The scope of the GDPR
Through the rights of persons, the GDPR grants the consumer/citizen a right to information, control and objection regarding the use of their personal data by private and public businesses. In this context, it is important for the consumer/citizen, as well as for businesses, to understand the underlying principles (see the first post of this series), the necessary implementation and the tools to use.
To clarify these concepts, let's take the example of a tax return:
- "Treatment" (the processing) defines the objective, namely "the calculation of the tax";
- The "applications" are the different frames of the form, each of them corresponding to a calculation component;
- For data, the "type" is the label of the fields to fill in;
- "Values" are the answers of the taxpayer;
- The "localizations" are the physical locations on the form; the same "data" can be repeated in several "localizations" on the form.
The rights of individuals
As we can see, the exercise of the rights of individuals de facto requires companies to know the different localizations of data: how else can they make sure that data that need to be rectified are indeed modified in the same way in all the applications concerned? Likewise, knowledge of the applications is absolutely necessary, since they alone make it possible to carry out modifications or deletions without risk. The table below summarizes the basic and essential knowledge required to respond appropriately to the rights of individuals as provided in Article 12 of the General Data Protection Regulation.
To comply with the GDPR concerning the rights of data subjects, companies must:
- Identify personal data in the overwhelming amount of data that they collect;
- Classify the identified data into the different categories anticipated by the GDPR (sensitive data, data restricted to public authorities…);
- Locate the multiple instances of identified data across the full scope of use;
- Link each of the different localizations of identified data to the applications on the one hand, and to the processing operations on the other.