An IT architect perspective on GDPR – part II

GDPR Requirements


Requirement Description Article
Right to be forgotten Private individuals have the right to ask you to erase all of their data from your systems. Your are obliged to do so, unless this contradicts another local regulation that supersedes GDPR Article 17
Rights of access The given subject has the rights to ask you what personal data you are holding and how they are processes and shared with others. And also,  how the data was acquired. This is applicable for both customers and employees of an enterprise. Article 15
Data portability Subjects has the rights of transferring the data from one provider to another, without being prevented to do so by a data controller. The data must be provided by the controller in a structured and commonly used open standard (XML, PDF, JSON) Article 20
Data protection by design and by default Ensure processes and procedures are in place to embed privacy into any new project. You have to abide by data minimization principle, data pseudo anonymisation. By default, data shall be made available only to whose are entitled (by process or procedure) to work with it and an audit trail must be kept. Article 25, 35
Geographic extent of your data processing Check if you use third party data processors and if you (or the entities which are processing data on your behalf)  transfer data outside EU Articles 44-50
Record of processing You have to identify and  keep a detailed record of data processing activities, including purpose of processing, data categories and description, security measures and a comprehensive data flow map (data lineage) Article 30
Data protection officer You have to appoint a Data Protection Officer. The person who covers this role can be an employee or an external consultant. The recommendations are that a DPO should be from Legal, Compliance or IT areas, with a focus on the legal side. This role should work closely with business, CIO and Chief Data Officer Articles 37-39
Data breaches Under GDPR, you, as data controller, have the legal obligation to notify the Local Supervisory Authority without undue delay. A data breach must be reported within 72 hours after being aware of it. If, from the data that has been breached, private individual can be identified, then you also have the obligation of notifying them. Articles 3334
Data retention Data can only be retained for as long as necessary for the purpose for which it was obtained, let’s say for the entire duration of the contractual obligations. However, the retention period can be prolonged if there are any other regulations that supersedes GDPR (example; 7 years retention period for data after you have close the business relationship with a bank).

For each category of data, you have to have a well defined retention period, before deleting or anonymizing  the data. Think of call recordings in a call center. For those recordings you have to specify an amount of time to keep them.

You can’t keep everything for an undefined period of time or forever.

Article 5
Privacy Impact Assessment – PIA Every new project involving personal data must undergo a PIA. The results will have to show what impact the new project, technology, application, process will have on individuals and to ensure GDPR compliance. Article 35
Profiling You have to have the individual consent for profiling or put it under lawful data processing. Article 22
Lawful data processing

Under GDPR, there are several lawful criterias under which personal data can be processed:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • processing is necessary for compliance with a legal obligation to which the controller is subject
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Children If you collect and / or process personal data of children, then you have to obtain a consent. Consent for children must be given by the child’s parent or custodian and be verifiable. Article 8
Data security

Security has to be appropriate to the risks of individuals if data was lost, stolen or disclosed to unauthorized persons.

On other words, security measures have to be tailored to the risk, for the private individual, of if his data would be breached.

Security covers all aspects of an organisation (people, processes, systems)

Things to be taken into account:

  • Pseudo anonymisation
  • Encryption (at rest / intransit)
  • Ongoing integrity
  • Ability to restore data in timely manner
  • Processes for testing security

Article 32
Governance

One of the key principles of GDPR is that any organisation have to place personal data governance in the center of their activity.

Enterprise wide it is important to raise awareness about data privacy and make it into the mindset of the people who are working with data.

 

  • Develop and / or document your Privacy Governance Model, with clear roles and responsibilities, to embed privacy into organisation
  • Appoint a DPO
  • Training for all personnel
  • Review insurance policies  and update them if necessary, in the light of new increased fines
  • Establish a clear procedure for notifying a data breach

Article 5, 27, 37-39
Accountability

In GDPR era you have to have documentation, to prove how are you GDPR compliant. GDPR compliance should be integrated in audit framework to ensure that all policies are working

 

You need to implement an enterprise wide data protection policy

Article 5, 24, 25, 30
Consent

Where consent is used as the basis for data processing, consent must be explicit given for data collected and for the purpose of the processing.

GDPR imposes new requirements for a valid consent. You can no longer use a 20 pages document, full of jargon that nobody reads or worse, understands, but are required to sign if they want the services you are providing.

The consent must be in a clear, eligible form and language and must be given freely, with no “coercition”.

Under GDPR, any privacy note must state the processing ground you are relying upon and if rely on legitimate interest, state the nature of it.

Article 4, 7

End of part II