
HPE Aruba Networking Blogs

GDPR: Control Over My Personal Data, My Fundamental Right

We have long acknowledged fundamental rights like freedom of speech, freedom of thought, and freedom of religion, but what of the right to protect personal data? According to the European Union's General Data Protection Regulation (GDPR), which goes into effect on 25 May 2018, the protection of natural persons in relation to the processing of personal data is also a fundamental right.

GDPR puts the right to control personal data into the hands of the person generating the data rather than the data collector. The implications of this regulation are far-ranging and very impactful for technology companies operating in or with Europe, and the expectation is that non-European countries will also adopt similar regulations.


Under GDPR any information related to a natural person or 'Data Subject', which can be used to directly or indirectly identify that person, is considered personal data. Personal data encompasses one's name, image, e-mail address, bank details, social networking posts, medical information, and computer IP address.

A Data Subject is a natural person whose personal data is processed by a controller or processor. Every Data Subject has the right to protect his or her personal data at all times, regardless of how those data are conveyed or stored.

A "Data Controller" is an entity that determines the purposes, conditions, and means of processing personal data, and a "Data Processor" is the organization that processes the collected data on behalf of the Controller. A "Data Protection Officer" is an expert on data privacy who works independently within an organization to ensure that it is adhering to the policies and procedures set forth in the GDPR. The public authority established by each member state to ensure consistent monitoring of the processing of personal data, equivalent sanctions, and cooperation between member states is known as a "Supervisory Authority."

A "Breach" refers to the accidental or unlawful access to, destruction, or misuse of personal data. Notification must be issued to affected individuals and organizations within 72 hours of the detection of a Breach.

The Regulation

If an organization does not obtain consent to process individuals' data, or violates core GDPR privacy principles, it can be fined up to 4% of annual global turnover or €20 million, whichever is greater.

Consent

Most people do not read the legal agreements associated with installing apps or accessing Web sites, because of their opacity and verbosity. Instead they simply click the "I Agree" button. GDPR requires that consent be requested and explained in an intelligible and easily accessible form, using clear and plain language. It must also be as simple to withdraw consent as it is to grant it.


GDPR Rights

GDPR grants users the right to access their personal data, including how those data are being handled and whether and how they are being processed. The Controller must provide a copy of this information in electronic format, together with the personal data themselves, free of charge. This change represents a dramatic shift in data transparency and the empowerment of users.

GDPR also grants the right to be forgotten. Today when we browse a Web site we have no control over how our actions and interests are captured; for example, they might be sold back to us in the form of advertisements and recommendations. Also known as "Data Erasure", the Right to be Forgotten entitles users to have the Data Controller erase their personal data, cease further dissemination of the data, and prevent third parties from processing the data.

"Data Portability" is the right to see all stored versions of your personal data and to order the data to be moved to another Data Controller. GDPR includes the right to data portability, such as moving all your digital medical records from one hospital to another. Try doing that today and you'll understand how powerful and far-reaching this right is.

Finally, GDPR provides for "Pseudonymisation": an entity may only store and process pseudonymised data, with no reference to an identifiable individual, unless that individual consents to non-anonymised data storage and processing.
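The pseudonymisation and erasure rights described above can be illustrated with a small worked example. The code below is an added example, not code from this post or from HPE Aruba: it replaces the direct identifiers in a record with a keyed token (an HMAC over the e-mail address), keeps the token-to-identity mapping in a separate store that must be protected and held apart from the working dataset, and shows how an erasure request removes both the record and its re-identification link. The records, field names, and helper functions (`pseudonymise`, `reidentify`, `erase_subject`) are constructed for this illustration and are not part of any real system.

```python
"""Pseudonymisation of personal data with a separately held key (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com", "diagnosis": "allergy"},
    {"name": "Bob Sample", "email": "bob@example.org", "diagnosis": "fracture"},
]

# Fields that directly identify a natural person and must not sit in the
# working dataset. Assumed for this example; a real schema would list more.
DIRECT_IDENTIFIERS = ("name", "email")


def make_key() -> bytes:
    """Generate the pseudonymisation key. It must be stored separately from
    the pseudonymised data (e.g. in a key vault), because holding the key
    is what makes re-identification possible."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, value: str) -> str:
    """Keyed token for an identifier. A plain (unkeyed) hash would not be
    adequate here: e-mail addresses are guessable, so without a secret key
    anyone could recompute the token for a known address."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split records into (working dataset, re-identification lookup).

    The working dataset carries only a subject_id plus non-identifying
    fields; the lookup maps subject_id back to the direct identifiers and
    must be stored and access-controlled separately."""
    dataset, lookup = [], {}
    for record in records:
        subject_id = pseudonym(key, record["email"])
        lookup[subject_id] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        dataset.append(
            {"subject_id": subject_id,
             **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return dataset, lookup


def reidentify(lookup, subject_id):
    """Resolve a subject_id back to the person; only possible with the lookup."""
    return lookup.get(subject_id)


def erase_subject(dataset, lookup, key, email):
    """Honour an erasure request: drop the record and the link that would
    allow it to be re-identified. Returns the number of records removed."""
    subject_id = pseudonym(key, email)
    lookup.pop(subject_id, None)
    before = len(dataset)
    dataset[:] = [r for r in dataset if r["subject_id"] != subject_id]
    return before - len(dataset)


if __name__ == "__main__":
    key = make_key()
    data, link = pseudonymise(RECORDS, key)
    print("working dataset:", data)
    print("re-identified first subject:", reidentify(link, data[0]["subject_id"]))
    removed = erase_subject(data, link, key, "ada@example.com")
    print("records erased:", removed, "remaining:", data)
```

Two design points matter in practice: the working dataset on its own does not name anyone, so an analyst or a processor can operate on it without seeing direct identifiers, and the same person always maps to the same token for a given key, which is what keeps longitudinal analysis possible while the key stays out of reach.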

Building a secure future

Technology is a double-edged sword. With technologies like Big Data analytics, Machine Learning (ML), and Artificial Intelligence (AI), we run the risk of a world devoid of privacy regulations. GDPR helps avoid such a scenario by making companies accountable for the way in which they use data about you. With the right regulation, the next-generation Internet will allow individuals and businesses to flourish without ambiguity. With GDPR and similar privacy regulations, emerging technologies like Blockchain, Big Data, ML, and AI can build the foundation for a secure digital future with privacy and security at its heart.

Learn more

Deepen your knowledge of GDPR.

Read my previous blogs on blockchain:

Blockchain, IoT and Emerging Blockchain Technologies

Can Blockchain Scale to Meet Enterprise Needs?