GDPR – INFORMATION SECURITY FOR PERSONAL DATA
The General Data Protection Regulation (GDPR) applies throughout the EU and aims at creating a uniform and equivalent level of data protection, without preventing the free flow of data within Europe. While information security is essentially about protecting all types of information, the Data Protection Regulation deals with the protection of personal data. Unlike traditional information security, additional focus has been placed on protecting individuals’ fundamental rights and freedoms, not just protecting an organization’s interests. However, with sufficient information security work, these interests go hand in hand.
WHEN DOES THE DATA PROTECTION REGULATION APPLY?
The General Data Protection Regulation applies to personal data processing related to the EU, either when the organization processing personal data is established within the EU or when someone outside the EU offers goods and services to persons within the EU or monitors their behavior. The Data Protection Regulation applies to practically all types of processing activities regardless of who performs them. It therefore applies to companies, associations, organizations, authorities and individuals.
WHAT IS MEANT BY PERSONAL DATA AND PERSONAL DATA PROCESSING?
The General Data Protection Regulation applies to the processing of personal data. Personal data means any information relating to an identified or identifiable living person. What matters is that the personal data, on its own or in combination with other data, can be linked to a living person. Examples of personal data include a personal identification number, name or address. In addition, images and sound recordings of individuals can also be considered personal data, even if no names are mentioned. All forms of handling personal data constitute personal data processing, such as collecting, registering, organizing, structuring, storing, processing, altering, producing, reading, using, disclosing, disseminating or otherwise making available, adjusting or combining, restricting, erasing or destroying.
ENCRYPTION AND PSEUDONYMIZATION – IS THE DATA PROTECTION REGULATION STILL APPLICABLE?
Encrypted data and various types of electronic identifiers, such as IP addresses and cookies, still count as personal data if they can be linked to a natural person. Information that has been encoded, encrypted or pseudonymized, but which can be attributed to a natural person with the use of supplementary information, is personal data.
A novelty in the General Data Protection Regulation is that solely following the law is no longer sufficient. If you are responsible for processing personal data, you must also be able to provide sufficient evidence to prove that you are complying with the provisions of the Data Protection Regulation and in what way.
In addition to this accountability requirement, a number of basic principles apply to the data controller:
- having support in the General Data Protection Regulation to process personal data
- only collecting personal data for purposes that are specific, clearly stated and legitimate
- not processing more personal data than what is necessary considering the purpose
- ensuring that the personal data is correct
- deleting personal data when it is no longer needed
- protecting personal data, such as preventing unauthorized access and ensuring that the data is not lost or destroyed
- being able to demonstrate compliance with the Data Protection Regulation and in what way
HOW DO YOU DEMONSTRATE COMPLIANCE WITH THE DATA PROTECTION REGULATION?
You can demonstrate your compliance with the provisions of the Data Protection Regulation in several ways, for example by:
- designating a data protection officer
- providing clear information to the data subjects
- keeping records of, and documenting the personal data processing activities within your organization, including what considerations you have made in relation to the processing
- establishing internal guidelines for data protection (a data protection policy)
- educating the staff
- building privacy-friendly solutions into your systems (so-called built-in data protection, or data protection by design)
- conducting a data protection impact assessment before starting a new personal data processing activity that entails particular privacy risks.
Consider our package solutions for more comprehensive solutions.
Data Protection Officer (DPO)
WHO CAN ASSUME THE ROLE OF DATA PROTECTION OFFICER?
The entity processing personal data must in certain cases appoint a data protection officer. The role of the data protection officer is to monitor compliance with the General Data Protection Regulation, for example by carrying out audits and spreading information across the organization.
A data protection officer may be:
- an employee or a consultant
- a natural person, an organization or a group
- appointed as data protection officer for one or more authorities or companies.
As the complexity of the processing of personal data increases, or the amount of sensitive data that is being processed increases, the amount of expertise required from the data protection officer also increases.
However, a data protection officer should at least:
- possess knowledge of the Data Protection Regulation
- understand the organization’s core business, how the organization processes personal data and how the organization’s information technology and IT security works
- have the ability to spread information and establish a data protection culture within the organization.
The data protection officer should be able to work independently and autonomously, without being influenced by others within the organization. It is therefore important that the data protection officer does not have any other duties that interfere with their role as data protection officer.
An independent position can, for example, be achieved with an external data protection officer.