How to protect personal data and comply with the GDPR
6 September 2017
In order to comply with the General Data Protection Regulation (GDPR), one of the things that organisations must do is to implement appropriate technical and organisational measures that ensure and demonstrate compliance. This is established under Article 32, which delineates the GDPR’s “security of processing standards”, and is required of both data controllers and data processors.
When implementing these measures, the Regulation does state that “the state of the art and the costs of implementation” and “the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” must be taken into account.
This means that there won’t be one universal set of technical and organisational measures, due to the fact that the different ways data is collected, stored and processed present different levels of risk to individuals. However, the GDPR has set out some suggested methods for data protection.
Privacy by Design and Privacy by Default
Although supervisory authorities have typically advised that organisations take this approach, for the first time the GDPR actually lays out “privacy by design” and “privacy by default” as specific obligations. Under this requirement, companies will need to design compliant policies, procedures and systems at the outset of any product or process development.
Under Article 25, a data controller is required to implement appropriate technical and organisational measures at the time of determining the means of processing and at the time of the actual processing. When determining what measures to implement, the controller should take into account “the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the likelihood and severity of risks to the individual posed by the processing of their data”.
In addition, organisations must give individuals the maximum privacy protection as a baseline: for example, explicit opt-in, safeguards to protect consumer data, restricted sharing, and retention policies in place. One example would be social media: when setting up a new profile, the privacy settings would by default be set to the most privacy-friendly option, and it would then be up to the user to relax them if they so wished. This approach directly lowers the data security risk profile, as the less data you hold, the less damaging a breach will be.
Data Minimisation
An essential principle of data protection, data minimisation establishes that personal data should not be retained or further used unless it is necessary for purposes clearly stated at the time of collection. The principle applies to the entire lifecycle of the personal data: the amount collected, the extent of the processing, and the period of storage and accessibility.
Data must be “adequate, relevant and limited to what is necessary, in relation to the purposes for which they were processed”, meaning controllers need to make sure that they collect enough data to achieve their purpose but not more than what is needed.
Privacy Impact Assessments
These are an integral part of the “privacy by design” approach and can help you identify and reduce the privacy risks of your projects. They allow organisations to find and fix problems at the early stage of any project, and to reduce the costs and reputational damage that may otherwise accompany a data breach.
Some situations where a Privacy Impact Assessment (PIA) should be carried out could include:
- A new IT system for storing and accessing personal data
- A business acquisition
- A data sharing initiative
- Using existing data for a new and unexpected or more intrusive purpose
- A new surveillance system
- A new database which consolidates information held by separate parts of an organisation
Under Article 35 of the GDPR, PIAs are mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights and freedoms of data subjects. However, they are a good strategic tool for any organisation which processes, stores or transfers personal data.
Pseudonymisation
Article 4(5) of the GDPR defines pseudonymisation as “the processing of data in such a way that it can no longer be attributed to a specific data subject without the use of additional information”. For a data set to count as pseudonymised, the “additional information” must be kept separately and securely from the de-identified data.
The GDPR does incentivise data handlers to implement this privacy-enhancing method because it allows them to use personal data more liberally without infringing on individuals’ rights. This is outlined in Article 6(4)(e), which states that pseudonymised data may be processed for purposes beyond the one for which the data was originally collected. This is because the data only becomes identifiable when held together with the “additional information”.
However, it is important to note that pseudonymisation is not a cast-iron guarantee of data protection, and using this method does not mean that organisations would not need to report a data breach to their supervisory authority.
The effectiveness of pseudonymisation hinges on its ability to protect individuals from “re-identification”, and this depends on a number of things including the techniques used for pseudonymisation, where the additional identifiable elements are stored in relation to the pseudonymised data and the likelihood that non-identifiable elements could be used to uniquely identify a specific individual.
Unfortunately, the GDPR is itself quite vague on the level of protection that pseudonymisation provides, stating only in Recital 26 that data handlers should take into account whether re-identification is “reasonably likely”.
There are no official guidelines as to what constitutes “reasonably likely”; the GDPR merely advises that data handlers take into account “all objective factors”, such as “the costs of and the amount of time required for identification, the available technology at the time of the processing and technological developments.”
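The following added example (not code from the article) shows the two points above in practice: direct identifiers are replaced with keyed pseudonyms whose key and lookup table are the separately held “additional information”, and the remaining quasi-identifiers are checked for how many records they still single out before and after generalisation. The records, field names and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictitious people). "email" is the direct identifier;
# "postcode" and "birth_year" are quasi-identifiers that identify nobody on their own.
RECORDS = [
    {"email": "ana@example.com", "postcode": "SW1A 1AA", "birth_year": 1984, "diagnosis": "asthma"},
    {"email": "ben@example.com", "postcode": "SW1A 2BB", "birth_year": 1986, "diagnosis": "none"},
    {"email": "cara@example.com", "postcode": "SW1A 1AA", "birth_year": 1984, "diagnosis": "none"},
    {"email": "dan@example.com", "postcode": "EC1A 1BB", "birth_year": 1990, "diagnosis": "diabetes"},
    {"email": "eve@example.com", "postcode": "EC1A 9ZZ", "birth_year": 1995, "diagnosis": "none"},
    {"email": "fay@example.com", "postcode": "EC1A 9ZZ", "birth_year": 1995, "diagnosis": "asthma"},
]


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed HMAC-SHA256 token.
    Returns (pseudonymised records, lookup table). The key and the lookup table
    are the Art. 4(5) "additional information": store them apart from the output
    under tighter access control. A keyed HMAC, unlike a plain hash, cannot be
    reversed by simply hashing guessed e-mail addresses."""
    out, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = rec["email"]
        out.append({"id": token, **{k: v for k, v in rec.items() if k != "email"}})
    return out, lookup


def reidentify(token, lookup):
    """Only the holder of the separately stored lookup table can do this."""
    return lookup.get(token)


def reidentification_risk(records, fields):
    """Recital 26 check: how many records do the quasi-identifiers alone single out?
    Returns (number of unique records, size of the smallest group)."""
    groups = Counter(tuple(rec[f] for f in fields) for rec in records)
    return sum(1 for n in groups.values() if n == 1), min(groups.values())


def generalise(records):
    """Coarsen quasi-identifiers (outward postcode, birth decade) to cut uniqueness."""
    return [{**rec, "postcode": rec["postcode"].split()[0],
             "birth_year": rec["birth_year"] // 10 * 10} for rec in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # lives with the lookup table, never with the data set
    pseudo, lookup = pseudonymise(RECORDS, key)
    print(reidentification_risk(pseudo, ("postcode", "birth_year")))
    print(reidentification_risk(generalise(pseudo), ("postcode", "birth_year")))
```

On this sample, full postcode plus birth year singles out two of the six records even with e-mails removed; generalising both fields leaves every record in a group of three.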
What should organisations do?
The bottom line is that privacy should be embedded into every process, every procedure and every system which handles or relates to personal data. Under the GDPR, organisations need to be proactive when it comes to data privacy and protection; it should be an important part of the planning process and remain so throughout the entire lifecycle.
There are many security measures that businesses can implement and, ideally, you should be looking at solutions which cover multiple angles. Relying solely on encryption or pseudonymisation won’t cut it.