Accountability –a new philosophy in personal data protection

Starting from the 25th of May 2018 a revolutionary change in privacy protection and personal data protection will be implemented (general regulation about data protection), known as „RODO”. RODO requires changes in action philosophy, procedural application, documentation, as well as, IT systems in almost every business. At the same time it introduces sanctions up to 20 mln Euro or 4% of world trade revenues for previous year, in the event of not respecting the new regulations.

Why in the first place do we put „change in the action philosophy”? Well, RODO is not about fulfilling some requirements, it’s about changing the approach towards protection and relations with people, whose data is processed. Hence, this is also a change in protection philosophy. Beginning in May 2018 paper and theoretical privacy policies kept in dusty binders will not be enough. New rules about data protection have to work in the every day life of each enterprise. Moreover, from the company which is processing data (virtually from each entity in the market) accountability will be required.

Accountability as understood by RODO (art. 5), is the obligation of the entrepreneur to demonstrate that personal data is processed in the way stipulated by RODO, therefore:

1. in accordance with the law, reliably and lucidly for the person concerned;
2. with purpose limitation;
3. in accordance with minimal data;
4. the data are valid, or when needed, updated;
5. with limitation of storage in time to the necessary minimum;
6. in a way which guarantees security, including integrity and confidentiality

Simplifying and translating to business language, we have to be able to demonstrate: from where we have the data, on what basis, for what reason we process it; that we performed an information procedure, we look after data accuracy, we know how long we can process it, and that after that time we delete it; as well as who has access to it, and why the data are safe.

In the event someone appears and says that she or he did not give any permission for processing the data by the entrepreneur and did not obtain any information, then the entrepreneur will be obligated to demonstrate that the data were obtained through an agreement from a particular day and in a specific way, and that everything went consciously and informational obligations were fulfilled.

Contact form compatible with RODO

Let’s see the example of the contact form from the website. Beyond the data sent by the user (Jan Kowalski, +48 999 999 999, the content in question), date, hour and way of collecting it (the form from the website http://www. …) it may be necessary to show for which exact content the user opted and approved („I agree…”) and what was the content of the texts related to the informational obligation („The administrator of the data is…”), even though they were subjected to later changes.

Solutions, which enable it (record versions in database, logging of every operation in a structured way which enables reporting) are nothing new. Its application in all IT systems in such a short way is a big challenge. Not only for software authors (generating cycle, stabilizing and distributing in a new version solutions may last months) but also for businessmen (implementing, users training, new procedures and way of performing).

Additionally, the content of agreements and communications also have to evolve. It should be written in simple and clear language for everyone, and at the same, time convey much more information (name; surname; data protection inspector; what kind of categories of data stored; do we share the data, and if yes, to whom; where can we get access to it; how long are we going to process it). Some  entrepreneurs are considering adding „pictograms”, graphic communications which complete texts.

Work with data collections compatible with RODO

Another obligation for entrepreneur is related to the systematical assessment of data protection results (English: DPI, Data Protection Impact Assessment), which is required in high risk cases. Of course, it is not enough to estimate risk and evaluate everything „in your head”. Each operation has to leave a permanent mark in order to document when and how the evaluation ran as well as which decisions we took regarding the results.

DPI is one of the examples which shows that accountability concerns not only specific record (Jan Kowalski). Accountability is also relevant if it comes to each action related to the creation and activities connected with personal data collection (aka registration of processed actions). These are some of the questions we should be able to respond to in case of an audit:

1. Meta-information, for example: who is the administrator, what kind of categories do we process, where do we store the data, what kind of security measures we take, how do we gather data, after what time will the data be removed?
2. What was the course of accepting the data creation? The application was created when and accepted by who?
3. To whom do we confide the data? What kind of agreements do we have? Can we re=confide these agreements?
4. Who, why and to what extent have we entitled someone to process the data? How do we train people who have access to the registration?
5. What kind of questions have we received regarding registration? When did we respond?
6. What is the procedure of removing data from the data collection, when don’t we need it any longer (cyclic review, notification system, reminder, alerts, rules embedded in a particular system).

There is a lot of work to do. The discussions currently concerning the RODO project  can be divided into a few categories:

1. Identify – responses to the question what kind of data and where do we store it?
2. Describe – maintenance of the actual information about registration (Meta-information).
3. Legal – business transformation. Training, adjustment of agreement content and information, verification of contracts’ schemes.
4. Work flow – automation of processes related to registration and creation of data collection, authority conferring, contracts implementing, inquiry system support.
5. Security – introduce protection for infrastructure or application. In order to guarantee the correspondence of infrastructure with the highest standards, many of entrepreneurs decide to use the cloud.

RODO is not a whip for entrepreneurs.

Is it possible to prepare yourself for RODO? Many records gives the freedom for interpretation. RODO does not show how exactly we should fulfill the requirements. It says more about rules and philosophy changes in entrepreneurs activity. There are new industry projects created concerning code of procedure which will ease implementation and adjustment to the new regulations. The obscurity of regulations states not only a challenge but also a chance for businessmen. In the transitional period, it is of high importance in the sanction context to show we tried our best to prepare ourselves for the changes, even if there are some stumbles along the way. RODO is not a whip for entrepreneurs. It should be useful for everyone, as each of us may be in the situation of the entrepreneur or the client.

The article was made in cooperation with Paweł Huryn from Huro  http://huro.pl/huro-pl.html