Continuing from Part 1 of this article, which covered the basics of GDPR, this part looks at what it takes for you as a data processor to conform to the GDPR regulations, what rights individuals have, and what steps you need to follow in each case. It should help you understand the principles of GDPR and ensure that the system you design complies with them.
If you are a data processor or data controller (see Part 1 for what a data processor/controller is) with access to the personal data of any individual who is an EU resident, the following principles should be at the heart of your approach whenever you process or hold personal data.
Lawfulness, Fairness & Transparency
You should identify valid grounds for collecting and processing personal data, use the data fairly (that is, in the way you declared you would), and be transparent about what data is processed and how it is processed.
Purpose Limitation & Data Minimisation
The personal data you collect should be adequate, relevant to the purpose for which it was collected, and limited to what is necessary; no excess data should be collected.
Accuracy
You should ensure that all personal data is accurate and kept up to date. Build a rectification process into your data management system so that changes to the data can be applied, or the data erased, when required. The data should never contain misleading information.
Storage Limitation
You should not hold personal data for longer than you need it. Periodic review, retention and erasure of data should be carried out properly. Individuals have the right to have their data erased once you no longer need it.
Integrity & Confidentiality
You should have proper measures in place to protect personal data from unlawful processing and from accidental loss or damage. This is also known as the security principle of GDPR.
Below are the rights that any individual has when they provide personal data to you, and the steps you need to take in each case.
Right to be Informed
Individuals have the right to be informed about what data is collected and how it will be processed. This is one of the key principles (transparency) of GDPR. As a data processor/controller you need to tell individuals the purpose for which the data is processed, how long it will be kept, and who it will be shared with.
Right to Access
Individuals have the right to access their data. They can submit an access request verbally or in writing. Organisations should produce the requested information within one month, although there are exceptions, such as requests that are excessive or repetitive.
Right to Rectification
As with the right to access, individuals have the right to request that any information held about them by the organisation which they find to be wrong is rectified, and the same one-month rule applies.
Right to Erasure
Individuals can request erasure of their data when it is no longer necessary, when they withdraw consent, or in any circumstance where the data is being processed unlawfully or no longer meets a lawful ground for processing.
Right to Restrict Processing
Individuals can request that processing of their personal data be restricted in certain circumstances, such as when they contest the accuracy of the data, or when the information is no longer needed for its original purpose but the organisation needs to retain it to establish a legal claim.
Right to data Portability
This right allows individuals to obtain and reuse their personal data across multiple systems. It applies only to data that the individual has given consent to use.
Right to Object
Individuals have the right to object to the processing of their personal data where that processing is based on legitimate interests or carried out in the exercise of official authority.
Rights related to automated decision making including profiling
There are provisions within GDPR for processing an individual's data automatically, without any human intervention, for example to make predictions about that individual. GDPR adds rules to protect individuals in these cases, including the ability to challenge such processing, and limits the circumstances in which this kind of processing may be carried out.
This brings us to the end of the principles that data controllers have to follow and the rights that any EU individual has when providing personal data to an organisation. These have been explained at a very high level; for each of the rights there are further clauses and extended articles that you may need to refer to. In my upcoming article we will see how best to implement these compliance requirements in Office 365 and Azure. Feel free to leave your comments below.