With a lot of buzz around the new GDPR regulation, it is vital for us as developers or solution providers to understand it and how we can better enable such compliance in our applications. Especially while using services like Microsoft Azure & Office 365, there are plenty of resources available that you can use to develop compliant systems.
In this article, we will try to understand what GDPR is & how we can build GDPR compliant systems by leveraging the features in Azure & Office 365. This "simple to read" article will brief you on all basic aspects of GDPR, what data it applies to, who is responsible and more.
How did it all start
The European Commission initiated the plans for data protection reforms across the European Union in order to make Europe fit for the digital transformation. One of the key initiatives in that reform is the General Data Protection Regulation, or the GDPR as it is widely known. The initial proposal for the GDPR was released in January 2012, & 25th May 2018 is the last date for organizations to be compliant with the regulation.
What it is
GDPR is a regulation on data protection and privacy for all individuals within the European Union and the European Economic Area. It mainly concerns the personal data of individuals, how it is stored and how it is processed. The regulation contains provisions & requirements pertaining to handling data that belongs to individuals, and it applies to all enterprises irrespective of the location of the business.
Whom it applies to
This regulation applies to anyone who is collecting and managing the personal data of online visitors. The broad categories include:
- Data Controller
An organization that collects personal data from any EU resident (It may be you if your application collects personal data from an EU resident)
- Data Processor
An organization that processes personal data on behalf of the data controller (Say Microsoft, if you are storing all your data in the Microsoft Cloud)
In certain cases, this regulation applies even to organizations located outside the EU if they collect or process data of an EU resident. The regulation doesn't apply to data that is processed for purely personal purposes with no connection to any professional or commercial activity.
What Data does GDPR apply to?
GDPR applies to two categories of data:
- Personal Data
Any information relating to a person that can directly or indirectly identify that person. For example, data such as name, identification number, location data, online identifiers & even IP addresses are included in personal data.
- Sensitive Personal Data
GDPR refers to sensitive personal data as ‘Special categories of Personal Data’. These include genetic data and biometric data where it can be used to uniquely identify a person.
Its impact
- For Business
With GDPR in effect, there is one data regulation across the EU that applies to any organization doing business within the EU, including organizations located outside the EU that do business within it. Having said that, having one law across the EU simplifies the oversight process, & having one supervising authority will make it simpler & cheaper for businesses to operate.
- For Individuals
With regular threats through the means of hacking, individuals' data is exposed in several ways, be it their personal identification details, email credentials, photos and more. Most of this happens because the individual does not understand what data is accessed & how it is used by any system. With GDPR in place, individuals have the right to access their personal data in these systems with ease & to know how that data is processed. Also, the individual gets notified by the organization whenever his/her data is hacked.
In this section, we will see what it takes for you as a data processor to conform to the GDPR regulations, what rights individuals have, and what steps you need to follow in each case. This article should help you understand the principles of GDPR & ensure that the system you design complies with GDPR.
If you are a data processor or data controller (check Part 1 to understand what a data processor/controller means), who has access to personal data of any individual who is an EU resident, then the following principles should be the heart of your approach when you process/hold personal data.
- Lawfulness, Fairness & Transparency
You should identify valid grounds for collecting & processing personal data, use the data in a fair way (i.e., in the way that was declared), & be transparent in declaring what data is processed & how it is processed.
- Purpose Limitation
Be clear on the purpose of processing the data, document it & specify it in your privacy policy for individuals. If you are using the data for any new purpose, then it should fall within the original purpose, or you should have a clear basis in law or get consent again.
- Data Minimization
Personal data you have collected should be adequate, relevant to the purpose for which it was collected & limited to what is necessary; no excess data should be collected.
- Accuracy
You should ensure all the personal data is accurate & kept up to date. You should build a rectification process in your data management system to update any changes to the data or to erase it if required. The data should never contain any misleading information.
- Storage Limitation
You should not hold personal data longer than you require it. Periodic review, retention & erasure of data should be done properly. The individual has the right to have the data erased if you no longer need it.
- Integrity & Confidentiality
You should have proper measures in place to protect the personal data from unlawful processing or accidental loss or damage. This is also known as the security principle of GDPR.
Below are the rights that any individual possesses when he/she provides personal data to you, & the steps you need to take in each case:
- Right to be Informed
The individual has the right to be informed about what data is collected & how it will be processed. This is one of the key principles (transparency) of GDPR. As a data processor/controller you need to inform individuals of the purpose of processing that data, how long it will be kept & who the data will be shared with.
- Right to Access
The individual has the right to access his/her data. Individuals can submit an access request verbally or in writing. Organizations should produce the requested information within a month, although there are exceptions for excessive or repetitive requests.
- Right to Rectification
As with the right to access, the individual has the right to request rectification of any information held by the organization that he/she finds to be wrong, & the same one month rule applies here.
- Right to Erasure
Individuals can request erasure of their data when it is no longer necessary, when the individual withdraws consent, or in any circumstance where the data is unlawfully processed or doesn't meet lawful grounds.
- Right to Restrict Processing
Individuals can request restriction of the processing of their personal data in certain circumstances, such as when the individual contests the accuracy of the data, or when the information is no longer needed for processing but the organization needs it to establish a legal claim.
- Right to Data Portability
This right allows individuals to obtain & reuse their personal data across multiple systems. It applies only to data the individual has given consent to use.
- Right to Object
Individuals have the right to object to the processing of their personal data that is carried out on legitimate grounds or in the exercise of official authority.
- Rights related to automated decision making including profiling
GDPR addresses the processing of individual data automatically without any human intervention, such as processing data to make predictions about the individual. GDPR has additional rules to protect individuals, who can challenge such processing, & there are limitations on where this kind of processing can be carried out.
This brings us to the end of the principles that have to be followed by data controllers & the rights that any EU individual possesses when providing his/her personal data to any organization. These are explained at a very high level; for each of the rights, there are various clauses & extended articles that you may need to refer to.
In my upcoming article, we will see how we can best implement these compliances in Office 365 & Azure. Feel free to leave your comments below.