Rule specifics:

Simen goes on to discuss the core parts of the regulation that touch technology. He points to several articles, namely: 7, 15, 16, 17, 19, 20, 25 and 32–35 (no worries, we’ll go through them very briefly).

Article 25: Data privacy by design and by default

This article indicates that privacy should be considered in every single aspect of the design and development of a product or service, and that whenever a setting offers a choice, the default should always be the private one. Some useful checkpoints for complying with this are:

Are you using only the minimum data needed?

Can you unlink data from individuals?

Are you using anonymisation and pseudonymisation?

Simen suggests using a DPIA (Digital Privacy Impact Assessment) if a privacy breach in a specific context involves high risks and consequences.

Article 7: Conditions for consent

GDPR stipulates that the company needs to document or prove that consent has occurred between the user and the company, and if the consent is withdrawn, the withdrawal should take effect immediately.

Article 15: Right of access by the data subject

Another important aspect is that companies should provide users with access and an overview of their personal data. This can be done via something like an Information Portal, which could also be used for consent management purposes.

Note by Aiko: You can also check an interesting article at NYTimes written by this year’s Nobel Prize laureate Richard Thaler on exactly this topic.

Article 16: Right to rectification

The Information Portal can further be used so the user can amend his/her personal data. This implies a series of challenges such as validation of the new data, and potential “ripple-effects” in the systems relying on the data.

Article 17: Right to be forgotten

Should we use anonymisation or pseudonymisation? It depends on the case! Simen goes on to say that, for example, for tax audit purposes, certain data must be held for 2.5 years before it can be deleted.
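One way to turn that “it depends” into code, as an added example (not from the talk or the original post): records still under a retention hold are pseudonymised and stripped down to audit fields, and everything else is deleted. The field names, the HMAC-based pseudonym, the key and the sample records are assumptions constructed for illustration; the 2.5-year period is the figure quoted above.

```python
import hashlib
import hmac
from datetime import date, timedelta

RETENTION = timedelta(days=913)  # ~2.5 years, the tax-audit figure from the talk
AUDIT_FIELDS = ("created", "amount")  # assumed minimum an audit needs

def pseudonym(subject_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable for audit joins, not derivable without the key."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

def handle_erasure(records, subject_id, key, today):
    """Delete the subject's records, except those under retention hold,
    which are reduced to audit fields and re-keyed to a pseudonym."""
    kept, deleted, held = [], 0, 0
    for rec in records:
        if rec["subject"] != subject_id:
            kept.append(rec)  # other people's data is untouched
        elif rec["tax_relevant"] and today - rec["created"] < RETENTION:
            slim = {f: rec[f] for f in AUDIT_FIELDS}
            slim.update(subject=pseudonym(subject_id, key), tax_relevant=True, held=True)
            kept.append(slim)
            held += 1
        else:
            deleted += 1
    return kept, deleted, held

def purge_expired(records, today):
    """Drop held records once the retention period has run out."""
    return [r for r in records
            if not (r.get("held") and today - r["created"] >= RETENTION)]

# Constructed sample data and key (the key would live outside the record store).
KEY = b"constructed-demo-key"
SAMPLE = [
    {"subject": "alice@example.com", "created": date(2023, 6, 1), "amount": 120, "tax_relevant": True, "address": "1 Demo St"},
    {"subject": "alice@example.com", "created": date(2020, 1, 15), "amount": 80, "tax_relevant": True, "address": "1 Demo St"},
    {"subject": "alice@example.com", "created": date(2021, 1, 10), "amount": 0, "tax_relevant": False, "address": "1 Demo St"},
    {"subject": "bob@example.com", "created": date(2023, 2, 2), "amount": 55, "tax_relevant": True, "address": "2 Demo St"},
]

if __name__ == "__main__":
    kept, deleted, held = handle_erasure(SAMPLE, "alice@example.com", KEY, date(2024, 1, 1))
    print(f"deleted={deleted} held={held}")
    for rec in kept:
        print(rec)
    print("after retention:", purge_expired(kept, date(2026, 1, 1)))
```

The held record is still linkable by whoever holds the key, so it is pseudonymised rather than anonymised; the link only disappears when `purge_expired` removes the record.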

Article 19: Notification obligation

Notifications need to follow any changes requested by the registered individuals, that is: a change of personal data, a request for removal, or a withdrawal of consent.

Article 20: Right to data portability

This means that it should be possible to consolidate and download all the data concerning an individual.

Note by Aiko: In some cases, it can be quite scary to see the data they have on you... as shown in this article written by The Guardian on Tinder data.

Articles 32–35: Security of processing

Techniques and an organisational strategy need to be in place for Data Access Management. This includes secure programming, and the mechanisms need to be in accordance with the disclosure risk. Simen also suggests NOT putting all the eggs in the same basket, in case a system is compromised! Mechanisms for predicting risk or flagging unauthorised accesses are not a bad idea either!