The new regulation passed by the European Union, the General Data Protection Regulation (GDPR), goes into effect on May 25th, 2018 across the European Union (EU) and in Norway, Iceland and Liechtenstein. The GDPR is designed to strengthen the protection of personal data within information systems. It also aims to protect data subjects against abuse of their personal information by limiting the collection, storage and distribution of such data. Managers of companies and institutions that work with or have access to personal data must know and comply with the GDPR, because failure to comply can have serious consequences, including administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. This white paper highlights a few critical articles of the GDPR, their possible impact on companies and institutions, and solutions for compliance.
Many popular and widely used technical services of recent years are built on the collection and processing of data, often referred to as 'big data'. Building huge databases that collect, sort and analyse new information in real time according to customer demands and needs is big business. Specific examples are the free services Google Maps, which displays traffic intensity on individual roads in real time, and Google Translate, which uses Google Neural Machine Translation (GNMT), a machine translation system based on artificial neural networks and deep learning. Another example of big data in use today is the forecasting and monitoring of epidemics, such as the current major public health concern threatening Europe and North America. The services in these examples are made possible only by the collection and analysis of enough data (such as traffic on roads), provided willingly by consumers after a brief glance at the terms and conditions of the service, or without reading them at all. These terms and conditions allow companies to track and monitor people and to use the data gathered to analyse and predict consumer behaviour. Until now, the customer's acceptance of the terms and conditions has been assumed unless the customer ticks a 'do not accept' box. The GDPR demands an explicit, affirmative acceptance from the consumer before tracking and data submission may begin.
Seven key implications of the GDPR are described below.
Informed consent
Informed consent is one of the cornerstones of the GDPR. Silence, inactivity or pre-ticked boxes, and thereby assumed consent, can no longer be interpreted as consent. Consent to specific conditions must be given by a clear affirmative action. Furthermore, a person's decision on consent must be based on precise and unambiguous information, and consent must be as easy to withdraw as it was to give.
Notification of data breaches
Technology, including computers and mobile devices, can be exploited, leading to security breaches and stolen data. In some cases a security breach leads to the leakage or theft of personal information. Upon such a breach, the company or institution must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to the rights and freedoms of the affected persons, they must also be informed directly without undue delay. Reporting the event will not by itself reduce the users' loss or damage, but prompt notification lets them take protective measures such as changing passwords or watching for fraud, and is required regardless.
Right of access by the data subject
A company or institution controlling a data subject's personal data is obliged to provide the subject with that information free of charge. The customer has a right to know which of her personal data is stored, where it is stored, how it is processed and for what purpose. Today, companies and institutions can demand a fee for this service; the GDPR protects the customer by removing it, allowing a reasonable fee only for requests that are manifestly unfounded or excessive, for example because of their repetitive character.
Where the data is stored
Cloud storage of data continues to grow rapidly, and today the owners of personal information have little knowledge of where it is actually stored. The geographic location matters: it makes a difference whether the information is stored within the European Economic Area (EEA = EU + Iceland + Norway + Liechtenstein) or outside it, for example in the United States of America, since transfers outside the EEA are only permitted under the safeguards the regulation provides for.
The Right to Erasure (Right to be Forgotten)
Data subjects have the right to formally request the erasure of their personal data, including data that has been made public, as on a website or in an archived news article. The clause, also referred to as the 'Right to be Forgotten', was born out of successful court cases in Spain and Italy. A company or institution must have a valid reason for continuing to store or process personal information. This clause caused concern in the information processing community, because locating every copy of a person's data can be tedious or nearly impossible in a large organisation, once the data has spread into backups, logs, data warehouses and exports. A practical solution is to encrypt personal data from the outset with a key that belongs to the individual data subject, so that destroying that key renders every copy of the ciphertext unreadable wherever it has ended up (this technique is often called crypto-shredding). Furthermore, care should be taken to store only the information that is needed, and only for as long as it is needed.
Data protection by design and by default
Data protection by design and by default means that companies and institutions consider the full scope of technical and organisational measures, as well as the context and purposes of the processing of personal data, when the information systems are being constructed, not afterwards. Companies and institutions should develop their protection methodologies and processes for processing, transferring and storing personal data, together with risk assessments of potential threats and vulnerabilities, before the data enters their systems. The controls of the information security standard ISO/IEC 27001:2013 are practical for this purpose, e.g. access control, data encryption and workflow registration (audit logging) that ensures traceability of data processing, as are privacy-friendly defaults such as collecting only the fields needed for the stated purpose.
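The following is an added example, not code from the original article or from Stiki, showing in Python how the encryption suggested under the Right to Erasure and the traceability controls mentioned here fit together: each data subject gets their own data-encryption key held in a separate vault, every field is stored only as ciphertext under that key, every store, read and erasure is written to an audit log, and erasure is carried out by destroying the subject's key so that every copy of the ciphertext, including copies in backups, becomes unreadable. The store and the vault are in-memory stand-ins for a database and a key-management service; the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, used only so that the file runs with the standard library alone. In production use an authenticated cipher such as AES-GCM from the `cryptography` package and a real key vault; the key lifecycle, not the cipher, is the point. The subject identifiers, field names and values are constructed sample data.

```python
"""Crypto-shredding with per-subject keys plus an audit trail (added example)."""
import hashlib
import hmac
import secrets
import time

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for a real stream/AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def is_authentic(key: bytes, blob: bytes) -> bool:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def decrypt(key: bytes, blob: bytes) -> bytes:
    if not is_authentic(key, blob):
        raise ValueError("ciphertext rejected: bad tag (wrong key or tampering)")
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class PersonalDataStore:
    """Ciphertext per (subject, field); keys kept apart; every operation logged."""

    def __init__(self) -> None:
        self._vault = {}      # subject_id -> data-encryption key (hypothetical KMS stand-in)
        self._records = {}    # subject_id -> {field: ciphertext}
        self._purposes = {}   # subject_id -> {field: purpose of processing}
        self.audit = []       # traceability log, one entry per processing operation

    def _log(self, action, subject_id, actor, purpose, **extra):
        self.audit.append({"ts": time.time(), "action": action, "subject": subject_id,
                           "actor": actor, "purpose": purpose, **extra})

    def store(self, subject_id, field, value: str, purpose, actor):
        key = self._vault.setdefault(subject_id, secrets.token_bytes(KEY_LEN))
        self._records.setdefault(subject_id, {})[field] = encrypt(key, value.encode())
        self._purposes.setdefault(subject_id, {})[field] = purpose
        self._log("store", subject_id, actor, purpose, field=field)

    def read(self, subject_id, actor, purpose) -> dict:
        key = self._vault.get(subject_id)
        if key is None:  # no key: data was erased or never existed; ciphertext is useless
            self._log("read-denied", subject_id, actor, purpose)
            raise LookupError(f"no key for {subject_id}: data erased or never stored")
        self._log("read", subject_id, actor, purpose)
        return {f: decrypt(key, ct).decode() for f, ct in self._records[subject_id].items()}

    def access_report(self, subject_id) -> dict:
        """Right of access: which fields are held and for what purpose, without decrypting."""
        return dict(self._purposes.get(subject_id, {}))

    def erase(self, subject_id, actor) -> bool:
        """Right to erasure by crypto-shredding: destroy the key, not the ciphertext.
        The key must also be removed from every backup of the vault; the data copies
        themselves may remain in backups, logs and exports and are now unreadable."""
        if subject_id not in self._vault:
            return False
        del self._vault[subject_id]
        self._purposes.pop(subject_id, None)
        self._log("erase", subject_id, actor, "right to erasure")
        return True

    def ciphertext_still_present(self, subject_id) -> bool:
        return subject_id in self._records


def demo():
    """Store, read, erase, then show the data is gone while its ciphertext is not."""
    store = PersonalDataStore()
    store.store("subj-001", "email", "alice@example.org", "newsletter", "web-app")
    store.store("subj-001", "health", "penicillin allergy", "clinic-record", "ehr")
    before = store.read("subj-001", "nurse-7", "treatment")
    fields_held = store.access_report("subj-001")
    store.erase("subj-001", "dpo")
    try:
        store.read("subj-001", "nurse-7", "treatment")
        readable_after = True
    except LookupError:
        readable_after = False
    actions = [e["action"] for e in store.audit]
    return before, fields_held, readable_after, store.ciphertext_still_present("subj-001"), actions


if __name__ == "__main__":
    print(demo())
```

The audit list is what an auditor asks for when verifying traceability: who read which subject's data, when and for what purpose, and when it was erased. Note that a read after erasure is itself logged as denied, which is the evidence that the erasure is effective.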
Data Protection Officers
A Data Protection Officer (DPO) must be appointed by public authorities and by any company or institution whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of the special categories of data described below. (The frequently quoted threshold of 250 employees does not govern the DPO requirement; it concerns the exemption from keeping records of processing activities.) The DPO must have sound knowledge of data protection, including the assignment of responsibilities, awareness raising and training of all staff involved in the processing operations. The DPO must also be well versed in the relevant legal framework and cooperate with the supervisory authority. DPOs should work in a similar manner to compliance officers in financial institutions, and the DPO must report directly to the highest management level. Outsourcing the DPO role is another option, as is adding the duties to an existing compliance officer or security manager, provided that this does not create a conflict of interest with that person's other tasks.
Sensitive personal information
A subset of personal data is categorised as especially sensitive, the so-called special categories. Processing of this data is prohibited in principle and is only permitted under specific exceptions, such as the explicit consent of the data subject or a legal basis that requires it, and it must be handled with the utmost care, guarding the data subject's interests throughout. Demanding information of this kind may only be done where the law supports it. The category includes data on health, trade union membership, religious or philosophical beliefs, racial or ethnic origin, political opinions and sex life or sexual orientation. The new regulation adds genetic data and biometric data used to identify a person (e.g. fingerprints and eye scans) to this category.
The new General Data Protection Regulation alters the way personal information is treated. Personal information will no longer be a resource that companies can exploit freely; as it has been pointed out, the internet is 'written in ink, not pencil', and it is high time to start exercising caution in the treatment of personal information. Many companies and institutions have made plans for the introduction of the regulation, while others have done little or nothing to prepare and may be hoping for lenience or grace periods. Personal information will now be a limited resource and must be managed as such. Meeting the increasing demands on personal data protection can be compared to the growing pains suffered during the advance of information technology in the 1990s and early 2000s. The development of properly managed data continues, but now with heightened consideration for the data subjects' personal interests, and that is good news for all.
This article was first published in Morgunblaðið on February 5th 2018.
About the author, Svana Helen Björnsdóttir:
Executive Chairman and founder of Stiki in 1992.
Senior consultant in various IT projects for the Icelandic government, health sector and private sector. Responsible for business development within Stiki.
Supervisor for the Icelandic Data Protection Authorities in various projects involving secure processing of personal data.
Experienced Information systems analyst and designer with focus on information security, integrity, availability, confidentiality and traceability within information systems and application of international standards. Co-designer and users’ mentor of Risk Management Studio® in implementation projects of information security in various companies.
Lecturer and presenter in international venues on issues of operational risk, IT risk, IT security and quality of information processing.
Business consultant and teacher in the use of a number of ISO standards and integration of standards in management systems.
Author of specialist reports for Icelandic Data Protection Authorities about secure processing of personal data in medical research projects.