The data controller carries primary responsibility, along with any data processors, for protecting data subjects under GDPR. Businesses that sell IT equipment, even equipment that processes personal data, have far less stringent obligations, since as suppliers they are normally neither controller nor processor of their customers' data. However, to remain competitive, offering GDPR-compliant features makes good business sense. This normally involves development in two areas: Subject Access Requests and data protection. We at DigiTorc have worked with businesses that have made GDPR compliance a cornerstone of their marketing campaigns and brought in valuable new orders and reactivated old clients.
The main route is offering GDPR features that enable a business to perform Subject Access Requests (SARs). By developing new APIs and repackaging existing functionality, IT equipment suppliers can position their solution as GDPR compliant.
Specifically, SARs and the related requests are how data subjects exercise these new or enhanced rights over information held about them:
- a right to ask for a copy of their personal data;
- a right to ask an organisation to correct any information held about them that is inaccurate;
- a right to request erasure of information in certain circumstances;
- a right to data portability, receiving their data in a commonly used, machine-readable format;
- a right to restrict processing, and a right to object to processing activities, in certain circumstances.
Across Europe and beyond, businesses are demanding that any IT system which holds personal data has a method of fulfilling SARs with a minimum of human intervention and with automatic logging of each request and the action taken.
Another major response by IT equipment suppliers is “privacy by design”. Here suppliers introduce technical measures to protect data from unauthorised access. There are three primary approaches: encryption, anonymisation and pseudonymisation.
Encryption reduces the risk arising from a data breach, since the data is not readable without the correct key. GDPR requires that the supervisory authority be notified of a breach without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). The affected individuals must also be notified when the breach is likely to result in a high risk to them, unless the data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it (Article 34); in practice that means being able to show that the key was not compromised along with the data.
Anonymising and pseudonymising data may be useful in some circumstances. Data that has been irreversibly and effectively anonymised is not “personal data”, and the data protection principles do not have to be complied with in respect of it. Pseudonymised data remains personal data: it offers only limited protection for the identity of data subjects, because the pseudonym can be linked back to the individual by indirect means or by whoever holds the separately kept key or mapping table.
GDPR does not prescribe methods of encryption for data at rest or in motion; the choice of algorithm depends on the business and the nature of the data, though Triple-DES is now deprecated by NIST and AES should be the default for new systems. The same goes for anonymising and pseudonymising data. The technical solution should be matched to the risk of a breach using a risk-based approach.
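The distinction drawn above between pseudonymised and anonymised data is easy to get wrong in practice, so here is an added worked example (written for this page, not DigiTorc code and not from the original text). The records, the secret key and the attacker's candidate list are all constructed. It shows three things: a keyed pseudonym (HMAC-SHA256) that only the key holder can link back, which is why the result is still personal data; an unkeyed hash of an identifier, often mislabelled “anonymised”, being reversed from a candidate list; and a simple k-anonymity generalisation chosen to illustrate irreversible anonymisation.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter

# Constructed sample data set: made-up data subjects, including Article 9 health data.
RECORDS = [
    {"email": "alice@example.org", "postcode": "SW1A 1AA", "age": 34, "condition": "asthma"},
    {"email": "bob@example.org",   "postcode": "SW1A 2BB", "age": 37, "condition": "asthma"},
    {"email": "carol@example.org", "postcode": "SW1A 3CC", "age": 31, "condition": "diabetes"},
    {"email": "dave@example.org",  "postcode": "M1 1AE",   "age": 52, "condition": "diabetes"},
    {"email": "erin@example.org",  "postcode": "M1 2AF",   "age": 58, "condition": "asthma"},
    {"email": "frank@example.org", "postcode": "M1 3AG",   "age": 55, "condition": "asthma"},
    {"email": "grace@example.org", "postcode": "E1 6AN",   "age": 45, "condition": "asthma"},
]


def pseudonym(identifier, key):
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Swap the direct identifier for a keyed token. Re-identification needs
    `key`, which must be stored apart from the data set (separate service, HSM).
    The output is still personal data under GDPR: the controller can link it back."""
    return [{"subject": pseudonym(r["email"], key),
             **{k: v for k, v in r.items() if k != "email"}} for r in records]


def naive_hash(identifier):
    """Unkeyed SHA-256 of an identifier. Frequently mislabelled 'anonymised'."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def reidentify(tokens, candidate_identifiers):
    """Attacker side: any enumerable or obtainable identifier space (a customer
    list, a directory) is enough to reverse unkeyed hashes by recomputing them."""
    lookup = {naive_hash(c): c for c in candidate_identifiers}
    return {t: lookup[t] for t in tokens if t in lookup}


def anonymise(records, k=3):
    """Irreversible: drop the identifier, generalise the quasi-identifiers
    (postcode -> area letters, age -> decade band) and suppress any
    (area, band) group with fewer than k members, so no row is unique."""
    generalised = []
    for r in records:
        area = re.match(r"[A-Z]+", r["postcode"].upper()).group(0)
        low = r["age"] // 10 * 10
        generalised.append({"area": area, "age_band": f"{low}-{low + 9}",
                            "condition": r["condition"]})
    counts = Counter((g["area"], g["age_band"]) for g in generalised)
    return [g for g in generalised if counts[(g["area"], g["age_band"])] >= k]


def demo():
    key = secrets.token_bytes(32)  # constructed; in production kept apart from the data
    pseudo = pseudonymise(RECORDS, key)
    leaked_naive = [naive_hash(r["email"]) for r in RECORDS]
    candidates = [r["email"] for r in RECORDS] + ["mallory@example.org"]
    return {
        "pseudonymised_rows": len(pseudo),
        "naive_hashes_reversed": len(reidentify(leaked_naive, candidates)),
        "keyed_tokens_reversed": len(reidentify([p["subject"] for p in pseudo], candidates)),
        "anonymised_rows": len(anonymise(RECORDS, k=3)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noting. All seven unkeyed hashes are recovered from the candidate list while none of the keyed tokens are, which is the whole difference between a “hashed” column and a pseudonymised one. The anonymisation step suppresses the single record in the E1 area because its (area, age band) group is smaller than k; k-anonymity on its own is still only a starting point, since whether the output counts as effectively anonymised also depends on what other data a recipient could link to it.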
It should be remembered that while GDPR covers personal data (a broader notion than the US term personally identifiable information, PII), there is a critical subset called special category data (Article 9). This used to be called sensitive personal data and covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. Processing of special category data is prohibited unless one of the conditions in Article 9(2) applies, so it should naturally receive a higher level of protection than other personal data.