The New General Data Protection Regulation – Privacy in the Industry 4.0
Table of Contents
- 1 What you need to know about the EU GDPR
- ▪ What is personal data?
- ▪ The principles of the GDPR
- ▪ Rights of the data subject – How companies have to handle personal data
- ▪ Who is responsible for protecting personal data?
- ▪ Who needs a data protection officer and internal documentation?
- ▪ If the worst comes to the worst: risk management and penalties
- 2 A historical moment – Privacy in the industry 4.0
- ▪ The cloud brings flexibility as the model of the future
- ▪ Encryption and the GDPR
- ▪ Boxcryptor encrypts your data – Risk management for the GDPR
- ▪ What now? 6 steps to start adjustments to the GDPR
The two-year phase for adapting to the new General Data Protection Regulation (GDPR) is now in full swing. From 25 May 2018 the regulation applies, and all data protection arrangements in companies have to be in line with it by then, without exception. The GDPR does not only affect European businesses, but every company or organization that processes the personal data of people in the EU.
You and your company are probably right in the middle of adjusting to the new privacy rules. This article will help you figure out which changes are relevant for you. We take a closer look at the GDPR and bring clarity to the jungle of paragraphs. After all, the official text runs to 88 pages and is therefore more than four times as long as its predecessor, Directive 95/46/EC. Most importantly, we want to show you why the adjustment phase for the GDPR is a great opportunity for the future of your company. This is the perfect moment to lead your business responsibly into Industry 4.0.
1 What you need to know about the EU GDPR
What is personal data?
First, it is important to know what the purpose of the GDPR is. Its main objective is to define the rules about the protection of personal data. However, when exactly is data personal?
“‘Personal data’ means any information relating to an identified or identifiable natural person” (GDPR, p. 33). Identifiers include a name, an identification number, location data or an online identifier, as well as factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
As soon as a person is directly or indirectly identifiable by the data you process, the data is personal.
The principles of the GDPR
The general principles for processing personal data require that it is processed lawfully and transparently. The purpose of processing has to be specified and legitimate. The amount of data processed has to be limited to what is necessary for that purpose. The data has to be accurate, and the storage period has to be limited to what the purpose requires. Additionally, the integrity and confidentiality of the data have to be protected. In short:
- ▪ Lawfulness, fairness and transparency
- ▪ Purpose limitation
- ▪ Data minimisation
- ▪ Accuracy
- ▪ Storage limitation
- ▪ Integrity and confidentiality
Your company has to be able to demonstrate compliance with these principles (‘accountability’), which means the focus has to be on documenting how personal data is processed.
You have to be able to tell the data subject what you process, how you process it, for how long and for which purpose. It has to be verifiable that the data has been deleted once the purpose-bound retention period is over, and that measures were in place to protect its confidentiality.
Another important point for companies is the data subject's consent. The “request for consent shall be presented in […] an intelligible and easily accessible form, using clear and plain language.” (GDPR, p. 37) The data subject can withdraw consent at any time, and withdrawing it has to be as easy as giving it.
Rights of the data subject – how companies have to handle personal data
With the new GDPR, it becomes more important to inform the customer or the person whose data you process, about what happens to their data. What you have to be aware of is summed up in the following points:
- ▪ Transparency: The data subject has to be able to find out what data is being stored.
- ▪ Whoever processes data is obligated to provide the data subject with information. The subject has a right to disclosure.
- ▪ Right to erasure: The ‘right to be forgotten’ is an important addition in the new GDPR. Under clearly defined circumstances the “data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” (GDPR, p. 43), for example when the subject withdraws consent and there is no other legal ground for the processing.
- ▪ Right to restriction of processing: The cases in which this applies are clearly defined in the GDPR.
- ▪ Right to data portability: This is new as well. Data subjects have the right to obtain their data “in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller” (GDPR, p. 45). Where “technically feasible”, the subject also has the right to have the data transmitted directly from one controller to another. This limitation to technical feasibility spares companies a direct transfer that would pose disproportionate challenges; if the technical requirements are met, however, the service has to be provided.
- ▪ Right to object: For reasons defined in the GDPR, a data subject can object to the processing of personal data.
Who is responsible for protecting personal data?
The responsibility for complying with the GDPR lies with the companies that process personal data. “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.” (GDPR, p. 47) Examples of such measures are pseudonymisation and encryption. Note the phrase “to be able to demonstrate”: a measure only helps you if you can show it was in place, so document what you deploy and review it regularly. If the controller is not established in the EU, for example when a US company processes the data of people in the EU, it has to designate a representative in the Union in writing.
Who needs a data protection officer and internal documentation?
Companies have to designate a data protection officer when one of the following applies:
- ▪ The processing is carried out by a public authority or body (except courts acting in their judicial capacity)
- ▪ The core activities of the controller or processor “consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”
- ▪ The core activities consist of large-scale processing of special categories of data or “data relating to criminal convictions and offences” (GDPR, p. 55)
Companies that process data are obliged to keep records of their processing activities. Organisations with fewer than 250 employees are exempt, but only if their processing is occasional, is unlikely to result in a risk to data subjects and involves no special categories of data; regular processing of customer or employee data is not occasional, so the exemption rarely applies in practice. Smaller businesses are not supposed to suffer disadvantages because of the new GDPR, therefore “the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.” (GDPR, p. 3)
If the worst comes to the worst – risk management and penalties
In case of a personal data breach, the controller has to notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the affected people. Which information has to be handed to the supervisory authority is specified in the GDPR, and a notification that comes later than 72 hours has to state the reasons for the delay. If the breach is likely to result in a high risk for the data subjects, they have to be informed without undue delay as well; this communication can be dispensed with if the affected data was protected by measures such as encryption that render it unintelligible to whoever obtained it. Failing to report in time is itself an infringement and can be fined. Beyond fines, “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” (GDPR, p. 82)
The penalties that come with the GDPR are much higher than before. The official text makes it clear that penalties are supposed to be “effective, proportionate and dissuasive” (GDPR, p. 83)
The amount of the fine depends on several factors, such as the nature, gravity, and duration of the infringement, the intentional or negligent character of the infringement, or any previous infringements by the controller or processor. However, there are also mitigating factors, such as any action taken by the controller to mitigate the damage, or the degree of cooperation with the supervisory authority.
While penalties above one million Euros were very rare under the old data protection directive, they could become common under the GDPR. Depending on the type of violation, companies face fines of up to 10 million or up to 20 million Euros, or up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Implementing data protection that complies with the GDPR is therefore an existential must for companies that cannot afford such penalties.
A historical moment – Privacy in the industry 4.0
The new General Data Protection Regulation is an opportunity for your company. A tremendous change is taking place, summarised under the term Industry 4.0. Companies have to adjust their data privacy arrangements by May 2018 in any case. This is why now is the perfect moment for innovation in your company, for pushing modernisation and digitalisation. The new GDPR is nothing but a reaction to a steadily advancing structural change. Whether the regulation goes far enough and is suited to future technical advances remains to be seen.
The cloud brings flexibility as the model of the future
A big topic that companies are facing is the rapid change of data storage, data management, workflows and teamwork. New technical possibilities simplify internal as well as external communication. Larger and larger amounts of data have to be processed by companies, technical innovations hit the market faster and faster. The intervals in which you have to update software and hardware, or get new work equipment, are getting shorter and shorter.
The cloud is the buzzword of Industry 4.0, because it is the modern solution for teamwork and data storage. Once the cloud is set up, it brings calm and flexibility to the short life span of technical devices: your cloud provider, not you, keeps the underlying hardware and software up to date. Be aware of where that responsibility ends, though: the provider patches its platform, but who has access to your data, how it is protected and whether it is lawfully processed remains your responsibility as the controller.
Many businesses still shy away from the cloud, mostly for reasons of privacy and concerns about compliance and data security. But cloud security is possible, since cloud providers respond to the doubts and fears of their potential customers and external cloud security solutions specialise in managing cloud risks. Leading cloud providers, such as Dropbox, Box, and Amazon, offer the option to store data in the region you prefer. Dropbox has a technology partner program with official software solutions that respond to the needs of its customers.
Encryption is an important factor of the new privacy law of the GDPR
According to recent forecasts, the rise of cloud technology for business is unstoppable. Now is the perfect time to make the move, and we can help you with it.
If you make certain arrangements – and because of the GDPR you have to evaluate and make arrangements for privacy anyway – data privacy in the cloud, compliant with the GDPR, is no problem.
The magic word is encryption, which turns personal data into unrecognisable character strings and makes it unreadable for anybody who is not supposed to have access to it. One could argue that encrypted data no longer counts as personal data, because the data subjects are not identifiable from it. Be careful with that argument: for whoever holds the decryption key, the data is personal data as before, so encryption reduces the risk and the impact of a breach rather than taking the data out of the GDPR's scope, and the protection is only as strong as the key management around it. The GDPR itself lists encryption as a measure to reach a “level of security appropriate to the risk” (GDPR, p. 51).
Boxcryptor encrypts your data in the cloud – measures for privacy by design after the GDPR
Encryption is an explicit part of the GDPR and brings the required level of protection to your cloud. By encrypting data, businesses address the principle of ‘integrity and confidentiality’: they protect the confidentiality of personal data and reduce the risk of harmful data breaches, and with it the risk of painfully high penalties.
Privacy by design is the key here. It helps your GDPR compliance when you adopt technical and organisational measures that build privacy in from the start. Which measures are meant is not spelled out in detail; the only ones named explicitly are pseudonymisation and encryption, to be chosen taking the state of the art into account.
If the worst case occurs and your business faces a complaint, verifiably conducted risk reduction with encryption can help you avoid or lower the penalty. One example: if you store your data at Dropbox, Box, or Google Drive and encrypt it with Boxcryptor before upload, the confidentiality requirements of the GDPR for that data are addressed, because the provider never sees it in clear. Additional SLAs (Service Level Agreements) with your cloud provider can enhance your level of control further.
Boxcryptor is an encryption solution for all established cloud providers. The data is encrypted client-side, before it leaves your device and is synchronised to the cloud. Our software follows a zero-knowledge design, which means that you alone hold the key to decrypt the data. Most cloud providers offer encryption too, but they hold the keys and can therefore decrypt the data again, which is what matters when a provider is compromised, compelled or makes a mistake. Boxcryptor offers extensive features for company and business customers of all team sizes. It is easy to familiarise your employees with the new security software, as many satisfied customers can confirm. We offer comprehensive support and let you get to know our product in a 30-day trial.
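The two measures the regulation names, pseudonymisation and encryption, and the client-side, user-held-key model described above, as an added example. This is illustration code written for this article, not Boxcryptor's implementation and not code from the GDPR text. The sample record, the pseudonymisation key, the object name and the CloudStore type standing in for the provider are constructed for the example; deriving the key from a user secret with a KDF is assumed to happen elsewhere and is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Pseudonymise replaces a direct identifier (e-mail address, customer number)
// with a keyed HMAC-SHA256 tag. Records can still be joined on the tag, but the
// identifier cannot be recovered without pseudoKey, which must be kept apart
// from the data set; for whoever holds that key the data stays personal data.
func Pseudonymise(pseudoKey []byte, identifier string) string {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// NewKey returns a random 32-byte AES-256 key. A real client derives it from a
// user secret with a KDF and never hands it to the provider (assumed, not shown).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. The random 12-byte nonce is
// prepended to the output; the GCM tag makes any change to the stored blob
// detectable when it is decrypted.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails for a wrong key or a tampered blob.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// CloudStore is a hypothetical stand-in for the provider: it keeps whatever
// bytes it receives and holds no key.
type CloudStore map[string][]byte

// ProviderCanSee reports whether the stored object contains needle in clear,
// i.e. whether the provider, or anyone who compromises it, could read it.
func (c CloudStore) ProviderCanSee(object, needle string) bool {
	return bytes.Contains(c[object], []byte(needle))
}

func main() {
	// Constructed sample record; not real customer data.
	record := []byte("customer=anna.muster@example.org; plan=premium; notes=asked about invoice 4711")
	pseudoKey := []byte("example-pseudonymisation-key") // stored apart from the data set
	fmt.Println("pseudonym:", Pseudonymise(pseudoKey, "anna.muster@example.org"))

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, record) // on the client, before upload
	if err != nil {
		panic(err)
	}
	cloud := CloudStore{"customers/4711.enc": blob} // what the provider stores
	fmt.Println("provider can read the name:", cloud.ProviderCanSee("customers/4711.enc", "anna.muster"))

	plain, err := Decrypt(key, blob) // only the key holder gets this far
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted on client:", string(plain))

	otherKey, _ := NewKey()
	_, err = Decrypt(otherKey, blob)
	fmt.Println("decrypt with another key:", err)
}
```

The point of the split is who can call Decrypt: the provider stores `blob`, never `key`, so a breach on its side yields ciphertext only, which is also what the breach-notification exemption for unintelligible data turns on. The pseudonym keeps analytics and record linkage possible while the HMAC key stays in a separate system; if that key is compromised, treat the pseudonymised data as exposed.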
Why don’t you test our product with our free single license? You will notice how user-friendly state-of-the-art encryption can be.
The adaptation phase for the GDPR is the perfect time to evaluate your cloud security, or to lead your company safely into the cloud and therefore into Industry 4.0.
What now? 6 steps to initiate adjustments to the GDPR
1 Congratulations: You already accomplished the first step by reading up on the GDPR.
2 Now start an audit of all personal data you process at your company. What data do you store, who is responsible for the security of the data? The information above helps you find potential vulnerabilities.
3 Get help: Either appoint an internal security expert or find an external partner.
4 Document all the precautionary measures you take in the next two years, since these can be mitigating in the worst case. Tools that were specifically designed to assist organization with GDPR adoption can be helpful in this process.
5 Do you store data outside the EU? Do you work with partners outside the EU and do you exchange data with them? Make them aware of the GDPR and sort out the question of responsibility, ideally in a written data processing agreement.
6 Download Boxcryptor for free and get to know the encryption software “Made in Germany”. If cloud encryption becomes necessary for your business, you will already know the solution of your choice.
Official Journal of the European Union: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (http://bit.ly/28ZC0ul)