On May 25, 2018, the new privacy law (the General Data Protection Regulation, or GDPR) will take effect, and businesses will be forced to be more careful with personal data. It is important to enforce both careful technical and careful organisational handling of personal data within your organisation. But where to start? To help you on your way, I will use some privacy by design principles to provide you with stepping stones towards compliance, and thus more online privacy.
First of all, it is important to always communicate in a transparent and direct way why you need certain personal data in an online form. It is strictly prohibited to use the data for purposes other than the one mentioned there. You need to communicate these conditions in clear terms, so make sure that the person from whom you are collecting the data does not need to read the same sentence three times before they can understand what they are agreeing to. For example, do not use double negatives in such sentences: "I do not agree with not sharing data with parties not on the list."
An important part of the Privacy by Design Framework is data minimisation. This means that you do not process more personal data than necessary for the purpose of the processing. Think about the contact form on your website. Do you ask for a private address? Ask yourself whether this is really necessary. Will you be contacting this person by post? If not, the GDPR will prohibit you from asking for it. The underlying idea of data minimisation is that you only process the information that you actually need to achieve your goal.
Do you need the data anyway? Then it is important to pseudonymise it as quickly as possible. This means that the personal data is encrypted, so that the data subjects (the people whose personal data are being processed) are no longer directly identifiable, but can still be individualised. It is important that both the data and the storage are encrypted.
The person whose data is being processed has a number of rights, such as the right of access and the right to data portability. This means that this person must be able to obtain the personal data that an organisation holds about them. To be able to comply with this, you need to think about how to make sure the data can be transferred quickly and easily. As explained in the previous paragraph, the data has to be encrypted, but it also needs to be decrypted again. The data needs to be presented in a format that allows others to work with it as well.
In addition, the person in question can request that their personal data is transferred to another provider, for example when they want to switch telecom providers. Here too, the data needs to be immediately usable by the third party.
Saving and deleting data
Finally, the storage of personal data is only allowed as long as it is necessary for achieving the goal for which it was collected or processed. This is a general rule that has different effects in different situations. If the personal data was processed for a goal that is no longer relevant, the data needs to be deleted. To remove data smoothly, it is smart to build systems that automatically delete data once it is no longer needed.
There is one more right for the client: the right to be forgotten (the right to erasure). When the person in question invokes this right, their personal data needs to be removed from all systems. It is important to check whether all data has truly been erased. Copies might have been made of the database, and back-ups need to be deleted as well.
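The pseudonymisation, automatic deletion and erasure steps above, as an added example (not code from the original post). It uses a keyed HMAC pseudonym with a separately stored identity table instead of encrypting the records themselves; the secret, the retention period, the subjects and the backup snapshots are all constructed for the illustration.

```python
import hmac
import hashlib
import json
from datetime import datetime, timedelta


class PseudonymisedStore:
    """Constructed example: records keyed by pseudonym, with retention, erasure and export."""

    def __init__(self, secret: bytes, retention_days: int):
        self.secret = secret                        # pseudonymisation key, held apart from the data
        self.retention = timedelta(days=retention_days)
        self.records = {}                           # pseudonym -> record without direct identifiers
        self.lookup = {}                            # pseudonym -> identifying data (separate store)
        self.backups = []                           # snapshots of self.records (constructed "back-ups")

    def pseudonym(self, email: str) -> str:
        # Keyed HMAC: the same subject always maps to the same token (still individualisable),
        # but without the key the token cannot be turned back into the identity.
        return hmac.new(self.secret, email.strip().lower().encode(), hashlib.sha256).hexdigest()

    def store(self, email: str, name: str, payload: dict, now: datetime) -> str:
        p = self.pseudonym(email)
        self.lookup[p] = {"email": email, "name": name}
        self.records[p] = {"payload": payload, "collected": now.isoformat()}
        return p

    def backup(self) -> None:
        self.backups.append(dict(self.records))

    def erase(self, p: str) -> None:
        # Right to erasure: remove from the primary store, the identity table and every backup.
        self.records.pop(p, None)
        self.lookup.pop(p, None)
        for snapshot in self.backups:
            snapshot.pop(p, None)

    def purge_expired(self, now: datetime) -> int:
        # Automatic deletion once the retention period for a record has passed.
        expired = [p for p, r in self.records.items()
                   if datetime.fromisoformat(r["collected"]) + self.retention <= now]
        for p in expired:
            self.erase(p)
        return len(expired)

    def is_erased(self, email: str) -> bool:
        # Verification step: the pseudonym must be absent from records, lookup and all backups.
        p = self.pseudonym(email)
        return (p not in self.records and p not in self.lookup
                and all(p not in snapshot for snapshot in self.backups))

    def export(self, email: str) -> str:
        # Data portability: re-identify via the lookup table and hand out machine-readable JSON.
        p = self.pseudonym(email)
        return json.dumps({**self.lookup[p], **self.records[p]}, indent=2)
```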
Time is ticking
You only have 6 months left to get your organisation ready for the GDPR. My advice is to really delve into the technical and organisational measures you need to take. Think about how your systems need to be set up to meet all the requirements and how best to monitor them. When setting up a system, it is important to always guarantee confidentiality, integrity and availability. Privacy comes first. In short, only ask for the information you actually need. That will save you a whole lot of trouble.
By: Wido Potters