The 25thof May 2018 is approaching fast and from that date onwards, organisations must be GDPR proof. GDPR is the acronym for General Data Protection Regulation, the new legislation from Brussels. At present, consumers must prove that their data have been misused, whereas under the GDPR the burden of proof shall lie with organisations. Organisations are currently asked to use customers’ data cautiously. The balance in terms of right to privacy must be redressed. By means of the ‘privacy by design’ approach, when starting a new system or functionality, privacy must be taken into account.
Privacy by Design
Privacy by Design means that privacy must be guaranteed. Personal data must be handled with care. This should be actively enhanced with existing and/or new functionalities or technologies – the so-called ‘privacy enhancing technologies’ (PET). Customer data are stored in many systems, but to what extent is this still monitored, to what extent is this still necessary and are these data up-to-date?
The time of capturing as much information as possible is behind us. Whereas in the past it was more the rule than the exception that as much information as possible was captured about customers, we should now be asking what value that amount of information would actually add. Especially not only from the point of view of maintainability. What are the hobbies, which seminars have been participated in, which route does the relevant customer walk through the shop, etc. are just a couple of examples and these are cases where the data fall under the heading of ‘privacy’. It should continually be asked what value is added by these data. Data may now only be recorded with the consent of the relevant person.
Organisations are being forced to reduce the amount of personal data captured. Large amounts of data are requested and stored, but after just a few months are no longer up to date and can therefore no longer be used. Customer-specific data are becoming ever more transient. Not the factual information, but the interpretation of various sources of information and the correlation can be used at the right time. The less information pertaining to customers captured, the better. Less is more!
By means of Privacy by Design, an approach is chosen to process and store customer data safely throughout the design and execution process (of a system or project). Only the information relevant to the process is captured and that is allowed. This not only applies when building a new system that uses or captures personal data; but also give thought to using the data already available for new purposes at a later stage. There is also a reporting requirement if data are leaked.
There are many advantages from choosing Privacy by Design. Of course, the legal requirements of the General Data Protection Regulation must be complied with, but this also raises awareness within the organisation regarding careful handling of privacy-sensitive data. Customer data must be safe within an organisation.
Any issues that arise can be identified and addressed at an early stage. This will prevent the issue from worsening and ultimately huge efforts being required to resolve the issue. Also think of the role of the Data Protection Officer; an important element in ensuring GDPR compliancy.
With the help of the Privacy Impact Assessments (PIAs), privacy risks in a project will become transparent quickly. This enables immediate action to be taken to balance out or prevent sizeable risks and costs at an early stage.
Various existing systems have limitations and are therefore not GDPR compliant. Various organisations are working towards becoming GDPR compliant on time.
Legislation already exists and this must be complied with as from the 25th of May 2018. We have to wait for the first case law to obtain a clearer picture of how it has to be translated to everyday practice. But more attention and diligence in respect of privacy has definitely been accomplished.