Welcome aboard and we wish you a nice (and safe) journey!
In the previous episode, we were discussing preparation for the trip and… for personal data processing. I explained why it is important to know where, how and with whom you plan to spend your time, and of course for how long.
Nobody likes to carry a heavy backpack!
Packing is probably the most difficult phase of every trip preparation. It would be wonderful to be able to take your favorite coffee maker, beloved bathtub and the entire wardrobe of clothes... you know - just in case. Most of us tend to collect "just-in-case" stuff. Before you pack your backpack, you must think in advance about your trip details. In the case of data processing, the requirements are very clear and... restrictive.
Therefore, when planning your data processing, you must ask yourself whether you abide by the rules of data minimisation and purpose limitation. In practice, you need to answer the following questions:
- Is the data you are planning to collect sufficient for the intended purpose?
- Is the data you are planning to collect adequate to the intended purpose?
- Is the data limited to what is necessary for the intended purpose?
- Is it ensured that the data collected for this purpose will not be used for other purposes?
- Can the data subject object to processing for purposes unrelated to the original purpose for which the information was collected, where you continue processing it on the basis of a legitimate interest of which you have already informed them?
It is also important to determine how you will pack your backpack - will your data be structured or not? Why? Because, as with a backpack, packing is crucial for your comfort, both in terms of weight and ease of access. How the data is ordered directly affects how it is managed and, later on, how you fulfil your obligations to the data subject.
And one more thing… You'll probably be particularly careful about packing your camera and wallet, won’t you? The same applies to data. You need to know if you are only going to process ordinary or also sensitive data. And if you deal with sensitive data, you need to be more cautious.
By the way - what is sensitive data? It is data that relates to particularly sensitive issues, such as:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of unique identification of a natural person
- Data concerning health or a natural person’s sex life and/or sexual orientation.
When planning your personal data processing, you need to remember that GDPR says directly: Processing of (sensitive) personal data (…) shall be prohibited. You should therefore consider whether there are clear grounds for processing sensitive data in your process, i.e.:
- data subjects have given their written consent; or
- it is necessary to provide care to the data subject; or
- it is compulsory under labour law or for the application of social security; or
- the data subjects have made this data public; or
- it is necessary to establish, enforce or defend the law; or
- it is necessary for scientific research.
If so, it's time to answer the following questions:
- Is ordinary data differentiated from sensitive data in collections?
- Is the processing planned so that sensitive data are "touched" only when it is necessary?
To sum up, our backpack should have separate pockets, and one of them (the one for sensitive data) should be very well-hidden inside.
There is also the question of who is carrying the backpack. It's nice if someone relieves us. According to GDPR, you can ask the processor for help. Remember, however, that according to art. 28:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Therefore, when planning the involvement of other entities (data processors) in data processing, you need to consider the requirements that will be imposed on these entities. Paying attention to that aspect during the planning stage (privacy by design!) will allow you, for example, to design the data structure so that the processor can access only the data that is really necessary for the intended purpose.
First aid, insurance... - safety first!
Nobody can deny that security is the most important aspect. How you prepare depends on your destination. When going to the tropics, you will think about vaccinations. A map, compass and GPS are necessary when travelling alone in the mountains and forests. Your experience, destination and other factors will determine how you prepare your trip. The same happens with GDPR - a risk-based approach is applied. It is up to the controller and the processor to choose technical and organisational measures adequate to the identified risk. GDPR does not tell you whether a first-aid kit is enough or if a life policy is needed. When designing your data processing (and already having the answers to the questions above) you can assess the risks and plan protection measures.
You can reach for available solutions, such as:
- pseudonymisation - it is the cheapest and, at the same time, a very effective form of security, or
- encryption, or
- access control.
The following questions will certainly help you:
- Is encryption applied to data at rest?
- Is encryption applied to data in transit?
- Is pseudonymisation applied whenever/ as soon as possible?
- Is access to data under control?
- Is access to data limited to authorized personnel only?
- Is sensitive information restricted in access?
- In the case of third-party access, is there a DPA (data processing agreement) with adequate security measures?
- Is access personally identifiable?
- Is a password policy required?
- Are there any other authentication requirements?
- Are there restrictions planned to control the merging of sensitive data with unprotected data?
- Is there a mechanism planned to give users access to their information to control their data accuracy?
Since we are talking about data security, you also need to think about how you ensure accountability. Remember your obligation to demonstrate that you are processing personal data correctly - and that demonstration takes the form of collected evidence.
If you are going to collect consents, have you planned a mechanism to document their collection? Will you collect logs based on which you will be able to show who, when and on what basis introduced/modified/deleted the data?
The above questions are just examples because when planning your processing, you need to remember that you have to prove, according to the principle of accountability, that you process personal data in a lawful, reliable and transparent way, with data limitation and data minimization, data correctness, proper retention, and finally the integrity and confidentiality of the data being processed.
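The two points above that most often end up in code are pseudonymisation (the "cheapest" measure from the list) and the who/when/on-what-basis evidence that accountability requires. The following is an added illustration, not code from the article: a constructed record is split into an ordinary "pocket" and a hidden sensitive one, both keyed by a keyed-HMAC pseudonym instead of the e-mail address, and the only path to the sensitive pocket writes an audit entry. The field names, the key and the actor/basis strings are assumptions for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record (not from the article): ordinary fields plus one
# special-category ("sensitive") field.
SAMPLE_RECORD = {"email": "anna.example@example.org", "postcode": "00-001", "health": "asthma"}

SENSITIVE_FIELDS = {"health"}          # the well-hidden pocket of the backpack
PSEUDONYM_KEY = b"demo-key-rotate-me"  # hypothetical; keep it in a KMS, never beside the data

AUDIT_LOG = []                         # who / when / on what basis / which record


def pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC rather than a bare hash: without the key the e-mail can be neither
    recovered nor confirmed by guessing, which is what makes this a pseudonym and not
    a thinly disguised identifier. Truncated to 64 bits for readability."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def split_record(record: dict) -> tuple:
    """Separate ordinary and sensitive fields into two stores, both keyed by the
    pseudonym, so a processor that only needs the ordinary pocket never sees the
    direct identifier or the sensitive data."""
    pid = pseudonym(record["email"])
    ordinary, sensitive = {"pid": pid}, {"pid": pid}
    for field, value in record.items():
        if field == "email":
            continue                   # the direct identifier goes into neither pocket
        (sensitive if field in SENSITIVE_FIELDS else ordinary)[field] = value
    return ordinary, sensitive


def read_sensitive(store: dict, pid: str, actor: str, legal_basis: str) -> dict:
    """The only path to the sensitive pocket: every read is recorded with who, when
    and which ground for processing sensitive data was relied on, which is the
    evidence the accountability principle asks you to be able to show."""
    AUDIT_LOG.append({"who": actor, "when": datetime.now(timezone.utc).isoformat(),
                      "basis": legal_basis, "pid": pid, "action": "read"})
    return {k: v for k, v in store.get(pid, {}).items() if k != "pid"}


if __name__ == "__main__":
    ordinary, sensitive = split_record(SAMPLE_RECORD)
    sensitive_store = {sensitive["pid"]: sensitive}
    print("processor sees only:", json.dumps(ordinary))
    print("care team sees:", read_sensitive(sensitive_store, ordinary["pid"], "care-staff-01", "care of the data subject"))
    print(json.dumps(AUDIT_LOG, indent=1))
```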
Finally, you need to think about the backup of the data being processed - it is also an important element of their security. And again, questions that will help you grasp the topic:
- How often do you or your service provider back up your data?
- Does the scheduled frequency reflect how quickly the live data changes?
- Will the planned solutions be regularly tested?
- How does the backup frequency relate to your obligation to retain data, and to the data subject's right to be forgotten?
- And if someone helps you with the backup service, do you have appropriate DPA agreements with data security guarantees?
Exotic trips are fascinating. Nevertheless, when you are going to distant, unfamiliar areas, it’s obvious that you want to feel secure and find out about local customs. Knowledge about the level of safety in a given location can help you make a decision of whether to go there or choose a different destination. If you decide on a certain risk, you need to prepare carefully for such a journey.
Similarly, speaking of GDPR, the issue of transferring personal data to a third country requires special attention. Before transferring personal data to a third country or an international organisation, you need to check whether such a transfer is allowed.
A distinction must be made between safe and unsafe third countries. Safe third countries are those for which the European Commission has confirmed an adequate level of data protection by means of an adequacy decision. If there is no such decision, there is the option of standard contractual clauses or, in the case of transfers within a corporate group, so-called "binding corporate rules". It is also possible to obtain the consent of the person whose data we plan to transfer to a third country.
Therefore, here are several questions that will help you cover the topic:
- Is the transfer to a third country planned?
- Will it be safe?
- Will contractual clauses / corporate rules / entity consent apply?
- Does the information obligation reflect the transfer mechanism?
So that's it, we're ready to go!
A few words of summary. Planning data processing is a sequence of consecutive and consequential steps. However, the most important thing is always to understand the purpose of personal data processing. A well-defined purpose determines whether we will be able to design the processing well. Privacy by design is a very important foundation, without which it is impossible to create a good product or to meet GDPR requirements. And finally, when planning personal data processing, one should think not only about protecting privacy (because that is not enough) but first of all about respecting it.
Now, it is time to wish you a successful and peaceful journey :)