By its basic definition, the General Data Protection Regulation (GDPR) is the regulation by which the European Parliament and the Council of the European Union regulate and unify data protection and privacy for all individuals within the European Union.
Simply put, GDPR is the set of rules governing how personal data is collected, processed, stored and distributed. Its main objective is to protect personal data as a matter of human rights.
First, let's define which data GDPR treats as personal. Any information that allows a person to be identified quickly is considered personal information.
For example, a corporate email address that includes a first name and surname qualifies as personal data, while one with any other content, e.g. info@company, does not. A name together with a mobile phone number is personal data as well. However, an address or telephone number by itself is general information. If you can find out any fact about a person from the data (workplace, contacts, etc.), it becomes personal.
The company is allowed to process data only after obtaining consent. Data processing includes collection, storage, modification, use, distribution, depersonalization and destruction. Under GDPR, consent is confirmed by a statement that gives the subject full information about what he or she agrees to. In short, accepting the "terms of use" is enough to obtain simple consent for personal data processing. At the same time, permission must be given by a specific affirmative action, meaning a freely given, specific, informed and unambiguous agreement by the data subject to the processing of their personal data.
If you choose such a consent form, be ready to fulfill the following requirements:
Following the rules means not only obtaining consent but also keeping to the terms of the agreement. Once the person withdraws consent, the company should immediately delete the personal data.
GDPR sets no precise requirements on how to handle, classify and protect personal data, so the company can choose its own procedure for receiving data. The most common method is to anonymize the information by means of encryption and pseudonymization. Web developers are free to choose the protection method, but the level of protection must reflect what is technically available to companies (the state of the art).
Pseudonymization is one of the technical and organizational measures that ensure a level of security appropriate to the risk. It changes the information so that the personal data can no longer be attributed to a specific subject without the separately kept additional information.
In practice, it is enough to encrypt the personal database and keep the decryption keys separately. Then, in case of a leak, the data cannot be identified without the key, and the key can also be rotated. Another way to protect the data is to split the database and store the parts separately: one attribute per database, linked by an assigned personal number. No single database then contains personal data, and the system joins them only for specific operations. Separating the name from the rest of the data and replacing it with another identifier is the pseudonymization process.
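The split-database variant described above, as an added illustration that is not part of the original post: identifying fields go into one store, everything else into another, and the only link is a keyed pseudonym that nobody can recompute without the key. The record set, field names and class are constructed for this example; it also shows key rotation and deletion on withdrawal of consent.

```python
import hmac
import hashlib

# Constructed sample records (fictional people), not data from the post.
RECORDS = [
    {"name": "Anna Kowalska", "email": "anna.k@example.com", "city": "Krakow", "plan": "pro"},
    {"name": "Bob Lee", "email": "bob.lee@example.com", "city": "Leeds", "plan": "free"},
]
IDENTIFYING = ("name", "email")  # fields that point at a natural person


class PseudonymStore:
    """Two stores kept apart: `data` holds non-identifying attributes keyed by a
    pseudonym; `identity` maps pseudonym -> identifying fields and is stored
    elsewhere, together with the key. `data` alone cannot be attributed to anyone."""

    def __init__(self, key: bytes):
        self.key = key
        self.data = {}
        self.identity = {}

    def pseudonym(self, record: dict) -> str:
        # Keyed, deterministic pseudonym: the same person always gets the same id,
        # but only the key holder can compute it (truncated to 64 bits for brevity).
        material = "|".join(record[f] for f in IDENTIFYING).encode()
        return hmac.new(self.key, material, hashlib.sha256).hexdigest()[:16]

    def add(self, record: dict) -> str:
        pid = self.pseudonym(record)
        self.identity[pid] = {f: record[f] for f in IDENTIFYING}
        self.data[pid] = {k: v for k, v in record.items() if k not in IDENTIFYING}
        return pid

    def reidentify(self, pid: str) -> dict:
        # Joining the two stores is the only step that yields personal data again.
        return {**self.identity[pid], **self.data[pid]}

    def erase(self, pid: str) -> None:
        # Withdrawal of consent: remove both the link and the attributes.
        self.identity.pop(pid, None)
        self.data.pop(pid, None)

    def rotate_key(self, new_key: bytes) -> None:
        # Re-key: every pseudonym is recomputed under the new key, so ids leaked
        # under the old key no longer match anything in either store.
        old_identity, old_data = self.identity, self.data
        self.key, self.identity, self.data = new_key, {}, {}
        for pid, ident in old_identity.items():
            self.add({**ident, **old_data[pid]})
```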
Each company can document all the measures it takes to protect personal data in the form of a description, checklist, log book, etc. This is the best way to protect both the company and its clients in case of an information leak. How do you prove that you follow the Regulation? Document every measure and action taken. Then, if information leaks, the company may be exempt from administrative fines for violating the Regulation, since it took all the required steps.
This is not a rule but a piece of advice, which is not mandatory to implement. State bodies and some types of private organizations may appoint a data protection officer (DPO) to protect personal data. The officer should monitor compliance with security measures, act as a consultant for Data Protection Impact Assessments (DPIA), and be the contact person both for the people who provide personal data and for the supervisory body. Position requirements: an existing employee can be appointed as the officer, or a new one hired. The main thing is that the candidate must be an independent expert in the field of personal data protection.
Appointment of an officer is mandatory for:
If you want one more organizational tool to secure and protect personal data, appointing a data protection officer is welcome.
Under GDPR, the personal data protection sphere involves a subject (the person who provides the information), a controller and an operator. In the case of a personal data breach, each must act according to the obligations of their role.
The Subject is an individual who provides the data for further processing.
The Controller is the owner of the database, who defines the objectives and the means of gathering personal information.
The Operator is the specialist who works directly with the database.
In the Case of Information Leakage, It Is Necessary to Take the Following Measures:
Notify the controller, the supervisory body and the subject about the incident, where possible.
If you don't want to miss any crucial information about GDPR, keep this guide at hand and confirm your compliance with ISO/IEC 29134:2017 by carrying out a DPIA (Data Protection Impact Assessment).
As it turns out, the much-discussed Regulation is nothing super complex. Following GDPR is not as complicated as it appears at first sight. Huge fines do not threaten those who faithfully follow the rules and keep documentary evidence of it.
We at Evergreen stick to the level of security required by the GDPR and know what actions to take to keep our customers' data safe.