Click to learn more about author Richard Macaskill.
We all know GDPR is on the way and, to date, most of the articles have been industry-focused, talking about the affect it will have on companies and organizations that gather, hold and process data. I recently wrote about why DBAs should care about it, and advised that you should start your GDPR journey now by finding out where your data is, what exactly that data is, and who is accessing it.
Soon, however, the wind will start blowing from another direction, that of what the GDPR calls ‘data subjects’. People, individuals, your customers, even your own employees. These ‘data subjects’ will wake up to the rights GDPR grants them and realize they should care about it too.
And they should. Yahoo recently admitted that a data breach four years ago leaked the account details of every one of its three billion customers, not the one billion it initially claimed. The head of the intelligence monitoring service in the UK, GCHQ, said just last week that keeping the UK safe from cyber-attacks is as important as fighting terrorism.
GDPR is introducing new rights at the same time that the threats to data are the biggest they’ve ever been. The more leaks and breaches there are, the more your customers will learn that GDPR grants them six specific rights, and the louder they’ll ask how you’re meeting those obligations.
It’s probably a good idea to understand what those rights are, so that you can explain how you’re meeting them.
The Right to Privacy
This is the biggest and the most telling. GDPR requires that data protection safeguards are integrated into products and services from the earliest stage of development, with privacy always the default option. Privacy by design will become a legal requirement, and only data absolutely necessary will be allowed to be held and processed.
The Right of Consent
Organizations will no longer be able to process the personal information of individuals unless they have been freely given a specific, informed and unambiguous indication of consent, either by a statement or by a clear affirmative action. Long terms and conditions worded in complicated legal language will no longer be accepted. Instead, clear and plain language will be required, as well as making it as easy to withdraw consent as it is to give it.
The Right of Access
This right is all about transparency and means that individuals have the right to be informed when data is collected about them, where from, what it is, and for what purpose. It goes further. A copy of all of the data held also has to be provided, free of charge, on request, in electronic format.
The Right to be Notified
GDPR requires organizations holding data on individuals to notify them if a data breach is likely to result in a risk to their rights and freedoms. This also has to be done within 72 hours of discovering the breach. This sounds innocuous, but think of what happened to Yahoo, and then try and calculate the cost of notifying millions, possibly billions of customers, in such a short time-frame.
The Right to Transfer Data
GDPR brings portability to data, giving individuals the right to have their data transferred elsewhere in a ‘structured, commonly used, machine-readable and interoperable format’. It doesn’t go further in specifying the format, but it does raise the issue that sectors like banks and utility companies will probably need to agree a common format to avoid confusion.
The Right to be Forgotten
The big one. From next May, Individuals will have the right to request that their personal data is erased without undue delay, and no longer disseminated or processed by third parties. This is not an unlimited right, but must be balanced against legal freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims. Expect confusion here, and probably a court case or two to establish its boundaries.
Now is a good time to think about the kind of personal data your company or organization processes, and how you’ll answer questions from customers when they become aware of their new rights.
This is the second post in a series about GDPR. In my next post, I’ll be talking about what Privacy Impact Assessments are, how you complete them, and why they’re the first concrete step you need to take now.