This article is the last part of the GDPR principles series. In the previous articles you could read about the purpose limitation principle and data minimisation, and about accuracy and data retention periods. Now let's look at data security and accountability.
Controllers are responsible for ensuring that personal data are kept secure against both external and internal threats. This goes to the heart of protecting the privacy of individuals. Data controllers and processors need to assess risk, implement appropriate security for the data concerned and, crucially, check on a regular basis that it is up to date and working effectively. Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. To maintain data security, controllers should implement appropriate technical and organisational measures, taking into account the state of the art and the cost of implementation (as described in the previous article).
“Identifying data subjects”: Third parties might attempt to exercise a data subject's rights without proper authorisation to do so. The controller is therefore permitted to ask the data subject to provide proof of identity before giving effect to those rights. The controller must use all reasonable efforts to verify the data subject's identity. If the controller has reasonable doubts about the identity of the data subject, it may request additional information, but is not required to do so. If the controller cannot identify the data subject, it is exempt from applying certain of that data subject's rights.
Example: A bank client sends a request to exercise his right of access to personal data, but provides only his name. In such a case, the bank has to use another appropriate means to identify the data subject beyond any doubt, not least because there might be dozens of clients with the same name. We should not expect that sending a scan of an ID card would be sufficient, if we consider the requirement to take into account the state of the art. We would suggest using some form of online identity proofing, or visiting the bank in person.
The final principle of the GDPR states that data controllers must be able to demonstrate compliance with the other principles. It is not enough to comply; you also have to be seen to be complying. You will have to implement not only internal and public-facing policies, records and notices, but also technical measures and fundamental personnel and strategic changes to your processing operations. Demonstrating accountability might be an overwhelming project. It is necessary to put appropriate measures in place.
This principle makes itself felt in all rights of data subjects, but only if they are applied well. That is why the last example will be more complex than usual.
Example: An organisation has to implement comprehensive privacy policies and notices for individuals, setting out the full details of how their personal data are processed. It needs to prepare additional documentation addressing the new rights now available to individuals, and automate notifications where needed. The organisation should then move to a system in which compliance is expressed through the concept of privacy by design and by default, as part of accountability. This means considering data privacy throughout the entire lifecycle of all projects and systems. Another requirement is technical compliance, such as pseudonymisation and encryption practices; again, the organisation has to decide which solution is appropriate after assessing all the demands of the GDPR. It then has to be able to restore systems after an incident and to report a breach within the prescribed periods. In some organisations, an integral part of achieving accountability will be appointing a Data Privacy Officer.
These are only some basic examples of GDPR solutions, and they will vary between organisations. There are, however, some recommended steps you should take: map the data in your organisation, assess the risks and the measures to eliminate them, and, essentially, get the backing of your organisation's executives.
If you are using proper identity management software, it is probably already ensuring compliance with all the GDPR principles. If not, you should consider deploying such a tool.