The so-called “GDPR” reshuffles the existing regulatory structure to enforce stringent data protection rules across the European Union and beyond. Every EU-based company acting as a “controller” or “processor” of personal data is concerned, as is every company established outside the EU that processes the personal data of EU citizens.
For that, organizations must already start building their compliance program based on the right combination of strategy, environment specifics and constraints (technical or legal), an understanding of the personal data processed and the purpose of such processing, the type of data subjects, the potential impact on data flows, as well as risk appetite. To accomplish this, organizations have to assess their compliance maturity, understand the regulatory requirements and take the business needs into consideration – a tremendous challenge to take up within 18 months.
Understanding regulatory requirements
What is personal data? The concept of personal data is broad: it means any information relating to an identified or identifiable natural person (the so-called “data subject”).
DG-Datenschutz – While some categories of personal data are obvious – identification data (name, national security number, DNA etc.), data sets, race, religious beliefs, biometrics (fingerprints, pictures), bank account numbers, and criminal records – others are less obvious. This is the case, for example, for browsing or computer usage data, bank transactions, credit history and risk data, assessments and performance ratings, or location at a certain time, according to the German Association for Data Protection. In addition, and to prevent a common misconception, the rules on personal data processing apply even when the personal data are encrypted, replaced by a pseudonym, publicly known or spread across multiple locations.
In addition, anonymous data can become personal data when it is collected and combined in a particular context and allows the identification of data subjects. For example, while a “19 year old man playing football in Luxembourg” cannot be identified, he becomes identifiable if we add that he “has been a goalkeeper at Steinfort for three years”.
What is processing? Also a very broad concept, “processing” covers every operation that can be performed on personal data, from initial collection to final deletion or destruction (including creating personal data, storing, using, copying, aggregating, adapting, enriching, sharing, transferring, retaining, selling, losing and deleting these data).
When processing personal data, the General Data Protection Regulation requires that data controllers and processors do so lawfully, fairly and transparently. They have to be open and honest about what they are doing and why. They cannot mislead data subjects about why they are processing their personal data. Data controllers and processors have to stick to their stated purpose, minimise the amount of personal data held, and keep it accurate, up to date, secure and confidential at all times. They must then delete or destroy it when the purpose for which it was collected or created is fulfilled, or if the consent legitimating the use of the data has been withdrawn. Data subjects who ask what is happening with their personal data are entitled to answers and to receive copies. If they have good grounds to ask for the processing to stop, then it has to be stopped.
Key issues to focus on from a business point of view
Companies need to reconsider how they collect, process and store data, with the help of a data protection officer. The new rules will impact them at different levels:
Compliance: for example, organizations will have to deal with a new “accountability” obligation, which implies keeping written compliance records of the actions taken under the GDPR with regard to risks and impacts, records which may have to be shared with the authorities when required.
Usage controls: personal data will be subject to strict usage control principles, such as “data minimisation”, “data portability” and the “right to be forgotten”. This means organizations have to limit the use of data, enable individuals to take back their data at the end of a relationship, and delete and destroy data on request. The GDPR also restricts automated decision-making as well as the profiling of natural persons.