How to protect personal data and comply with the GDPR
6 September 2017
In order to comply with the GDPR, organisations must implement appropriate technical measures that ensure compliance. This is established under Article 32, which delineates the GDPR’s “security of processing standards”, and is required of both data controllers and data processors.
When implementing these measures, the Regulation does state that “the state of the art and the costs of implementation” and “the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” must be taken into account.
This means that there won’t be one universal set of technical and organisational measures, because data is collected, stored and processed in different ways and presents different levels of risk to individuals. However, the GDPR has set out some suggested methods for data protection.
Privacy by Design and Privacy by Default
Although supervisory authorities have typically advised that organisations take this approach, for the first time the GDPR actually lays out “privacy by design” and “privacy by default” as specific obligations. Under this requirement, companies will need to design compliant policies and systems from the outset.
Under Article 25, a data controller is required to implement appropriate technical and organisational measures at the time of determining the means of processing and at the time of the actual processing. When determining what measures to implement, the controller should take into account “the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the likelihood and severity of risks to the individual posed by the processing of their data”.
In addition, organisations must give individuals the maximum privacy protection as a baseline: for example, explicit opt-in, safeguards to protect consumer data, restricted sharing and retention policies. When setting up a new social media profile, for instance, privacy settings would be set to the most privacy-friendly setting automatically. It would then be up to the user to reduce these if they so wished. This approach directly lowers the data security risk profile. The less data you have, the less damaging a breach will be.
Data Minimisation
Data minimisation is an essential principle of data protection. It establishes that personal data should not be retained or further used unless it is necessary for purposes clearly stated at the time of collection. The principle applies to the entire lifecycle of the personal data, from the amount collected to the extent of the processing and the period of storage and accessibility.
Data must be “adequate, relevant and limited to what is necessary, in relation to the purposes for which they were processed”, meaning controllers need to make sure that they collect enough data to achieve their purpose but not more than what is needed.
Privacy Impact Assessments
These are an integral part of the “privacy by design” approach and can help you identify and reduce the privacy risks of your projects. They allow organisations to find and fix problems at the early stage of any project, and to reduce the associated costs and reputational damage that may otherwise accompany a data breach.
Some situations where a Privacy Impact Assessment (PIA) should be carried out could include:
- A new IT system for storing and accessing personal data
- A business acquisition
- A data sharing initiative
- Using existing data for a new and unexpected or more intrusive purpose
- A new surveillance system
- A new database which consolidates information held by separate parts of an organisation
Under Article 35 of the GDPR, PIAs are mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights and freedoms of data subjects. However, they are a good strategic tool for any organisation which processes, stores or transfers personal data.
Pseudonymisation
Article 4(5) of the GDPR defines pseudonymisation as “the processing of data in such a way that it can no longer be attributed to a specific data subject without the use of additional information”. For a data set to be pseudonymised, the “additional information” must be kept separately and securely from the de-identified data.
The GDPR incentivises data handlers to implement this method because it allows them to use personal data more liberally without infringing on individuals’ rights. This is outlined in Article 6(4)(e), which states that pseudonymised data may be processed for purposes beyond those for which the data was originally collected. This is because the data only becomes identifiable when held together with the “additional information”.
However, it is important to note that pseudonymisation is not a cast-iron guarantee of data protection. It does not mean organisations using this method would not need to report a data breach to their supervisory authority.
The effectiveness of pseudonymisation hinges on its ability to protect individuals from “re-identification”. This depends on a number of things, including:
- the techniques used for pseudonymisation;
- where the additional identifiable elements are stored in relation to the pseudonymised data; and
- the likelihood that non-identifiable elements could be used to uniquely identify a specific individual.
Unfortunately, the GDPR is quite vague on the level of data protection that pseudonymisation itself provides. Only in Recital 26 does it mention that data handlers should take into account whether re-identification is “reasonably likely”.
There are no official guidelines as to what constitutes “reasonably likely”. The GDPR merely advises that data handlers take into account “all objective factors”, for example “the costs of and the amount of time required for identification, the available technology at the time of the processing and technological developments.”
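The separation of pseudonymised data from the “additional information” described above, as an added example that is not part of the original article. It assumes a keyed HMAC (rather than a plain hash, which anyone could recompute from a guessed identifier) and a lookup table that stands in for the separately stored additional information; the sample records are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (not real people).
RECORDS = [
    {"email": "alice@example.org", "city": "Leeds", "order_total": 42.10},
    {"email": "bob@example.org", "city": "York", "order_total": 18.00},
]


def pseudonymise(records, key):
    """Replace the direct identifier (email) with a keyed pseudonym.

    Returns (pseudonymised_records, additional_information). The second
    value is the Article 4(5) 'additional information': together with the
    key it is the only link from a pseudonym back to a person, so it must
    be stored separately (and more securely) than the pseudonymised set.
    """
    pseudonymised = []
    mapping = {}  # token -> original identifier (kept apart from the data)
    for rec in records:
        email = rec["email"].strip().lower()
        # HMAC with a secret key: the same email always yields the same
        # token under one key, but nobody without the key can recompute
        # or reverse it, unlike an unkeyed SHA-256 of the email.
        token = hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]
        out = {k: v for k, v in rec.items() if k != "email"}
        out["subject_id"] = token
        pseudonymised.append(out)
        mapping[token] = email
    return pseudonymised, mapping


def reidentify(token, additional_information):
    """Only possible when the separately held mapping is available."""
    return additional_information.get(token)


def contains_direct_identifiers(records):
    """Sanity check before releasing the pseudonymised set: no emails left."""
    return any("@" in str(v) for rec in records for v in rec.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored outside the data set
    data, extra = pseudonymise(RECORDS, key)
    print(data)
    print("re-identified:", reidentify(data[0]["subject_id"], extra))
```

The pseudonymised records can be used for analysis; whether re-identification is “reasonably likely” then depends on who can reach the key and the mapping, and on whether the remaining fields (here city and order total) single anyone out.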
What should organisations do?
The bottom line is that privacy should be embedded into every process, procedure and system which handles data. Under GDPR organisations need a proactive approach to data privacy and protection. It should be an important part of the planning process and throughout the entire lifecycle.
There are many security measures that businesses can implement. Ideally, you should be looking at solutions which cover multiple angles. Relying solely on encryption or pseudonymisation won’t cut it.