Privacy by design is based on embedding privacy measures and privacy-enhancing technologies directly into the design of IT solutions. But as customers' needs change, and with them their privacy needs, privacy by design becomes more than adding some code to a form or embedding a few technological components in hardware and software. Privacy by design also concerns the organization itself.
The General Data Protection Regulation (GDPR) addresses data protection (privacy by design) as a legal obligation for data controllers and processors. It makes explicit reference to pseudonymisation, anonymisation and data minimisation of all personal data, by default.
Does it mean we need to revise old code? Should an extra layer of code be implemented to manipulate or redact sensitive data, or will simply adding some sort of pop-up like the cookie-notice do the trick?
There is a bit more to it, I’m afraid. The whole idea behind the GDPR is to take responsibility and ownership of sensitive data. A customer can, at any given time, ask what information you, as a business, have stored about him. The customer can also request to have his data changed or completely removed. And the organization has to be able to prove it has carried out the request.
The right to erasure
Probably one of the most talked about aspects of the GDPR is the ‘right to erasure’, also known as the ‘right to be forgotten’. Article 17 of the GDPR states:
Data subjects have the right to obtain erasure from the data controller, without undue delay, if one of the following applies:
- The controller doesn’t need the data anymore.
- The subject withdraws consent for the processing which he previously agreed to.
- The subject uses his right to object to the data processing.
- The controller or its processor is processing the data unlawfully.
- There is a legal requirement for the data to be erased.
- The data subject was a child at the time of collection.
If a controller has made the data public, it is obliged to take reasonable steps to get other processors to erase the data. When a website publishes an untrue story about an individual, for example, and is later ordered to erase it, it must also ask other websites to erase their copies of the story. At the same time, there are exceptions to Article 17, for example when the data is part of scientific or historical research archives, when there is a legal ground to keep the data (for example in the financial sector), or when the data supports legal claims.
Always keep track of the data
To protect their data, businesses manage data backups. That may lead to tricky situations. Imagine a customer requests to have his data removed completely and the company complies with that request. But later on, the company restores the data backup following a hiccup in its IT operations – and the personal data reappears… Then what?
First of all, the organization needs to understand where all the personal data resides. Following that, an assessment must be made of what can, should, cannot and practically cannot be erased. This is where the exceptions may apply, such as legal requirements for data retention. Following the customer’s request, the controller should remove the personal data from the live online systems. Data that must be retained should be kept in an offline archive, locked down, so that the retention requirements and the subject’s wish to be forgotten are both met.
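The backup scenario above is where erasure most often silently fails, so here is an added example (not code from the original article) of one way to structure it: an erasure ledger that records every request, moves retained records to an offline archive instead of the live store, and is replayed after any backup restore so a subject erased before the backup was taken does not reappear. The ledger itself holds only a keyed hash of the subject identifier, in keeping with the data-minimisation principle. `PersonalDataStore`, `LEDGER_KEY` and the `cust-…` sample records are constructed for the illustration and are not from the article.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Hypothetical ledger key (constructed for this example). The ledger stores a
# keyed hash of the subject identifier rather than the identifier itself; in a
# real deployment the key would come from a key store, not from source code.
LEDGER_KEY = b"example-ledger-key-not-for-production"


def pseudonym(subject_id: str) -> str:
    """Keyed hash of a subject identifier; the ledger only ever holds this."""
    return hmac.new(LEDGER_KEY, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


class PersonalDataStore:
    """Stand-in for a live system, its locked-down offline archive, and an
    erasure ledger that records every request and what was done about it."""

    def __init__(self, records: dict):
        self.live = dict(records)   # subject_id -> personal data served online
        self.archive = {}           # retention copies, never served online
        self.ledger = []            # erasure requests plus evidence of handling

    def _log(self, subject_id: str, action: str, **details) -> dict:
        entry = {
            "subject": pseudonym(subject_id),
            "action": action,
            "handled_at": datetime.now(timezone.utc).isoformat(),
        }
        entry.update(details)
        self.ledger.append(entry)
        return entry

    def erase(self, subject_id: str, retention_required: bool) -> dict:
        """Handle an Article 17 request. The case-by-case assessment decides
        whether a legal retention obligation applies; if it does, the record
        moves to the offline archive instead of being destroyed."""
        record = self.live.pop(subject_id, None)
        archived = retention_required and record is not None
        if archived:
            self.archive[subject_id] = record
        return self._log(subject_id, "erase_request",
                         found_in_live=record is not None, archived=archived)

    def restore_backup(self, backup: dict) -> list:
        """Restore the live store from a backup, then replay the ledger so
        subjects erased before the backup was taken do not resurface."""
        self.live = dict(backup)
        erased = {entry["subject"] for entry in self.ledger}
        reerased = sorted(sid for sid in self.live if pseudonym(sid) in erased)
        for sid in reerased:
            self.live.pop(sid)
            self._log(sid, "restore_replay", found_in_live=True, archived=False)
        return reerased

    def evidence(self, subject_id: str) -> list:
        """Ledger entries for one subject: what you show a regulator."""
        token = pseudonym(subject_id)
        return [entry for entry in self.ledger if entry["subject"] == token]


# Constructed sample data for the demonstration; not real customers.
SAMPLE_RECORDS = {
    "cust-1001": {"name": "A. Example", "email": "a@example.invalid"},
    "cust-1002": {"name": "B. Example", "email": "b@example.invalid"},
}


def demo() -> dict:
    store = PersonalDataStore(SAMPLE_RECORDS)
    backup = dict(store.live)                  # backup taken before the request
    store.erase("cust-1001", retention_required=True)
    reerased = store.restore_backup(backup)    # backup restored after the request
    return {
        "live_after_restore": sorted(store.live),
        "archived": sorted(store.archive),
        "reerased_on_restore": reerased,
        "evidence_entries": len(store.evidence("cust-1001")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the replay step is that the ledger, not the backup, is the source of truth for who has been erased; a restore is treated as an event that must be reconciled against it, and that reconciliation is itself logged so the organization can show it acted on the request even after the data came back.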
Neither black nor white
Every organization, business and customer, every record and every piece of technology used requires a case-by-case assessment. Do you have a justifiable position when you are facing a regulator or when you find yourself in court? Are you confident that you did the best you could? Can you prove you have done everything needed to remove the data of the requester? Focus on answering that question and you should be okay. Then focus on redesigning the software to build in these features. Start new projects with all of the above in mind, and privacy by design will be implemented at the core of the code right away.
Author: Rutger Saelmans, 3 April 2018