The GDPR has already generated a fair amount of controversy, court cases, and millions in fines. The protection of data and privacy has become even more important during the COVID-19 pandemic.
This blog post takes a close look at the most pressing questions about GDPR compliance for businesses, as well as the concerns arising around GDPR enforcement during the coronavirus lockdown.
The General Data Protection Regulation (GDPR) is a legal instrument of the European Union (EU) for the protection of personal data and privacy in the EU. It came into force on 25 May 2018 and is expected to become one of the most frequently applied pieces of legislation shaping the activities of IT and telecom companies.
The GDPR has jurisdiction over the countries of the European Economic Area (EEA), which, in addition to all EU countries, includes Norway, Iceland, and Liechtenstein, as well as the territory of Switzerland. Although the United Kingdom has withdrawn from the EU, the GDPR is still in place there and is likely to continue to be enforced for the foreseeable future.
The GDPR defines many legal concepts in the field of personal data protection and privacy. Personal data is any information relating to an individual, including a name, identification number, location data, online identifier, or the physical, physiological, genetic, mental, economic, cultural, or social characteristics of that person. Note that data on legal entities (companies, enterprises, organizations) is not personal data, as it is legally defined as public information.
Under the GDPR, a controller is any person who "determines the purpose of data processing". In most cases, this will be the company that owns the developed product (an online store, an application). In addition to the "controller", the GDPR defines "processors": any other companies or individuals that process data under a data processing agreement with the identified controller.
The COVID-19 epidemic has forced many companies to shut down or ask their employees to work from home. This has created a huge challenge for GDPR compliance, since some companies must now circulate valuable data offsite. Many companies have switched to cloud-based services and protected VPNs, which makes organizing this 'distributed' office functionally easier. However, there are important GDPR provisions to keep in mind. One of them is compliance with the principle of Privacy by Design.
Privacy by Design (PbD) is an approach in systems engineering that builds personal data protection and privacy into the software development lifecycle (SDLC) at the planning stage, rather than adding them at the end of development. The concept of PbD was first formulated in 1995 by Ann Cavoukian, Information and Privacy Commissioner for the Canadian province of Ontario, and has since been refined and adapted by many other countries. Compliance with PbD is one of the major requirements of the GDPR. The PbD principle has also been extended to cover both technical and organizational measures for compliance: all companies are required to keep their data safe by using technical tools (cybersecurity, encryption, data anonymization) as well as by adopting certain organizational protection measures.
Some recent decisions by the EU's national Data Protection Authorities (DPAs) illustrate how these requirements are applied. On 5 May 2020, the Romanian DPA fined a bank for using WhatsApp to send and receive documents containing the personal data of its clients. The DPA found that the bank 'did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing'.
Another case occurred in Denmark. The Danish DPA fined the local governments of two communes for breaching the GDPR. Work computers belonging to the communes, which contained the personal data of 1,600 government employees and 20,000 citizens, were stolen. The DPA established that the data was not sufficiently encrypted and could be accessed illegally by the thieves. This is especially relevant today, when many employees are asked to take their work computers home. The communes had to pay a total fine of $22,000 for violating the GDPR.
So, what measures should companies implement? There is no single list recommended by the EU, but an analysis of the reasoning behind the DPAs' decisions paints a clear picture.
Axon Development Group has experience in delivering GDPR-compliant products. Our developers, analysts, lawyers, and managers are all familiar with the challenges of GDPR compliance and know how to deal with them.