This text is taken from the White Paper Use of Rever’s solutions in order for enterprises to be compliant with the EU General Data Protection Regulation, download available here.
In the current context where the word « GDPR » and its imminent entry into force make IT managers and legal departments of companies hold their breath, it is worth recalling the basics of the new regulation concerning the « protection of the individuals and establishing the obligations of those processing and those responsible for the processing of the data, as well as the transfer of personal data to third countries and international organizations. »
Let's concentrate on the two themes that concern all organizations from the moment they possess information on individuals :
Rights of individuals
The rights of the individuals in their relations with private or public organizations are defined as follows :
- Individuals have the right to know the name of the enterprise which is processing their personal data and also the following informations :
- the processing purposes.
- the categories of the concerned personal data.
- the existence of an automated decision-making, and in such case, useful information regarding the underlying logic and the importance and consequences of processing provided to the person concerned.
- Individuals have the right to receive the information whether the data was obtained directly or indirectly, and also the source of this information.
- Individuals have the right to receive a copy of their data in intelligible form.
- Individuals have the right to ask for deletion, blocking or erasing of their data.
The European regulation imposes a number of obligations to enterprises which are summarized as follows :
- Respect of the individuals’ rights :
- Enterprises are required to inform individuals when they collect personal data about them, what the processing is going to be used for, to whom their data may be transferred.
- Only legal personal data can be collected.
- Personal data must be accurate and updated where necessary.
- Enterprises must ensure that data subjects can rectify, remove or block incorrect data about them..
- Personal data protection :
- Enterprises must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the security measures which must ensure a level of protection appropriate to the data.
- Obligations towards processing :
- Personal data must be collected for explicit and legitimate purposes.
- Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
- Personal data that identifies individuals must not be kept any longer than strictly necessary.
- Other obligations :
- If required by the national data protection authority, enterprises must establish a “Privacy Impact Assessment” (PIA).
- Enterprises must have a Data Privacy Officer (DPO).
- Entreprises must collaborate with the national data protection authority.
In this context, it is necessary to be able to build a « classification plan » for personal data. This plan is specific to every enterprise and depends on the type of data collected.
For instance, the diagram below shows the various categories of personal data classified from the least sensitive (in blue) to the « forbidden » data (in green) :
In a general way, the expression « personal data » means any personal data or related information. See under 3.1 of our white paper for more details on the definition of personal data.