“Data protection is a freedom right”: this is the message sent by the Guarantor for the Protection of Personal Data, which informs citizens about new content in defence of privacy. With the arrival of May, anxiety increases. The GDPR has unsettled everyone, from SMEs to large multinationals, without exception.
The EU 2016/679 Regulation will enter into force on 25th May 2018. The GDPR, General Data Protection Regulation, introduces new methods for processing personal data that leave more decisions to users. You may have noticed the messages sent out by social networks communicating the changes provided for in the regulation and inviting users to read and agree to the new terms by a set date in order to continue using the service.
The Regulation will bring many innovations for users, companies, public and private entities, independent professionals and associations, to curb the excessive use of data, given more or less voluntarily by users, on the web.
- Pseudonymisation: Data protection by design and by default. Data protection by design and secure by default is covered by Article 25 of the GDPR. The data controller must process the data in a way that ensures, and makes clear to the data owner, the methods and purposes of processing for that specific data. Blockchain is the technology that can best support this requirement, since the data stored in the chain are not related to the individual.
- Accountability: It is the main principle for public and private companies, which must report to the supervisory authority any violation of personal data (data breach) that could cause physical, material or immaterial damage to individuals; otherwise they will face substantial penalties.
- Data Protection Officer: works with the data controller. GDPR Art. 37 establishes that the data protection officer intervenes when data processing is carried out by a public authority, when regular and systematic monitoring on a large scale is needed, or when processing involves special categories of personal data.
- Data portability. Your personal data may be transferred from one processor to another. This obviously does not refer to personal data but to particular categories of data, which may not be transferred to non-European countries or to organizations that do not meet the safety standards for protection.
- Right to be forgotten. Anyone can withdraw consent to the use of personal information when the data are no longer needed for the established goals, or when the person wants to delete personal data from archives and third-party databases, with no exceptions.
These are just some of the changes introduced by the GDPR, which ensures the privacy of users with regard to the processing and free movement of personal data.
There are several practices that public and private companies, small businesses and large corporations must adopt. First of all, the entities involved in processing personal data must inform users about how the collected data are used, and about the methods and purpose of processing, clearly and simply, leaving no room for misunderstanding. The data will no longer be visible only to a single machine, so in order to be compliant a distributed system for GDPR and data access has to be defined, such as a cloud system, which will help you avoid penalties equal to 4% of turnover and avoid stumbling into improvised solutions that do not meet the requirements.