After completing this unit, you’ll be able to:
- Explain the key privacy principles underlying the GDPR.
- Discuss steps that organizations can take to protect personal data.
- Describe the choices the GDPR grants to individuals with respect to their personal data.
Several major principles underpin many of the requirements found in the GDPR. Let’s review them.
Fairness and Transparency
Organizations must always process personal data lawfully, fairly, and in a transparent manner.
When Grande Banque du Nord asks Marie Dubois to register as a client on their website, Grande Banque must clearly notify Marie about what specific information the bank and its website collect from her, and how the bank plans to use that information. For instance, if Grande Banque tracks Marie’s use of its website, Grande Banque must describe such tracking in a privacy notice.
Purpose Limitation
Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that’s incompatible with those purposes.
When Grande Banque asks Marie to register as a client, the bank must notify her about the processing it plans to do with her personal data. Grande Banque must use Marie’s personal data only for the purposes that are described in that notification. For instance, Grande Banque must not sell her information to a home moving company looking for new clients if the privacy notice did not state that Grande Banque shares personal data for this purpose with moving companies.
Data Minimization
Organizations can collect only personal data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.
When Marie downloads and sets up an account on the Grande Banque mobile app, Grande Banque can collect only information that’s relevant to serving Marie. The app must not record her precise location, access the contacts on her phone, or collect information about other apps on her phone. Grande Banque must not ask Marie to provide information, such as her religion or ethnicity, that is not relevant to the service she is requesting (for instance, a mortgage).
Accuracy
Personal data must be accurate and, where necessary, kept up to date.
When Marie fills out a detailed form for Grande Banque in preparation for making an offer on a house, she provides her current salary. Later, when she receives a promotion and a raise at work, she contacts Grande Banque with the news. Grande Banque must update its records to reflect her new salary.
Storage Limitation
Personal data must be kept only for as long as it’s needed to fulfill the original purpose of collection.
Marie discovers that another bank, Petit Crédit du Sud, offers a much lower interest rate. Marie decides to switch from Grande Banque to Petit Crédit, and she informs Grande Banque she is terminating their relationship. Grande Banque must delete all of Marie’s personal data that it has no legitimate need to keep; for instance, information about Marie’s income, savings accounts, and debts.
Integrity and Confidentiality
Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and against accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and the personal data processed, data segregation, encryption (in transit and at rest), pseudonymization, and anonymization are recommended, and in some cases required, to help protect personal data.
As part of the mortgage application process, Petit Crédit asks Marie to fill out a form on its website that asks for detailed and sensitive personal information. Petit Crédit must ensure that the form is served over a secure (HTTPS) page so that the data is encrypted in transit. When Petit Crédit stores that data in its Salesforce instance, it must ensure that access to the data is limited to those Petit Crédit employees who have a legitimate need to access it.
Let’s pause to consider some measures that organizations can put in place to protect personal data.
|Encryption
||Contrary to some reports, the GDPR does not require organizations to encrypt personal data. However, depending on the circumstances, the law encourages encryption as an effective way to help ensure the security and confidentiality of personal data. In particular, the law suggests that encryption may be appropriate for sensitive personal data and for specific types of data managed by highly regulated companies.
|Pseudonymization
||The GDPR encourages organizations to use pseudonymization as a risk-based measure to protect data security and the rights of individuals. Pseudonymization replaces direct identifiers with tokens, with the additional information needed to re-identify the person (the key or lookup table) kept separately and under its own access controls. In certain scenarios, organizations can use pseudonymization as a measure to enable the use of data beyond the original purpose; for instance, pseudonymization may constitute a sufficient safeguard against risks from profiling. However, because the organization can still re-identify the individual, pseudonymized data is still considered personal data under the GDPR.
|Anonymization
||If data is truly anonymized, then the data does not constitute personal data under the GDPR. However, the bar to be considered anonymous is high: no individual may be identifiable from the data by any means reasonably likely to be used, including further processing or combining it with other information. Simply removing names is not enough, because combinations of remaining attributes (such as postcode and date of birth) can still single a person out.
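The difference between pseudonymized and anonymized data is easiest to see on a small table. The following Python is an added example, not code from the original page or from Salesforce; the records, names, and key are constructed for illustration. It tokenizes the direct identifier with a keyed HMAC (an unkeyed hash is shown alongside to demonstrate why it is not a pseudonym), shows that whoever holds the key or lookup table can restore the names, and then runs a linkage attack on the remaining quasi-identifiers to show that a table with the names stripped still singles people out, even after the quasi-identifiers are coarsened.

```python
"""Pseudonymization vs. anonymization on a constructed customer table.

Shows (1) keyed tokenization of direct identifiers, (2) why the key holder
can still re-identify, so the result is personal data, (3) why an unkeyed
hash is not a pseudonym, and (4) why dropping names alone does not
anonymize: quasi-identifiers still single people out.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the people and values are invented.
RECORDS = [
    {"name": "Marie Dubois", "postcode": "75011", "birth_year": 1988, "salary": 52000},
    {"name": "Jean Martin", "postcode": "75011", "birth_year": 1975, "salary": 61000},
    {"name": "Aline Petit", "postcode": "75020", "birth_year": 1985, "salary": 48000},
    {"name": "Paul Roux", "postcode": "75003", "birth_year": 1989, "salary": 57000},
    {"name": "Sophie Blanc", "postcode": "13001", "birth_year": 1988, "salary": 50000},
]
DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("postcode", "birth_year")  # not identifying alone, but in combination


def pseudonym(key: bytes, value: str) -> str:
    """Keyed token (HMAC-SHA256): deterministic for one key, unguessable without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Replace direct identifiers with tokens.

    Returns the working dataset and the token->name lookup. The lookup (or
    the key) must be stored separately from the dataset and under its own
    access controls; otherwise the split buys nothing.
    """
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec["name"])
        lookup[token] = rec["name"]
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"subject_id": token, **stripped})
    return working, lookup


def reidentify(working, lookup):
    """What the key/lookup holder can do at any time: restore the names."""
    return [{"name": lookup[rec["subject_id"]], **rec} for rec in working]


def unkeyed_token(value: str) -> str:
    """An unkeyed hash, a common mistake: anyone can recompute it from a guess."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def dictionary_attack(token: str, candidates):
    """Recover the value behind an unkeyed token by hashing plausible inputs."""
    return next((c for c in candidates if unkeyed_token(c) == token), None)


def linkage_attack(working, known):
    """Match records on quasi-identifiers an attacker already knows about a person."""
    return [r for r in working if all(r[k] == known[k] for k in QUASI_IDENTIFIERS)]


def equivalence_classes(records):
    """How many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in QUASI_IDENTIFIERS) for r in records)


def singletons(records):
    """Records that are unique on their quasi-identifiers, i.e. still singled out."""
    classes = equivalence_classes(records)
    return sum(1 for r in records if classes[tuple(r[k] for k in QUASI_IDENTIFIERS)] == 1)


def generalize(record):
    """Coarsen quasi-identifiers: département (first two postcode digits) and birth decade."""
    out = dict(record)
    out["postcode"] = record["postcode"][:2]
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: randomly generated, held in a KMS/HSM, apart from the data
    working, lookup = pseudonymize(RECORDS, key)
    names = [r["name"] for r in RECORDS]
    print("pseudonymized row:", working[0])
    print("re-identified by key holder:", reidentify(working, lookup)[0]["name"])
    print("unkeyed hash recovered by guessing:", dictionary_attack(unkeyed_token("Marie Dubois"), names))
    print("keyed token recovered by guessing:", dictionary_attack(pseudonym(key, "Marie Dubois"), names))
    print("linkage on postcode+birth year:", linkage_attack(working, {"postcode": "75011", "birth_year": 1988}))
    print("unique rows raw:", singletons(working), "generalized:", singletons([generalize(r) for r in working]))
```

Two points worth taking from the run: the dataset with names removed still returns exactly one record (and its salary) for an attacker who knows only Marie’s postcode and birth year, and even after coarsening to département and decade two of the five records remain unique. That is why stripping names, or even coarsening, does not by itself meet the GDPR bar for anonymization, and why the re-identification table in a pseudonymization scheme needs the same access controls as the original data.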
A data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer where the GDPR requires one, imposing contractual obligations on processors, and applying the principles of “privacy by design” and “privacy by default.” Additionally, a data controller must be able to demonstrate compliance, including by keeping a record of processing activities and by conducting data protection impact assessments where processing is likely to result in a high risk to individuals.
In order to put Marie’s personal data in Petit Crédit’s Salesforce instance, the bank must ensure it has a written agreement with Salesforce addressing the processing of personal data, such as a data processing addendum. Petit Crédit must also keep a record of how and why the bank collected Marie’s information, what types of information it collected, with whom it shared the data, and what security is in place to protect the data.
Here are three methods that organizations can use to operationalize privacy principles into their culture.
|Privacy by Design
||This is the idea that when organizations plan a new processing activity or develop or implement a new product, service, or feature, they must design such activities and products with the GDPR principles in mind, to ensure they put appropriate safeguards in place to protect privacy.
|Privacy by Default
||This is the idea that organizations must always use the most “privacy friendly” default settings when collecting, processing, or storing data. For example, when giving individuals a choice over how much of their data is processed, the default setting should always be the choice with the least amount of processing. When selecting a retention period, the default must be the shortest period that still fulfills the purpose of the processing.
|Data Protection Impact Assessments
||Analyses of new processing activities, carried out before the processing starts, to identify and address privacy risks; the GDPR requires one where the processing is likely to result in a high risk to individuals.
The GDPR grants data subjects a number of rights regarding how controllers handle their data. These rights require controllers to have systems in place to respond to and effectively address data subjects’ requests.
Data Access: Data subjects have the right to confirm with a data controller whether the organization is processing their personal data. If it is, the controller must provide the data subject with information about such processing, including the specific data processed, the purposes of the processing, and the other parties with whom such data has been shared.
Right to Object: Data subjects can in certain cases object at any time to the processing of their personal data, in particular if the processing is for direct marketing purposes.
Data Rectification: Data subjects can request that a controller correct or complete personal data if the data is inaccurate or incomplete.
Restriction of Processing: Data subjects can request that a controller limit the processing of their personal data to storage only, for example while a dispute about the data’s accuracy is being resolved. The controller can flag the records or use technical means to ensure that such data is not further processed by any party until the restriction is lifted.
Data Portability: In certain cases, data subjects have the right to ask a controller to provide their personal data in a structured, commonly used, and machine-readable format (for example, a .csv file) so that they can transmit their own personal data to another company.
Right to Erasure: Also known as “the right to be forgotten,” this right empowers data subjects to request that a data controller delete or remove their personal data in situations such as the following: when the data is no longer needed for the original purpose, when the data subject withdraws consent, or when the data subject objects to the processing and the controller has no overriding legitimate interest in the processing.
So how does an organization actually adhere to these principles and respond to data subject requests? In the next unit, we share our thoughts on the key elements of a GDPR compliance program.