The new GDPR, the General Data Protection Regulation, was published in the Official Journal of the European Union on May 4, 2016 and becomes directly applicable on May 25, 2018. The regulation aims to protect the personal data, and with it the privacy, of individuals in the European Union. Below are some of the most important terms and their meaning, so that you can prepare for the new Regulation accordingly.
According to the European Commission, the Data Protection Impact Assessment (DPIA) is a process for describing a personal data processing operation, assessing whether it is necessary and proportionate, and identifying the risks it poses to the people whose data is processed. It is a risk assessment that weighs the impact of a data protection threat materialising against the likelihood of it occurring, and it is required before starting any processing that is likely to result in a high risk to individuals.
The National Commission for Data Protection (CNPD) has the general responsibility for controlling and supervising the processing of personal data, in strict respect for human rights and for the freedoms and guarantees enshrined in the Constitution and the law. It is the supervisory authority to notify whenever there is a personal data breach: under the GDPR, the notification must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
According to the law, personal data means any information relating to an identified or identifiable individual, where identifiable means that the person can be identified, directly or indirectly, "by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity". The GDPR widens this list to include, among other things, genetic data, location data and online identifiers such as IP addresses and cookie identifiers.
Citizens will be able to require companies to erase their personal data. This right to erasure, better known as the right to be forgotten, extends the existing right to object to the processing of personal data. The new regulation allows each citizen's personal data to be erased at his or her request, although the right is not absolute: data may be kept where the law requires it, for example to comply with a legal obligation or to establish or defend legal claims.
Companies' computer systems should be able to record who has objected to the automated processing of their data, as is usually done in behaviour analysis and consumer profiling. Once an objection has been recorded, that person's records must be excluded from those processing operations.
The Data Protection Officer (DPO) plays an essential role in the transition from the old law to the new legislation. The person responsible for data protection should ensure that all processing is compliant by the date the GDPR becomes applicable. Appointing a DPO is mandatory whenever the processing is carried out by a public authority or body; whenever the core activities involve regular and systematic monitoring of people on a large scale; and whenever the core activities involve large-scale processing of sensitive (special category) data. This professional should train the team, perform audits and be the point of contact with the data protection authorities.
Data encryption transforms information using an algorithm so that it cannot be easily read by third parties, but only by those who hold the correct key, with which the data is restored to its original meaning. Data masking creates a version of the data that is similar to the original in structure but does not reveal its real content: the original format is kept unchanged, but the values presented are fictitious. Masked data can be used in test and audit environments without compromising the results of the analysis, while still ensuring the confidentiality of the sensitive information.
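As an added example (not code from the original page), the following Python script masks a small set of constructed, fictitious customer records in the way described above: every field keeps its format (a nine-digit identifier stays nine digits, a phone number keeps its grouping, a date stays a date), but the values are replaced. The mapping is keyed with HMAC-SHA256 so that the same real value always receives the same fictitious value, which keeps joins between tables working in the test environment, while someone holding only the masked data cannot recompute or reverse the mapping without the key. The field names, name pools and masking secret are all assumptions made for the example.

```python
"""Deterministic, format-preserving masking of personal data for test environments.

Added example; not code from the original page. The field names, the sample
records, the name pools and the masking secret are all constructed.
"""
import hashlib
import hmac
import random
import re
from datetime import date, timedelta

# Constructed sample records (fictitious people) used as input below.
SAMPLE_RECORDS = [
    {"name": "Ana Silva", "email": "ana.silva@example.pt",
     "id_number": "123456789", "phone": "+351 912 345 678", "dob": "1984-03-17"},
    {"name": "Bruno Costa", "email": "bruno.costa@example.pt",
     "id_number": "987654321", "phone": "+351 936 111 222", "dob": "1990-11-02"},
    # The same person again: masking must map her to the same fictitious values.
    {"name": "Ana Silva", "email": "ana.silva@example.pt",
     "id_number": "123456789", "phone": "+351 912 345 678", "dob": "1984-03-17"},
]

# Small constructed pools of fictitious names; any list will do.
FIRST_NAMES = ["Joana", "Miguel", "Rita", "Tiago", "Sofia", "Pedro", "Ines", "Rui"]
LAST_NAMES = ["Pereira", "Santos", "Ferreira", "Oliveira", "Martins", "Rocha", "Lopes", "Gomes"]

# Expected shape of each field, used to verify that masking preserved the format.
FORMATS = {
    "name": re.compile(r"^[A-Za-z]+( [A-Za-z]+)+$"),
    "email": re.compile(r"^[a-z0-9.]+@[a-z0-9.-]+\.[a-z]+$"),
    "id_number": re.compile(r"^\d{9}$"),
    "phone": re.compile(r"^\+\d{3} \d{3} \d{3} \d{3}$"),
    "dob": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}


def _rng(key: bytes, field: str, value: str) -> random.Random:
    """Seed a PRNG from HMAC-SHA256(key, "field:value").

    The same input always yields the same mask, so joins across tables survive,
    and without the key the mapping can be neither recomputed nor inverted.
    """
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def mask_digits(key: bytes, field: str, value: str) -> str:
    """Replace every digit; keep '+', spaces and length so the layout is unchanged."""
    rng = _rng(key, field, value)
    return "".join(str(rng.randrange(10)) if ch.isdigit() else ch for ch in value)


def mask_name(key: bytes, value: str) -> str:
    """Replace a 'First Last ...' name with a fictitious one of the same word count."""
    rng = _rng(key, "name", value)
    parts = value.split()
    return " ".join([rng.choice(FIRST_NAMES)] + [rng.choice(LAST_NAMES) for _ in parts[1:]])


def mask_email(key: bytes, value: str) -> str:
    """Pseudonymise the local part; keep the domain so the address stays well-formed.

    Caveat: for a small organisation the domain alone can identify people;
    mask it as well if that is a concern in your environment.
    """
    local, _, domain = value.partition("@")
    digest = hmac.new(key, f"email:{local}".encode(), hashlib.sha256).hexdigest()
    return f"user{digest[:8]}@{domain}"


def mask_dob(key: bytes, value: str) -> str:
    """Shift the birth date by a keyed, non-zero offset of up to 180 days.

    Ages stay approximately right for analysis, while the exact date is gone.
    """
    rng = _rng(key, "dob", value)
    offset = rng.randint(1, 180) * rng.choice((-1, 1))
    return (date.fromisoformat(value) + timedelta(days=offset)).isoformat()


def mask_record(key: bytes, record: dict) -> dict:
    """Return a masked copy of one record; keys and field formats are unchanged."""
    return {
        "name": mask_name(key, record["name"]),
        "email": mask_email(key, record["email"]),
        "id_number": mask_digits(key, "id_number", record["id_number"]),
        "phone": mask_digits(key, "phone", record["phone"]),
        "dob": mask_dob(key, record["dob"]),
    }


def mask_dataset(key: bytes, records: list) -> list:
    return [mask_record(key, r) for r in records]


def format_preserved(original: dict, masked: dict) -> bool:
    """True if every masked field still matches the pattern of the original field."""
    return all(FORMATS[f].match(original[f]) and FORMATS[f].match(masked[f]) for f in FORMATS)


def no_value_leaked(original: dict, masked: dict) -> bool:
    """True if no field survived masking unchanged (the kept email domain aside)."""
    return all(original[f] != masked[f] for f in FORMATS)


if __name__ == "__main__":
    key = b"constructed-masking-secret-keep-it-out-of-the-test-environment"
    for orig, masked in zip(SAMPLE_RECORDS, mask_dataset(key, SAMPLE_RECORDS)):
        print(orig["name"], "->", masked)
```

The masking key is the only thing that links masked values back to real ones, so it belongs with production secrets and must never be copied into the test environment along with the masked data. Note also that deterministic masking preserves frequency: a value that appears often in the real data appears equally often in the masked data, which is what makes the data useful for analysis but can also help an attacker who already knows the distribution.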
Personal data collected should be used only for the purpose for which it was collected, and cannot be reused for other actions unrelated to the reason for which citizens shared it.
Citizens may require companies to provide their personal data in a structured, commonly used and machine-readable format that allows it to be transmitted to another company, facilitating migration and making it simpler to change service provider. When a citizen changes bank or television service provider, he or she will not have to supply his or her personal data again, as it can be transferred from one company to the other. The right covers the data the person provided and applies where the processing is based on consent or on a contract.
Measures should be taken to build data protection into computer applications from the design stage onwards (privacy by design and by default): minimising the personal data processed, masking and encrypting data, among other things. The goal is to be able to document, and demonstrate to the authorities, the whole processing operation and the protection applied to the data.
Processing of personal data is any operation or set of operations carried out on personal data, whether automated or not, including its collection, recording, organisation, storage, adaptation or alteration, retrieval, use, consultation, disclosure, combination or interconnection, restriction, erasure or destruction.
A personal data breach is a breach of information security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data that individuals have entrusted to a company or organisation, whether that data is being transmitted, stored or otherwise processed.