SteadyHOPS and the GDPR
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) are complex, in-depth, complementary pieces of legislation that govern how businesses process personal data. For the remainder of this article they are referred to collectively as the GDPR. Compliance has many aspects, and the best place to keep up to date and understand them is the Information Commissioner's Office (ICO) Guide to the General Data Protection Regulation. This article highlights the aspects of compliance that SteadyHOPS supports.
The GDPR sets out seven underlying principles that guide both the regulation and your compliance with it. They are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Compliance with these principles is achieved through organizational, technical, and procedural measures that together form a privacy by design approach. SteadyHOPS is a commercial solution that assists with certain aspects of GDPR compliance, most notably the accountability principle.
The accountability principle states that organizations must take responsibility for their role in protecting the personal data of individuals (data subjects) and for complying with the regulation. It is the organization's responsibility to put appropriate measures in place and to maintain records that demonstrate compliance. SteadyHOPS serves as the main touch point for correspondence with individuals regarding their personal data and its processing, and it keeps a record of the in-system actions you take when fulfilling their requests under the regulation. In short, it can help you demonstrate compliance with the accountability principle in the event of a reported privacy concern and a subsequent investigation.
SteadyHOPS Data Subject Request Portal
The GDPR grants individuals certain rights regarding their personal data. Several of these rights take the form of requests that can be made to the data controller, which the controller must honour. They include:
- Right of Access Requests
- Right to Rectification Requests
- Right to Erasure Requests
- Right to Restrict Processing Requests
- Right to Data Portability Requests
- Right to Object Requests
- Right to Challenge Automated Decision Making or Profiling
Your organization should develop a process for handling each of these request types internally and ensure it is documented. Documenting compliance is a key aspect of the GDPR, and we will cover each of these request types in depth in future articles. A request must be fulfilled without undue delay and in any event within one month of receipt; where a request is complex or an individual has made several requests, the controller may extend this by a further two months but must tell the requester, and explain why, within the first month. SteadyHOPS provides an online touch point through which individuals can interact with your organization about these requests. This ensures a request is captured in writing, and the system lets you document how the request was fulfilled and the timeline for fulfillment. A data privacy request portal is a visible way to show that your organization has invested in compliance with the regulation, and it provides a means of demonstrating accountability and transparency. For more information, take a look at our product page.
The accuracy principle states that controllers and processors should make reasonable efforts to ensure personal data is accurate. They must allow individuals to challenge the accuracy of data and take steps to rectify or erase the data in question. Verification is sometimes needed to establish whether data is accurate. When deciding what verification steps are appropriate, controllers and processors should consider the impact on the individual and whether the organization collected the data itself or the individual provided it. Organizations should document each challenge and their response to it thoroughly and promptly. They should also document how they decided whether the personal data needed to be verified and, where it did, the verification steps taken.
Data minimization is the principle of collecting only the minimum personal data needed to carry out the stated purpose and no more. When conducting a data minimization evaluation you must ensure that the data collected is adequate and relevant to your stated purpose as well as limited to what is necessary. The onus is on the organization to document compliance with this principle. We recommend documenting a review against this principle each time a new category of personal data is collected or a new processing activity begins, and conducting at least an annual audit of the personal data you hold to ensure that changes in the business have not affected compliance with the data minimization principle.
The GDPR's purpose limitation principle constrains the use of personal data to the purposes for which it was originally collected, or to purposes compatible with them. A handful of further purposes are treated as compatible by the regulation itself: archiving in the public interest, scientific or historical research, and statistical purposes. The burden falls on controllers and processors to document their purposes and the reasoning behind them. These must be documented externally, so that they are transparent to the individual, and internally, with regular audits. Take care when deciding that a new purpose is compatible with the original one: conduct a compatibility analysis and document the reasoning behind the conclusion, considering in particular the link between the new purpose and the original one, the context in which the data was collected, and the consequences for the individual.
The first principle of the GDPR, lawfulness, fairness and transparency, focuses mainly on the underlying reasons for collecting and processing personal data and how it will be used. It requires a lawful basis for processing, and the regulation identifies six such bases. Consent is the most widely discussed of these, and organizations that rely on it must establish proper mechanisms for collecting and recording it; the ICO notes, however, that no single basis is inherently better than the others, and the right choice is the one that genuinely fits the processing. The fairness element requires that data is collected and used in ways people would reasonably expect and that do not cause unjustified harm to an individual or group, however small that group may be. The transparency element requires organizations to be clear with individuals about what information is collected and how it will be processed and used. The collecting organization is responsible for documenting its compliance with these principles. Establishing a process for documenting the lawful basis for processing, and the fairness and transparency of collection, will leave an organization prepared for regulatory scrutiny and help it avoid complaints, lawsuits, and fines.