GDPR Regulation

Sources

What is the GDPR regulation

GDPR stands for General Protection Regulation and it is a collection of laws on data protection and privacy introduced in the European Union (EU), that applies to every entity that collects and processes information on any subject within the EU. An entity might be any organization, either public or private, and a subject might be a citizen of any of the member countries of the EU. The law is in place to protect people's fundamental right and freedom, namely their right to protect their personal information.

The GDPR laws requires careful consideration with regards to information technology (IT) systems, which oftentimes revolves around user information. The GIRAF project is no exception to this, and it is therefore required to take into account what data is collected, stored and how it is used. The GDPR is concerned with data that is categorised as personal information.

Definitions and concepts

  • Personal data: Is information that identifies an individual.
  • Processing: Any one or set of operations which is performed on personal data, whether or not by automated means.
  • Data subject: Is a person based in the EU.
  • Data controller: Is a natural, legal person, organization, public authority, agency or other body, which determines the purposes and means of the processing of personal data, and should be able to prove it.
  • Processor: Natural or legal person (such as an organization), public authority, agency or other body, which processes data on behalf of a data controller.

Types of personal information

GDPR deals with two types of personal information, ordinary and sensitive. Treatment of sensitive data is more limited in terms of the law.

Ordinary personal information Sensitive personal information
Name Race and ethnicity
Address Political beliefs
Identification number Religious or philosophical beliefs
Location data Union membership
Online identification Genetic data
Economic Biometric data for identification of a person
Taxes Health information
Debt Sexual relationship and sexual orientation
Social issues
Sick days
Family
Home
Car
Exam
Application
CV
Work

The essential principles

  • Processing of personal information should be performed in a legal, fair and transparent way.
  • Only sufficient, relevant and limited to what is necessary in relation to the purpose to which they are addressed (‘data minimization’).
  • Be correct. There needs to be taken reasonable steps to make sure that the personal information processed is correct information, that is, it is required that the data controller ensures the correctness of the data with regards to the purpose it is processed in relation to and any incorrect information should be corrected or deleted.
  • There needs to be taken reasonable steps to ensure the integrity, confidentiality and security of personal information. For example, it needs to be ensured that correctness is persisted through time, that no unauthorized access to the data should be possible, and that all personal data is processed by adequately secure means. Such steps should be ensured by the data controller, by measures at both the organizational and technical level.
  • The personal information should not be stored longer than what is necessary to fulfill its purpose, and afterwards it should be deleted or anonymized such that it is simply information.

There has to be legal basis, to process personal information. Lawful purposes for doing so, are as follows:

  • If the data subject has given consent to the processing of his or her personal data
  • To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract
  • To comply with a data controller's legal obligations
  • To protect the vital interests of a data subject or another individual
  • To perform a task in the public interest or in official authority

  • For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children)

  • For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).

The GDPR regulation provides the data subject with an array of legal rights, related to the data and processing thereof. The data subject must be informed about:

  • The extent of the data collection
  • Transfer of data to any third-party and/or parties outside the EU Automated decision-making, based solely on algorithmic basis
  • Their privacy rights under GDPR, including right to
    • Revoke consent
    • Access to view the data, and an overview
    • Data portability, such as gaining access to a portable copy of the data, and in some cases to request that personal data be transferred from one data controller to another
    • Be forgotten, i.e. to have personal data deleted and erased, if conditions mentioned in the regulation is fulfilled
    • Correction of wrong personal information
    • Restrict the processing of personal data, if a number of conditions is met
    • Contest being subject to automated decision-making, based solely on automated processing, such as profiling
    • File complaints with a Data Protection Authority (DPA) over processing of personal information, with the only exceptions to this right being that:
      • Legal or official authority is being carried out
      • ‘Legitimate interest’, where the organisation needs to process data in order to provide the data subject with a service they signed up for
      • A task being carried out for public interest

Children specific regulations

If the child is under the age of 16, it is only legal to collect and process data if a parent with custody of that child, gives the permission to do so. It falls under the responsibility of the data responsible to ensure with reasonable effort that this is done. The individual countries might enact national regulation that puts this age down to 13 years.

Controller and Processor

The data controller might be a company that seeks to collect and process personal information, while a data processor might be another company that provides a cloud-service that the data controller company wishes to use.

