Pieter Rijlaarsdam
GDPR (General Data Protection Regulation) is the ‘new’ European Union law on data protection of European citizens.
Considering the digitization of information over the past decades and the increased power of the internet, it should come as no surprise that governments act on behalf of the citizens to protect their privacy.
The GDPR protects EU citizens through a set of rights around personal data, backed by a penalty for violations of up to 4% of annual global turnover or €20.000.000. This indicates the seriousness of the ‘new’ law.
The GDPR describes actions and principles which companies must implement, such as:
Data Protection Officer
Breach Notification
Data Portability
Right to Access
Right to be Forgotten
In practice
So much for the theory. In practice, some measures can be implemented easily, such as appointing the DPO and implementing a process for Breach Notification.
But what about ‘Data Portability’, the ‘Right to Access’ and the ‘Right to be Forgotten’? These can be somewhat difficult in practice.
Right to Access
Let’s start with the ‘Right to Access’. Someone knocks on your customer service door and says ‘Tell me what you know about me’.
First, the person should be identified (to prevent the request itself becoming a data leak).
Then all information on the individual should be gathered and presented.
But how do you know what ‘all’ information is? And what if other individuals are also contained in the same data record?
Also be aware that information can be scattered over several systems in your landscape. Should a process or a system gather all information based on a set of keys?
What if a person says he owns a certain email address: is it safe to conclude that all information related to that email address is subject to the inquiry? Not many companies have a clean golden record on their customer.
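The three steps above (verify the requester, resolve the identifiers each system uses, gather and redact) as an added example; this is not code from the original post. It assumes three small in-memory "systems" that key the same person differently, a one-time code sent to the claimed mailbox as the identity proof, and constructed sample data. Third parties who appear in a shared record (other participants on a support ticket) are redacted rather than disclosed.

```python
"""Subject access request handler (added example, constructed data)."""
import hmac

# Constructed sample systems: each one keys the same person differently.
CRM = {
    "C-1001": {"name": "Alice Example", "email": "alice@example.com",
               "phone": "+31 6 0000 0001"},
    "C-1002": {"name": "Bob Example", "email": "bob@example.com",
               "phone": "+31 6 0000 0002"},
}
SUPPORT = {
    "T-77": {"customer_id": "C-1001", "subject": "Router keeps rebooting",
             "participants": ["alice@example.com", "carol@example.com"]},
    "T-78": {"customer_id": "C-1002", "subject": "Invoice question",
             "participants": ["bob@example.com"]},
}
WARRANTY = {
    "W-5": {"email": "alice@example.com", "product": "Router X1",
            "expires": "2026-01-31"},
}


def verify_identity(claimed_email: str, presented_code: str, issued: dict) -> bool:
    """Step 1: the requester proves control of the address they claim.

    `issued` maps email -> one-time code previously sent to that mailbox
    (assumed mechanism). Constant-time comparison avoids leaking the code
    through timing differences.
    """
    expected = issued.get(claimed_email)
    if expected is None:
        return False
    return hmac.compare_digest(expected, presented_code)


def resolve_keys(email: str) -> dict:
    """Step 2: map the verified email to the keys each system uses.

    Without a golden record the linkage is built per system; here the CRM
    record is the anchor and the other systems are linked through it.
    """
    customer_ids = [cid for cid, rec in CRM.items() if rec["email"] == email]
    return {"email": email, "customer_ids": customer_ids}


def gather_subject_data(keys: dict) -> dict:
    """Step 3: collect everything linked to the keys, redacting other people
    who appear in the same record (co-participants of a ticket)."""
    email = keys["email"]
    result = {"crm": [], "support": [], "warranty": []}
    for cid in keys["customer_ids"]:
        result["crm"].append({"customer_id": cid, **CRM[cid]})
    for tid, ticket in SUPPORT.items():
        if ticket["customer_id"] in keys["customer_ids"]:
            safe = dict(ticket)
            safe["ticket_id"] = tid
            safe["participants"] = [p if p == email else "[redacted third party]"
                                    for p in ticket["participants"]]
            result["support"].append(safe)
    for wid, w in WARRANTY.items():
        if w["email"] == email:
            result["warranty"].append({"warranty_id": wid, **w})
    return result


def handle_access_request(claimed_email: str, code: str, issued: dict):
    """Full flow: refuse (return None) unless identity is verified."""
    if not verify_identity(claimed_email, code, issued):
        return None  # nothing is disclosed to an unverified requester
    return gather_subject_data(resolve_keys(claimed_email))


if __name__ == "__main__":
    issued_codes = {"alice@example.com": "483920"}  # constructed
    print(handle_access_request("alice@example.com", "483920", issued_codes))
```

The decision to anchor on the CRM record is the weak spot the post points at: if two CRM records carry the same email address, both are returned, and a company without a clean golden record has to decide whether that is correct before answering.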
Right to be forgotten
Then the ‘Right to be Forgotten’. This part is based on the ‘Privacy by Design’ principle, where you only store the data that is considered relevant for the process you have gathered it for. So, if you store an email address or telephone number for the purpose of service or warranty, the email address and telephone number should be erased after the service or warranty period has passed. This would be a pretty straightforward case.
But what if there are multiple business rules on a single piece of information? Some might require the information to be kept, and others might require the information to be forgotten. This can be complex.
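One way to make that conflict explicit in code, as an added example that is not from the original post: every rule that applies to a field is recorded with its purpose and the date until which it requires retention, and a field is erased only when no rule still requires it. The precedence (an unexpired retention rule blocks erasure, and the field is erased once the last such rule lapses) is an assumption of this example, as are the field names, rules and dates.

```python
"""Erasure decisions under competing business rules (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    field: str               # which piece of personal data the rule covers
    purpose: str             # why it is held
    keep_until: Optional[date]  # None: no fixed retention, erasable on request


# Constructed record and rules. The email address is covered by two rules:
# one that requires retention (warranty) and one that does not (marketing).
RECORD = {"name": "Alice Example", "email": "alice@example.com",
          "phone": "+31 6 0000 0001"}
RULES = [
    Rule("email", "warranty", date(2026, 1, 31)),
    Rule("email", "marketing", None),
    Rule("phone", "service contract", date(2024, 6, 30)),
    Rule("name", "invoice retention", date(2031, 12, 31)),
]


def decide(field: str, rules: List[Rule], today: date) -> Tuple[str, List[str]]:
    """Return ("erase" | "retain", reasons that block erasure).

    Assumed precedence: a rule with an unexpired keep_until blocks erasure;
    rules with keep_until None never block.
    """
    blocking = [r for r in rules
                if r.field == field and r.keep_until is not None
                and r.keep_until >= today]
    if blocking:
        return "retain", [f"{r.purpose} until {r.keep_until.isoformat()}"
                          for r in blocking]
    return "erase", []


def apply_erasure_request(record: Dict[str, str], rules: List[Rule],
                          today: date) -> Tuple[Dict[str, Optional[str]], Dict]:
    """Handle a 'forget me' request: erase what may be erased and log why
    the rest is kept, so the answer to the person is explainable."""
    updated: Dict[str, Optional[str]] = dict(record)
    log = {}
    for field in record:
        action, reasons = decide(field, rules, today)
        log[field] = (action, reasons)
        if action == "erase":
            updated[field] = None
    return updated, log


def sweep_expired(record: Dict[str, str], rules: List[Rule],
                  today: date) -> List[str]:
    """Privacy by design: fields whose every purpose had a fixed end date
    and all of those dates have passed should be erased without a request."""
    due = []
    for field in record:
        applicable = [r for r in rules if r.field == field]
        if applicable and all(r.keep_until is not None and r.keep_until < today
                              for r in applicable):
            due.append(field)
    return due


if __name__ == "__main__":
    today = date(2025, 3, 1)  # constructed "now"
    updated, log = apply_erasure_request(RECORD, RULES, today)
    for field, (action, reasons) in log.items():
        print(field, action, reasons)
    print("auto-erase due:", sweep_expired(RECORD, RULES, today))
```

With the constructed date of 1 March 2025 the phone number is erased (its only rule lapsed in 2024), while the email address and name are retained with the blocking purpose and date recorded; once the warranty rule lapses the email address becomes erasable on the next request. Keeping the reasons in the log is what lets customer service give a concrete answer instead of a flat refusal.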