There is probably no industry vertical that can afford to ignore data privacy needs, or remain blissfully impervious to the requirements of the diverse privacy laws on the different continents. The purposes for which you collect personal information can prove a non-compliance minefield if you are not careful. Consider the plight of a tech giant like Microsoft, which has had to fork out $20 million for violation of the U.S. Children’s Online Privacy Protection Act.
Geographic location matters: if your organization, even one related to public administration, has branches, outlets, or customers anywhere in the European Union (EU), then you cannot afford to ignore the requirements of the General Data Protection Regulation (GDPR) ― especially if you need to collect the personal data of individuals. As with all data protection legislation, GDPR makes it mandatory for any entity collecting personal data to have safeguards in place to protect it.
GDPR Is All About Data Privacy of the Individual
For over two decades ordinary people found that their personal information was available to just about any and every marketing company, so the enactment of the General Data Protection Regulation (GDPR) came as a welcome relief to all individuals living within EU jurisdiction. Unfortunately, in the USA, data protection is still largely focused on healthcare and financial institutional operations. GDPR has gone several steps further by limiting not only how much personal data of an individual can be collected, but also the purpose for which it is collected and how long such data may be retained, so as to ensure fair and lawful processing.
In this respect, it is vital to note the 7 data protection principles under GDPR:
1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability
Secure Data Processing Is a Fundamental Right of the Individual
The European Parliament deemed the protection of natural persons in relation to the processing of their personal data a fundamental right. Therefore, it declared that every piece of personal data must be collected lawfully, fairly, and transparently. It also declared that protection of fundamental rights is vital to assure the free flow of personal data among member states and to strengthen the convergence of economies within the European Union. A universal truth is that new challenges to keeping data secure are constantly emerging as technologies evolve. Globalization has led to governments and companies acquiring, processing, sharing, and storing data at unprecedented levels, including the processing and analysis of personal data for profiling to predict behaviors. Whenever such data is being processed, there should be watertight arrangements to assure its security.
Protections When Outsourcing the Processing of Data
When processing is outsourced ― in part or entirely ― a legally enforceable agreement must be drawn up between the two parties to ensure that the processing meets GDPR standards. If any piece of personal data becomes inaccessible (temporarily or permanently), is wrongly modified, is viewed by an unauthorized person, or is accidentally (or maliciously) disclosed to someone who lacks the relevant permission, that constitutes a data breach which must be brought to the notice of the authorities while mitigation measures are set in motion. Like HIPAA, GDPR also requires breach notification: the Data Protection Authority (DPA) must be notified without undue delay, and at the latest within 72 hours after having become aware of the breach.
Limitations on Personal Freedoms, and Reasons for Sharing Personal Data
The right to protection of personal data is not an absolute right, but needs to be regarded in relation to how the data is going to be utilized ― the degree to which society will benefit from such information ― and whether withholding it would infringe upon, or act adversely on, the rights and freedoms of others. In this respect it is vital to keep in mind that public administrations need to collect personal data to appropriately discharge their duties in the public interest, especially during times of crisis, as happened during the recent pandemic. However, individuals must be informed before such data is collected: who is collecting it, for what purpose, who will read it, and what kinds of safeguards have been put in place to assure data security.
No Data Protection for Criminal Offences
Individuals should not expect to be able to take cover behind such data protections when investigative authorities probe criminal offences. Articles 12 to 15 of Directive 2000/31/EC of the European Parliament are intended to protect individuals, providers, and users of personal data. GDPR does not supersede or prejudice the application of these provisions, especially those concerning the liability of the intermediary service providers who process, store, analyze, and/or utilize such data. For example, if any information is illegal, or infringes upon privacy, then access to that data should be disabled. Ideally, it should be removed completely.
Keep in Mind the Sanctions You Might Face for Non-Compliance
Cross-border sharing of personal data increased significantly due to market activities spurred by the social and economic integration that followed the emergence of the European Union as an economic and political entity. This created the need for a more coherent data protection framework, one which assures individuals greater control over their personal data, especially individually identifiable information. The Regulation defines the kinds of sanctions to be imposed on those who fail to protect the confidentiality and integrity of personal data, while expecting member states to ensure compliance by making such sanctions equivalent. Also, don’t forget that the protections afforded by GDPR to natural persons apply regardless of their nationality, their place of residence, and the kind of technology used to collect, process, and store personal data ― whenever such data is being collected for economic activity rather than for a purely personal or household activity.
Right to Be Forgotten
What sets GDPR apart from other data privacy legislation is the provision which gives the natural person the right to be forgotten. An individual may request that specific personal data which was shared for the conclusion of a transaction be erased at the earliest, as guaranteed under Articles 17 and 19 of GDPR. This right to erasure is an important aspect of the limitation of purpose and storage time, as well as of transparency in the collection and processing of the personal information of natural persons. It is intended to prevent search engines from displaying old personal information which is publicly available. However, it applies only to information which is held by a data processor at the time such a request is made. It does not guarantee prompt erasure of data which might be shared in the future.
Other Rights Guaranteed Under GDPR
The basic rights which natural persons are guaranteed under GDPR include the right of access ― the individual should be able to access data which has been shared for commercial and/or administrative purposes ― and the right to rectification ― if there has been any minor or substantive change in the data, it should be corrected in the records. As an individual, you have the right to object to the collection of certain data, and to object to being subject to decisions based on automated processing. A natural person also has the right to data portability, and may restrict processing.
Compliance Is Non-Negotiable
GDPR is not restricted to only those who reside in, or operate within, the EU area. Even if the controller or the processor of the data resides or operates outside the EU, if it is accessing the personal information of someone who lives and works in the EU, then that processor or controller is subject to the provisions of GDPR and must be compliant.
Key Takeaways
- No industry vertical can afford to ignore data privacy needs or remain blissfully impervious to the requirements of the diverse privacy laws on the different continents.
- GDPR makes it mandatory for any entity collecting personal data to have in place safeguards to protect it.
- GDPR limits how much personal data of an individual can be collected, the purpose, and for how long such data may be retained to ensure fair and lawful processing.
- GDPR recognizes that secure data processing is a fundamental right of the individual. It also grants individuals the right to be forgotten.
- A natural person also has the right to data portability, and may restrict processing.
- Under GDPR, the Data Protection Authority (DPA) must be notified without undue delay, and at the latest within 72 hours after having become aware of a breach.
- GDPR defines the kinds of sanctions to be imposed on those who fail to protect the confidentiality and integrity of personal data.
- No data protection for criminal offences.
Still in doubt, or in need of guidance or immediate assistance?
Contact us at (+91 733-113-2288), or write to us at (service@friggp2c.com | friggp2c@gmail.com).
Also, check out our services like Vulnerability Assessment, Penetration Testing, Code Review, Testing as a Service, and Risk Management on our website www.friggp2c.com.
We are determined to work with and for you and make your organization one of the safest business organizations for you, your customers, and all prospective clients.
About the Author
Amit Sarkar (amit.sarkar@friggp2c.com) is the Founder of Frigg Business Solutions at Sheridan, Wyoming, USA, and Hyderabad, Telangana, India. He is a seasoned writer whose multiple articles have been published in HCCA and SCCE. He is a former CEO of a US healthcare regulatory compliance service organization, and a senior global leader in HIPAA Compliance, IT Security, Risk Management, and Compliance Governance.