  • Data protection principles and measures must be designed intro the business processes for products and services. This includes measures such as pseudonymisation and high level of privacy by default (Article 25). This is the responsibility of the data controller, even if processing is carried out by a data processor. The data controller keeps internal record of the processing of personal data. This will give an overview of the treatments of the data that is initiated. Such an overview is a necessary prerequisite to fulfill a number of obligations, such as: considerations on what information to process; handling insights requests and review of breaches of personal data security. This is an internal document that data protection agency can request at any time.
    • A report (ENISA on privacy and data protection by design (January 12, 2015)) specifies what needs to be done to achieve privacy and data protection by default. For instance, encryption and decryption operations must be carried out locally, and not be a remote service as the keys and data must remain in the power of the data owner.
  • Data protection impact assessment have to be conducted when specific risks occur to the rights and freedoms of data subjects. Prior approval of the data protection authorities is required for high risks (Article 35).
  • Pseudonymisation: Is a required process for stored data that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject, without the use of additional information. An example of such, is encryption that renders the original data unintelligible and the process cannot be reversed without access to the correct decryption key.
  • Records of processing activities: Must be maintained, and include purposes of the processing, categories involved and envisaged time limits.
  • Security of personal data: In the case of a breach, is the data controller is under a legal obligation to notify the supervisory authority within 72 hours of becoming aware of it. Further does the data subject(s) have to be informed if there is a high risk of an adverse impact.
  • Data protection officer (DPO): If processing is carried out by either a public authority, or if processing operations involve regular, systematic and large scale monitoring of data subjects, or if it occurs within special categories, such as a criminal system, a data protection officer has to be appointed. The DPO is expected to have expert knowledge of data protection law and practices, and should be designated to assist the controller in monitoring their internal compliance with the regulation.
    • A designated DPO can be either internal to the organization or external, as long as there is no conflict of interest. Organizations outside of EU, must appoint an EU-based person as representative for their GDPR obligations.
    • The DPO is further expected to be proficient at managing IT processes, data security including dealing with cyber attacks and other business continuity processes (prevention and recovery) to deal with threats to the organization.

Meeting the GDPR regulation for the GIRAF project

The examination of the GDPR regulation, provides a basis for analysing it in the context of the GIRAF project, which is performed in this section.

Organisational Structure and Definitions

Initially a set of definitions has to be established. The purpose of the GIRAF project is to provide a tablet environment, including a set of tools, to assist autistic children with little or no verbal communication. The system developed, is based on a client-server architecture, meaning that for the system to work properly, an application, in this setup termed the client, has to be installed on a tablet, which communicates with a service installed on a server. The system is built such that the client in itself does not store information, but instead delegates data storage to the service on the server, thereby resembling a thin client, and which further establishes that whatever entity provides the service(s) on one or more servers is in control of the data. Depending on the particular circumstances under which the GIRAF system is deployed, including the specific business model and organisational structure, there might be a couple different ways to define the data controller and processor:

  • As the GIRAF project is developed by open-source means, one choice would be for an institution wishing to provide this for its citizens, to acquire the necessary system files and deploy it on their own servers along with the applications on their tablets. This would not change the requirements of the institution to uphold the GDPR regulation to its citizens, but it would possibly be the easiest business model, as the institution would be able to internally to determine the budget allocated to uphold any IT-services, and it would further not require any professional dependencies or expenses with regards to the development of the system, thereby contrasting with the following alternatives.
  • Another choice would be to establish an organisation with commercial intent, whether for-profit or non-profit, which would then provide the GIRAF system services, and thereby operate it as a Software-as-a-Service (SaaS). Those involved in such an organisation, could be anyone knowledgeable about the GIRAF system, such as a subset of developers. The reason for this to be required if GIRAF was to be provided as a SaaS, is two-fold; firstly, to operate a SaaS, an entity must take the responsibility as the data controller and processor, along with any professional obligations, such as dealing with expenses. Secondly, it is unlikely that Giraf is allowed to use the current AAU ITS servers for commercial purposes, and/or delegating the responsibilities of GDPR regulation to that department.

