May has already come, and from 25th May, personal data management will undergo some changes. Are you familiar with GDPR? Do you know what this is all about? Well, there are some obvious answers that may come to mind, and there are many valuable benefits behind this new regulation. Let’s start from the very beginning.
How did it come about?
We all live in the digital world, where data collection is an element of everyday life. The problem is that not many of us really trust online companies, and what we hear around us doesn’t help. Do we really know what is going on with our personal data? Where is it stored and what is it used for? Is our personal data safe? What does it mean that personal data is safe? These doubts are justified when we look at the last 2 decades, in which a number of new forms of communication and other online activities have appeared, bringing us closer to an e-society. In this rapidly changing environment, people deserve to have full knowledge of, as well as effective control over, their personal data. We should all perceive the protection of personal data as a crucial value in the way we do business, not only for legal reasons, but especially for the most important value: trust.
What is the change?
GDPR is trying to respond to this need. It is rather an evolution of the existing general regulation (based on the EU Directive), but due to different standards of its implementation in each EU country, it can be a significant challenge, especially for the controllers who operate on other liberal local markets. One of the most important goals of the regulation is to create a consistent standard by laying a clear foundation for the processing of personal data: common principles (Article 5), named as transparency, purpose limitation, data minimization, accuracy, storage limitation, data integrity and confidentiality. These 5 common rules in practice put companies that until now have had different approaches to personal data protection on an equal footing.
By following these rules, we, as a GDPR-compliant company, are obliged to:
- obtain and process the personal data in a fair manner - giving people clear and legible information,
- ensure that the data is adequate, relevant and not excessive,
- keep and process data only for specific and lawful purposes,
- keep it safe,
- obtain and keep data that is accurate and up to date, and keep it no longer than needed,
- make the processing transparent and be prepared for data subject requests.
So, coming back to the question: what is this for? It is aimed at helping both parties, people and business, to raise the culture of personal data management. The big day, 25th May, is not going to be just a single event but the beginning of a long-term process. Objectivity will incorporate the process from its very beginning. Privacy by design and by default is something we need to have in our blood to support the growth of this culture and of a healthy e-society, with such small but significant building blocks as:
- clear boundaries,
- minimization of the retention period,
- minimization of the data sensitivity,
- ensuring that users get the maximum privacy at start and no further configuration is needed,
- ensuring that notice is given before or at the point data is collected,
- ensuring access to privacy notices in formats and languages appropriate for the target group and in plain language,
- ensuring customer access,
- ensuring data security through preventive measures.
Another benefit is eliminating the aura of magic that has so far surrounded the catchword “cloud”. Under the GDPR, if personal data is processed in the cloud, the provider is considered a processor, with all the consequences and responsibilities that entails. It also means that controllers will be more demanding, since the controller shall use only processors that provide ‘sufficient guarantees to implement appropriate technical and organizational measures’ to meet the requirements of the GDPR.
Another significant point is that, due to the GDPR approach, companies based outside of Europe will have to apply the same rules when they offer goods or services on the EU market, which is another step towards equality in our e-society.
Although GDPR is a challenge, Objectivity looks forward to contributing to the creation of a new personal data management culture and to co-creating e-society with our clients based on new rules.