This is the third in a series of blog posts that summarize some of the key concepts of the European Union’s new General Data Protection Regulation (GDPR or “the Regulation”). Our previous posts answered two frequently asked questions: What is GDPR? and Does my business need to be GDPR compliant?. In this next blog post, we unpack one of the key principles of the Regulation — privacy by design.
Once a business has met at least one of the six lawful grounds for processing data (explained more in our e-book), it is essential that the data is processed securely.
GDPR sets out multiple principles governing the collection and use of personal data that follows the overall philosophy of “privacy by design and default”.
Dr. Ann Cavoukian first developed the concept of privacy by design (PbD) in the mid-1990s while working as the Commissioner of Information and Privacy in Ontario. PbD calls for technology to have a comprehensive and proactive approach to protecting privacy, and includes seven foundational principles, many of which are adapted for GDPR. Some of these core principles include:
Data protection by design and default appears in Article 25 of the Regulation. “Protection by design” means the principles of data protection are built into the technology from the beginning, and not as an afterthought. This responsibility rests on the shoulders of the data controllers. The second part of the phrase, “protection by default” means the data is protected automatically and does not require any action on the part of the data subject or data controller. Basically, if you were to do nothing, the data is still protected.
The expectation under GDPR is that a company will have instituted security measures to minimize the risk of a data breach occurring, and will mitigate the risk that personal data would be exposed even if one were to occur. Article 32 outlines several methods for securing personal data, many of which are standard operating procedure at TrueVault:
• Data de-identification: Remove or tokeninize identifying information.
• Data encryption
• Routine data backups, and the ability to restore backups in a timely manner
• Regular testing and assessment of technology and processes
Data controllers and/or processors are required to maintain accurate records of the personal data they have stored in their system. The best way to go about this is to create a user-friendly way for data subjects to update their information with your company, and offer frequent reminds as to the data your company has stored on each data subject.
Companies are no longer permitted to collect large datasets about their users under GDPR. Instead, data processors must only collect data they can prove a legitimate interest in collecting, and/or get explicit consent from the data subject. Related to the lawful grounds mandate is the expectation that companies will only process the minimum amount of data necessary in order to do business. Notably, even if the company has consent to collect data from the data subject, they must be able to prove that the data they are collecting is tied directly to their business goals.
Personal data must be stored only for as long as it takes to fulfill certain processing requirements. After the data processing is complete, the data should be deleted. Similarly, data subjects have the right to request that some or all of their data be deleted at any time. This is frequently described as the “Right to be Forgotten” principle.
In order to comply with GDPR, the technology and processes a company uses must be equipped to fulfill these data security and data protection principles. For instance, if a data subject files a request for her data to be deleted, the data processor must have a simple way to identify all the personal data it has stored on the data subject and delete those specific records to fulfill this request.
Compliance is an end-to-end process. We took the information described in our GDPR Guide (and this blog series) and compiles it in an easy-to-use checklist.