection directive and other security standards.
How can you prepare for General Data Protection Regulation? Download this free GDPR document package!
Madars Šmits, SQUALIO Cloud Solution Product Manager