Processing of Personal Data by Companies: 5 Things to Keep in Mind
Originally published on November 13, 2019 by Patrick Gebhardt
Last updated on November 18, 2019 • 10 minute read
You work in the IT department of a reasonably large company. Good for you! Wait... What was that? You are also responsible for processing and maintaining personal data of customers, partners and employees? Well... 🤦♂️
Since 25 May 2018, the GDPR (General Data Protection Regulation) has formed the common data protection framework in the European Union. This regulation is abbreviated RGPD in French and DSGVO in German. Compared to all the hustle and bustle around the implementation, not that much has happened since then. There were some fines, but we're still waiting for the big scandals. Now that the dust has settled on the initial hectic pace, there are a few basic considerations to keep in mind in order to be on the safe side.
And many companies actually consider themselves well positioned. ManageEngine just recently showed that over 50% of small or medium-sized enterprises said they were fully compliant and 36% were working on it - compared with 70% of large enterprises that reported compliance, and 28% that said it was a work in progress. Looking at these numbers, it should be borne in mind that for many companies there is a lot of uncertainty in giving positive estimates at all, due to unclear processes and things like Shadow IT.
🔍 Basic facts: The GDPR defines personal data as information referring to an identified or identifiable individual. Legal entities are therefore not directly protected. The processing of data includes its storage, modification, and deletion.
👉 Here are 5 helpful things to keep in mind when implementing GDPR-related processes in the coming months or years:
1. Binding of data to a specific purpose
The binding of data to a specific purpose is the most important thing that must be respected when working with personal data. This binding to a purpose is intended to prevent the misuse of collected data. If, for example, customer data is gathered for an order process, it should only be used for the order process. Nor should you later build a customer index from it or use the information for customer profiles for marketing or further acquisition.
Data may be used for another purpose only in some cases. If your organization has collected data on the basis of legitimate interest, a contract or vital interests, it can be used for another purpose - but only after checking that the new purpose is compatible with the original purpose.
This point requires a fairly clear definition of the actual purpose. General terms should be avoided as far as possible, as they do not guarantee the specific aim. If the purpose is no longer fulfilled, the data that is not required anymore should be deleted.
2. Storage period
You should always balance how long you have to store different kinds of data - in a way that it is still relevant for your business and you can work with it properly - with how long you are legally allowed to store it.
How long personal data remains relevant for your own business cannot easily be quantified as an exact period. Large mail order companies usually give customers the opportunity to manage addresses and other data themselves, on the assumption that a deletion process actually deletes all the relevant data. In any case, it makes sense for almost all companies to offer customers automatic deletion of data that has not been used for a while, because changes of provider or relocation mean that such data frequently changes anyway.
An example of an extremely short storage period would be a birth date for the purpose of proof of age. The success of the verification can be stored, and the actual date can be deleted at once and must certainly never be used to send birthday advertising. That would be contrary to the principle set out in point 1.
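The two rules from this section, deleting data once it has sat unused longer than its purpose allows and keeping only the outcome of an age check rather than the birth date, can be written down as a small retention routine. The following is an added example and not code from the article or from Paessler; the retention periods per purpose, the record layout and the sample customers are constructed for illustration:

```python
import dataclasses
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    email: str
    purpose: str                        # why the data was collected (see point 1)
    last_used: date                     # last time the data served that purpose
    birth_date: Optional[date] = None   # only held until the age check has run
    age_verified: Optional[bool] = None


# Constructed retention policy (hypothetical values, not from the article):
# how long a record may sit unused for each recorded purpose.
RETENTION_DAYS = {
    "order_processing": 2 * 365,
    "newsletter": 365,
}
MIN_AGE = 18


def verify_age(record: CustomerRecord, today: date) -> CustomerRecord:
    """Keep only the outcome of the age check and drop the birth date itself."""
    if record.birth_date is None:
        return record
    had_birthday = (today.month, today.day) >= (record.birth_date.month, record.birth_date.day)
    years = today.year - record.birth_date.year - (0 if had_birthday else 1)
    return dataclasses.replace(record, birth_date=None, age_verified=years >= MIN_AGE)


def expired(record: CustomerRecord, today: date) -> bool:
    """True when the record has sat unused longer than its purpose allows."""
    limit = RETENTION_DAYS.get(record.purpose)
    if limit is None:
        # No defined purpose means no defined basis for keeping the data.
        return True
    return today - record.last_used > timedelta(days=limit)


def purge(records: List[CustomerRecord], today: date) -> List[CustomerRecord]:
    """Return only the records that may still be kept; the rest are to be deleted."""
    return [r for r in records if not expired(r, today)]


def run(records: List[CustomerRecord], today: date) -> List[CustomerRecord]:
    """Run the age check first, then the purge; returns the surviving records."""
    return purge([verify_age(r, today) for r in records], today)


# Constructed sample data for a run on 18 November 2019.
TODAY = date(2019, 11, 18)
SAMPLE = [
    CustomerRecord("c1", "a@example.com", "order_processing", date(2019, 10, 1),
                   birth_date=date(2001, 11, 18)),
    CustomerRecord("c2", "b@example.com", "order_processing", date(2017, 6, 1)),
    CustomerRecord("c3", "c@example.com", "newsletter", date(2018, 11, 1)),
    CustomerRecord("c4", "d@example.com", "marketing_profile", date(2019, 11, 1)),
]


if __name__ == "__main__":
    for r in run(SAMPLE, TODAY):
        print(r.customer_id, r.purpose, "age_verified =", r.age_verified)
```

Only the first customer survives the run: the other three are either older than their purpose's retention period or carry a purpose for which no retention basis was ever defined, and the surviving record holds the result of the age check but no longer the birth date.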
3. Pseudonymization
Another popular way to protect personal data and to stay on the safe side is to remove the direct personal reference. This is possible through pseudonymization. This is a new term, which refers to the technique of processing personal data in such a way that it can no longer be attributed to a specific “data subject” without the use of additional information. A popular method of pseudonymization is the formation of hash values. In this way, customer profiles are created which are no longer person-related. Resolving the pseudonyms is only possible with the plain text, which is generally not stored in the respective database.
Some suggest that, especially in the payment card industry or in protected health information, we’re going to see pseudonymization becoming a mainstream technology over the next two to three years.
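Hash-based pseudonymization as described above, as an added example that is not code from the article or from Paessler. One caveat is built in: a plain SHA-256 of a guessable value such as an e-mail address can be recomputed by anyone who can guess the address, so the example uses a keyed hash (HMAC-SHA256) and treats the key as the "additional information" that is kept outside the profile database. The profile store, the sample orders and the key handling are constructed for illustration:

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def normalise(email: str) -> bytes:
    """Canonical form so that the same customer always yields the same pseudonym."""
    return email.strip().lower().encode("utf-8")


def unkeyed_pseudonym(email: str) -> str:
    # Plain SHA-256. For a guessable input such as an e-mail address this is a
    # weak pseudonym: whoever can guess the address can recompute the hash.
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    # HMAC-SHA256. Recomputing or confirming a pseudonym now also needs the key,
    # which lives outside the profile database (the "additional information").
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def matches(email: str, pseudonym: str, key: bytes) -> bool:
    """Resolve a pseudonym: only possible when both plaintext and key are at hand."""
    return hmac.compare_digest(keyed_pseudonym(email, key), pseudonym)


class ProfileStore:
    """Order histories indexed by pseudonym; the e-mail itself is never stored."""

    def __init__(self) -> None:
        self._profiles: Dict[str, List[float]] = {}

    def record_order(self, pseudonym: str, amount: float) -> None:
        self._profiles.setdefault(pseudonym, []).append(amount)

    def orders(self, pseudonym: str) -> List[float]:
        return list(self._profiles.get(pseudonym, []))

    def holds_plaintext(self, email: str) -> bool:
        """Sanity check: the raw address must not appear anywhere in the store."""
        return any(email in k for k in self._profiles)


def build_profiles(orders: List[Tuple[str, float]], key: bytes) -> ProfileStore:
    """Ingest (email, amount) pairs, keeping only the pseudonym per customer."""
    store = ProfileStore()
    for email, amount in orders:
        store.record_order(keyed_pseudonym(email, key), amount)
    return store


# Constructed sample orders; the key would come from a separate key store.
SAMPLE_ORDERS = [
    ("Alice@Example.com", 19.99),
    ("alice@example.com ", 5.00),
    ("bob@example.com", 42.00),
]


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed: in practice fetched from a key store
    store = build_profiles(SAMPLE_ORDERS, key)
    p = keyed_pseudonym("alice@example.com", key)
    print("alice orders:", store.orders(p))
    print("plaintext in store:", store.holds_plaintext("alice@example.com"))
    print("resolves under a different key:", matches("alice@example.com", p, b"other-key"))
```

Both of Alice's orders land under one pseudonym despite the different spellings, the store never contains her address, and the pseudonym can only be confirmed by someone holding both the plaintext and the key; rotating the key yields a different pseudonym, which is what separates this from an unkeyed hash of the same address.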
4. Data minimalism
This is a general point, and the term minimalism gives it a rather colloquial label. It also marks the shift from "data maximalism" to minimalism, inspired or perhaps entirely driven by the GDPR.
Basically, it is also a question of intelligent advance planning and the question of which data is really needed. You should only save the information needed. This not only protects your company against data theft, but also against accidental misuse by your employees. For internal purposes, the intended purpose should always be clearly recorded and checked regularly during processing.
5. GDPR and PRTG
It could have been so convenient to refer to an anagram for this paragraph; thank you D for nothing. But the fact remains: To comply with the GDPR, companies need to take some security measures and monitor them regularly. To implement these measures and requirements, there are now a variety of software solutions on the market. We at Paessler work together with the manufacturer EgoSecure, whose software solution covers a portfolio of functions that enable companies to set up their IT infrastructure in compliance with the data protection requirements.
In the article below, you'll find useful information on how to optimize and secure your daily handling of personal data: