5 key principles of data privacy that organisations must follow with GDPR
by Richard Porter, UK Sales Manager at Human Inference
The European Union’s General Data Protection Regulation (GDPR), set to come into force from 25 May 2018, has primarily been viewed as a data security challenge.
However, its effects go much deeper. Data privacy means not only securing data, but also ensuring that it is stored appropriately, that customers have access to their data when required, that any data stored is accurate, and that – if requested – data will be removed or transferred.
An organisation that has focused on security to the exclusion of all data management concerns could still find itself at risk of not meeting GDPR compliance.
There are five key principles of data privacy that organisations must follow if they are to ensure compliance:
1. Storing data appropriately
Article 5 of the GDPR states that data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
Essentially, data cannot be stored after it has served its initial usefulness. The challenge for organisations is ensuring that, when this period has passed, all relevant data is not only removed, but removed promptly.
Any lingering items of data an organisation isn’t aware of could prove to be a breach of the GDPR.
2. Giving customers access to their own data
Article 15 of the GDPR enshrines a consumer’s right of access: that they can “obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data,” as well as information such as why the data was processed, who has access, and what rights the individual has.
Organisations need to be certain that when a legitimate request is made, they can provide ready, comprehensive access to all relevant data and other information.
3. Amending inaccurate data
Article 16 of the GDPR gives a consumer “the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her.” This includes the right to have incomplete personal data completed, including by providing a supplementary statement.
For organisations, this means opening up the personal data they store to modification by consumers, without the risk that a modification makes the data itself unusable.
4. Data erasure
As well as correcting inaccurate personal data, the GDPR has also introduced the “right to be forgotten”.
Article 17 states that a consumer has the right to obtain the erasure of personal data concerning them without undue delay. While this is only permitted on specific grounds, when a request for erasure is made, organisations need to act quickly.
There is also the situation where an individual might want their data erased for one service or process, but not another. In this case, organisations need to be certain they erase the relevant data, while leaving the other service or process untouched.
5. Transferring data
In an increasingly digital economy, consumers will want to re-use their data with a multitude of services.
Article 20 of the GDPR recognises this, stating that a consumer has the right to receive personal data concerning him or her in a structured, commonly used and machine-readable format, and has the right to transmit those data to another organisation without hindrance.
This is one area where obeying the GDPR would be of huge benefit to organisations regardless of compliance: consumers who increasingly want to use multiple services, or switch repeatedly, will have a much more favourable opinion of those organisations that let them do so seamlessly.
The ultimate challenge
The five key principles highlight a single risk. If customers’ data is fractured and inconsistent, organisations will have less unified control. Without this control, it will not only be more difficult to meet GDPR demands; it will also be much harder to use that data to create services that attract and benefit consumers, meaning organisations will also lose a competitive advantage.
The aim should be to create a single ‘Golden Record’ for each customer: a unique overview that describes the individual’s personal details, their history with the organisation and any other contextual information in an easy-to-share format.
If the organisation is confident there is no potentially sensitive data out of its control, then it can focus on using data to improve or expand on the services it offers.
The security question
A Golden Record can still be a valuable asset when ensuring the security of customers’ data. First, there is access control. Controlling access to a single Golden Record is much simpler than controlling access to multiple, disparate data stores.
Simply put, the fewer people who can access, view, modify, remove and export data, the safer that data is.
A true Golden Record will also have a verifiable audit trail, meaning every action taken and modification made can be tracked and suspicious activity quickly recognised and investigated.
Data controllers can see what changes or access attempts have been made, where, when and by whom, so they can better understand how data is used and identify the signs of suspicious behaviour.
2018 and beyond
Ultimately, the aim of the GDPR is not only to ensure privacy, but also to make it easier for organisations to do business across Europe.
Creating a Golden Record that meets the needs of the GDPR will not only make an organisation compliant and better able to attract and serve customers across the continent; it will also create a single view of the customer that can be used to support smart data management across the business.