Who will get control of personal data after GDPR?
Thursday, January 11, 2018 by Ales
Who do we trust our personal data with?
More rights for users
Data will still be collected and stored, but there are important changes to how consent is given, and subjects will gain the right to withdraw that consent. Moreover, requests for consent will have to be written in clear and plain language.
Other important rights will include:
- Breach notifications become mandatory in all member states where a data breach is likely to result in a risk to the rights and freedoms of individuals; the supervisory authority has to be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach.
- We as subjects will have the right to demand confirmation from data controllers of whether personal data about us is being processed and for what purpose. A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data erasure, or the right to be forgotten, entitles each subject to request that the data controller erase their personal data, cease further dissemination of it, and have third parties halt further processing of it.
- Data portability means that the subject has the right to receive the personal data concerning them in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller.
- The concept of privacy by design has existed for some years, but only with the GDPR does it become a legal requirement. It means that data protection is built in from the outset of designing a system rather than bolted on afterwards. The concept of data minimization is added alongside it: controllers should hold and process only the data necessary to fulfil their duties, and should restrict processors' access to personal data to what the processing actually requires. To clarify, a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
What is expected to be done?
GDPR is much more than a set of technical solutions. It has deeper and broader implications that extend to the organizational, legal and process levels. There are no shortcuts to GDPR compliance, but it shouldn't be overly complicated either. There isn't, and probably won't be, a single generic solution that covers every need; each Drupal website will need a tailored solution. That said, further work on the Drupal GDPR module is to be expected, with new features added over time. Its download count is still quite low, so we will have to wait and see how it develops.
The list of what to do to become compliant is extensive. Instead, I will focus on what not to do, the practices you should avoid at all costs:
- Users consent to a defined set of purposes for which their data will be used. Don't use the data for purposes they haven't agreed to.
- Collecting too much information about your users can itself be a violation. Collect only the data you absolutely need. If you are not delivering goods to someone, you probably don't need their home address.
- Logging personal data is another item on the not-to-do list. Getting personal data out of log files is a hassle, but you need to find a way: either don't write it in the first place, anonymize it as it is written (for example by truncating IP addresses), or keep the retention period short. Personal data includes IP addresses.
- Don't assume third parties are compliant. As the controller you remain responsible for the processors you send data to: choose only those that give sufficient guarantees, put a data processing agreement in place with each of them, and remember that a breach at one of them is your problem too.
- Having an ISO 27001 certification is a good start, but it doesn't guarantee compliance. Other measures and activities also need to be taken into consideration.
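The log-scrubbing point above is easier to act on with a concrete filter. The following is an added example, not code from the original post or from the Drupal GDPR module: a small Python filter that truncates IPv4 addresses to their /24 and IPv6 addresses to their /48 (zeroing the host bits, so the line no longer identifies a single subscriber but stays useful for coarse geolocation and abuse-pattern analysis) and redacts e-mail addresses. The log lines are constructed for the example; the prefix lengths and the `[redacted-email]` placeholder are assumptions you can tune.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample log lines (not real traffic): two Apache-style access
# log entries and one Drupal watchdog-style line containing an e-mail address.
SAMPLE_LOG_LINES = [
    '203.0.113.57 - - [11/Jan/2018:10:15:32 +0100] "GET /user/login HTTP/1.1" 200 5123',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [11/Jan/2018:10:16:01 +0100] "POST /contact HTTP/1.1" 302 0',
    'user: login attempt for alice.example@example.org from 198.51.100.7 failed',
]

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Deliberately permissive: hex groups joined by at least two colons. Timestamps
# such as 10:15:32 also match, so every candidate is validated with ipaddress
# below and left untouched when it is not a real address.
IPV6_RE = re.compile(r'[0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7}')
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
EMAIL_PLACEHOLDER = '[redacted-email]'  # assumed placeholder text


def truncate_ip(candidate: str, v4_prefix: int = 24, v6_prefix: int = 48) -> Optional[str]:
    """Zero the host bits of an IP address, keeping only the given prefix.

    Returns None when `candidate` is not a valid IP address (e.g. a timestamp
    that merely looks like one), so the caller can leave that text alone.
    """
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def scrub_line(line: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Anonymize IP addresses and redact e-mail addresses in one log line."""

    def replace_ip(match: "re.Match") -> str:
        truncated = truncate_ip(match.group(0), v4_prefix, v6_prefix)
        return truncated if truncated is not None else match.group(0)

    # IPv6 first: once an address is truncated it contains no dotted quads,
    # and the IPv4 pattern cannot match inside an IPv6 address anyway.
    line = IPV6_RE.sub(replace_ip, line)
    line = IPV4_RE.sub(replace_ip, line)
    return EMAIL_RE.sub(EMAIL_PLACEHOLDER, line)


def scrub_lines(lines: List[str], **kwargs) -> List[str]:
    """Apply scrub_line to every line; suitable as a pipe stage before the log sink."""
    return [scrub_line(line, **kwargs) for line in lines]


if __name__ == "__main__":
    for original, scrubbed in zip(SAMPLE_LOG_LINES, scrub_lines(SAMPLE_LOG_LINES)):
        print(scrubbed)
```

Run it in front of the log sink, not after the fact: anonymizing at write time means the raw address never reaches disk, which is far easier to defend than periodically rewriting rotated files. Two caveats: a truncated address combined with a user ID or session cookie on the same line can still single out a person, so scrub those fields too or don't log them; and replacing the address with a keyed hash (HMAC) instead of truncating it is only pseudonymisation, because whoever holds the key can still link the entries.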
Websites will have to comply with the new regulation and (re)consider how they gather data, for what purpose, and how they store it. This could involve a substantial amount of work and database changes. But because the fines for non-compliance are high (up to 4% of annual worldwide turnover or 20 million euros, whichever is greater), the investment will have to be made.
If you have a Drupal website and clear guidance about what needs to be changed, but are unsure how to make the necessary technical and development changes, please get in touch and see how we can help.