Personal data protection – a fashionable subject or an actual need?

The increasing exchange and exposure of personal data withing the European Union has made the European Parliament adopt a regulation on protection of individuals with regard to personal data processing and free movement of that kind of data (GDPR), to protect every individual’s fundamental rights and to prevent the abuse of personal data.

Due to rapid technological development and globalization  new challenges in protecting personal data have appeared. The extent of personal data gathering and exchange is increasing, as well as the cross-border flows of personal data. Data is being exhanged between both public and private participants, and national authorities of member states, which have to conduct it, in order to carry out their obligations.

Individuals can be attached to network identifiers, provided by their gadgets, applications, tools and protocols, such as internet protocol address, cookie identifiers or other identifiers, like radio frequency identifications tags. That way, certain traces, combined with unique identifiers and other information received by the servers, can be used for creating individuals’ profiles and identifying them.

Do we really have to protect personal data?

Individuals are making their personal data available publicly and globally. Every time you open your bank account, register on a social network or a web page, book a hotel or a flight online, you are selling your basic personal data: your name, address, profession, the company you work for, your credit card number…

What happens to that data? Can it fall into hostile hands? Should you protect it and are you aware of your rights regarding your personal data?

Based on that data, someone can start a fraud, shop on your account, enter your everyday routine and habits, learn about your interests and get to know you more than you’d want.

Personal data protection and respecting personal life are basic human rights. The European Parliament has always been persistent in achieving balance between strengthening security and protecting human rights, including data and privacy protection. The data protection reform will strengthen the citizens’ rights, improve their control over their own data, and secure their privacy in the digital era.

The Protection of individuals with regard to personal data processing regulation

Every day huge amounts of personal data is exchanged between businessmen, state institutions and individuals. Not respecting the rules of personal data protection in different countries could threaten the international data exchange. Individuals won’t share their data outside of their country unless they are certain of acceptable levels of protection in other countries.

Because of that, rules, that ensure the same level of personal data protection in all European Union countries, have been established. That way, you are ensured safe data exchange and you have mechanisms for dealing with violating the rules. Everybody has the right to make a complaint and to receive an indemnity in case of abuse, anywhere in the EU.

The European Union has adopted a regulation on personal data protection, that will be put into effect on the 25th of May 2018, and whose goal is to restore citizens’ control over their personal data and to simplify the regulatory framework for the employer. Personal data protection is one of the key prerequisites for a successful completion of a unique digital market, which is the European commission’s priority. That will enable complete realization of all digital economy’s advantages.

According to the EU legislation, personal data can only be gathered according to law and strictly defined conditions. Also, organizations that collect and manage personal data are obligated to protect them from abuse and have to respect certain rights of the data owner, which the EU legislation guarantees.

In order to assure the best possible protection of personal data even outside of the EU, this regulation also has particular rules for transferring personal data outside of the EU.

Member states have the liberty to individually define special conditions for processing the personal identification number and personal data of employees, regarding employment, especially when employing and executing work contracts.

Applying the Personal data protection regulation

This Regulation is applied to the processing of personal data, performed by institutions, authorities, Offices and agencies of the European Union. It is not applied to the processing of personal data performed by natural persons under strictly personal or domestic activities, that are not connected to a professional or commercial activities. That means that, if you are exchanging your personal data amongst your friends, you won’t act according to this Regulation, but when you are sharing your personal data on different web-sites, the service providers that are enabling the data exchange have to ensure it’s adequately protected.

So, the Regulation is applied to the personal data collection managers, and they can be either natural or legal persons, national or other authorities, such as banks, insurance companies, telecom operators and all other managing large amounts of personal data. When the purpose and the way of processing are prescribed by law, the manager of personal data collection is assigned by the same law as well. It is important to keep in mind that every structured set of personal data, that is available according to several criteria, regardless to if it’s in computer personal data bases or in other technical tool or even manually, is viewed as a personal data collection.

How to fulfil the conditions of the Personal data protection regulation?

In practice, when defining security measures, the beginning is estimating the risk, and those kinds of guidelines are received when applying the Regulation. It indicates the necessity of identifying risks connected to the processing, estimating the risks, regarding their origin, nature, probability and weight, as well as identifying the best risk cut practices. It is important to define a procedure plan for managing the high risks, in which all the needed security measures would be listed and according to it, put into effect.

Risk reducing measures should be organizational and technical. Organizational measures include defining internal politics and codes of conduct, certification, education and awareness of the employees, enabling the examinee to follow data processing, while technical measures include pseudonymisation of personal data, making certain data unavailable for users or temporarily removing the published data, including the security measures into the development of applications and other products being used, and following all access to personal data through logs, as well as many others. As a universal solution for systematically applying all the needed security measures, there is the ISO 27001 norm. Effective fulfilment of all provisions of the Regulation is enabled by applying that norm for systematic management of information security.

Possible sanctions

For violating the basic principles of personal data processing, examinees’ rights, transferring personal data outside of the European Union, not following commands, temporarily or permanently limiting the processing or suspension of the data flow or withholding access, fines up to 20 000 EUR can be imposed, or up to 4% of the total annual turnover on a global level for the previous financial year.

Fines up to 20 000 EUR or 4% of the total annual turnover

Sanctions are extremely high and no organization should take that risk. Implementing all the necessary precautionary measures is much more profitable and brings many other advantages in the long term, like retaining and obtaining users, their satisfaction and better prosperity of the company. Because today protecting personal data is not a whim, but a dire need.

The deadline for implementing the GDPR regulative is relatively short. If the organization is big or technologically not as advanced, it is advised to start preparing the organization to the new regulation. Companies and organizations have to do a revision of their own systems, and if needed, additionally invest in the equipment, software and knowledge to assure their users’ personal data and all other security aspects. CROZ is collaborating with leading world manufactures of security technology and has an experienced team of experts and partners such as ZIH, that can help you find the best security solutions possible and ease the adapting process according to the Personal data protection regulation.