Based on these observations, it is most likely that the first choice is the most appropriate one to take, as this would allow the institution interested in the GIRAF system to assume control and responsibility of the systems and data, along with allowing the current structure of the GIRAF project to continue; as nearly everyone involved as developers, are only active for a four month period once a year, after which they are replaced with the next group of students studying that semester.

The definitions are therefore as follows. The data controller would be the institution seeking to make use of the GIRAF project, by running the system on their own set of servers, thereby also letting the institution assume the role as data processor. This could, based on the specific institutions wishes be delegated to an external provider, thereby making that provider the data processor. The primary data subjects is the citizens of the particular institution, while secondary data subjects would be any caretakers registered in the system.

The personal information processed in the system is data such as the name of the citizen (elaborate with any other information), along with the unique calendar assigned.

Essential Principles

The GDPR regulation states several essential principles, by which every data controller should ensure their business processes operate. Based on the previous discussion of definitions, the primary responsibilities fall upon the institutions adopting the GIRAF system, but in order for any organisation to be willing to do so, the GIRAF system must be designed and implemented with the regulation in mind, which is therefore the responsibility of the development team.

The principles are summarised to the following list of tasks for the GIRAF project:

  • Determine what data is sufficient to fulfill the purpose of the purpose of the GIRAF system, and document both the details of the data, how and when it is collected and for which purpose.
  • Determine or define how the correctness of the data is ensured, and document it.
  • Define reasonable step to take, to ensure the integrity, confidentiality and security of the personal data, which applies both to organisational and technical levels.
  • Determine for how long data has to be retained, for it to fulfill its purpose, along with both when and by what means, it should be deleted.

For any processing of personal data to be legal, there has to be appropriate lawful purpose to do so. There are a number of lawful purposes for processing personal data, one of which is the use of consent from the data subject, by means of a consent contract for example. The GDPR regulation defines several stipulations, regarding obtaining consent from the data subject, such as requiring high privacy and data protection by default, and any request for data collection to have a specific purpose and be of opt-in nature. Further, any processing of data regarding children, requires consent of the parent or guardian of the child. These requirements should be considered in the tasks regarding the GIRAF project.

  • Determine the lawful basis on which personal data is to be processed in the GIRAF system, and based on this, determine the most appropriate means of obtaining such lawful basis, such as seeking to establish a consent contract with the data subject. Should the data subject be a child, it should be determined how the consent should be obtained from the parents or guardian.

The GDPR regulation provides the data subject with several rights, which the data controller legally is required to inform the subject of. While the details of the exact rights are defined in the section describing the GDPR regulation, it is further necessary to determine when and how, the data subject should be informed. The tasks include:

  • Determine when and how the data subject is to be informed about their legal rights. The information should include:
    • What is the extent of the data collection?
    • Is any data transferred to third-parties and/or parties outside EU?
    • Is any automated decision-making occurring, at what is the impact?
    • What is the privacy rights of the data subject? (Details listed in the section about GDPR regulation)
  • It should further be determined how the privacy rights of the data subject is to be enforced, both within the organisation and at the technical level.

Controller and Processor in relation to GDPR

The data controller and processor is responsible for defining the means by which the GDPR regulation is adhered to, which both means definitions of the organisational processes occurring regarding personal data information, but also the technicalities of processing personal data, such as to adhere to the rather elaborate privacy measures defined in the regulation. For the GIRAF project this means:

  • Determine, or define, the data protection principles and measures that is designed into the system, possibly along with any required organisation processes.
    • If, for example, pseudonymisation is used, then when, where and how?
  • Define records of processing activities, including
    • Purpose of the processing
    • Categories involved
    • Envisaged time limits
  • Define processes to be used upon the discovery of an occurred security breach

Conclusion

This chapter has examined and detailed the essential details of the GDPR regulation, along with an elaboration of how these requirements are applicable to the GIRAF project, which includes details of responsibilities to be handled by either the data controller, data processor, data subject and, in order to make it possible for the system to live up to the regulation, the indirect responsibility of the developers to make sure the system adheres to this.

The tasks defined, are necessary to complete before the GIRAF system is put to use, although, depending on the chosen organisational structure and thereby on who is to run the system, the responsibility either falls upon a defined GIRAF organisation or the institution making use of the system.

Last update: December 12, 2023