Back

EU General Data Protection Regulation – what should we know about it

EU General Data Protection Regulation – what should we know about it?

Pinja Ahola

The EU General Data Protection Regulation (GDPR) was ratified in the spring of 2016 and steps are being taken to make the new regulation applicable during the two-year transition period, which ends on 25 August 2018. The GDPR concerns the automatic processing of data belonging to natural persons. The new regulation brings with it significant new obligations and sanctions. Now is a good time to learn more about the regulation and give thought to how organizations, such as higher education institutions, should prepare themselves for the changes that it will bring about.

The primary objective of the GDPR is to enhance and ensure the rights of individuals. It will also promote economic growth and improve the oversight of the enforcement of data protection rules.

The aim of the GDPR is to provide up-to-date, comprehensive and uniform data protection for the European Union. In addition, an effort is being made to improve the level of confidence in online services, thus promoting the development of the EU's internal digital market. The GDPR also provides a more precise definition of concepts such as consent as well as genetic and biometric data.

The GDPR lists the rights of the data subject, i.e. a natural person whose personal data is being processed. These are, with certain restrictions: the right of access to one's own personal data; the right to have one's personal data rectified; the right to be forgotten; the right to have one's personal data erased; and the right to withdraw one's consent to process personal data.

The GDPR also specifies the obligation of data controllers (i.e. organizations responsible for processing data) to provide data subjects with open, easily available information on the processing of data that concerns them. For example, the data subject has the right to demand that a data controller delete personal data concerning the subject.


How the GDPR will affect us

– An organization should start by examining how it currently processes personal data. Then, it should come up with a plan on what changes to the processing of personal data will be needed. This plan has to take into account the requirements laid out in the GDPR as well as the risks to the data being processed, explains Urpo Kaila, CSC Head of Security and Data Protection Officer.

These kinds of risks include the outsourcing of data processing to a service provider, which has not taken proper care of its data protection and security.
 

"When the GDPR enters into force, organizations must be able to demonstrate that data protection rules are being taken into consideration in the processing of personal data."

 


 



The new GDPR contains more clearly defined rules on the responsibilities of personal data processors. This applies particularly to the data controller, i.e. both the organization and its personnel. This might be, for example, an educational or user administration and its personnel.

When the GDPR enters into force, organizations must be able to demonstrate that data protection rules are being taken into consideration in the processing of personal data. This can be done by means of, for example, certification and terms of use.

Public organizations, such as higher education institutions and other bodies that process personal data on an extensive scale, are required to designate their own data protection officer. The tasks of the data protection officer include ensuring that the organization complies with the GDPR. The data protection officer also serves as a contact person for supervisory authorities. In Finland, these are the Data Protection Ombudsman and a collegial body in charge of oversight.


Increased transparency in the processing of personal data

The GDPR states that data subjects will have the right to receive data concerning them in a machine-readable format.

– Data subjects have the right to access their personal data. This includes the obligation to provide data electronically, if a request for information is made by electronic means. In other words, if a student sends a request by email, the response must also be made in a commonly used electronic format. One solution might be, for example, the possibility of browsing data through a student information system, explains Anne Rautanen, CSC's coordinator of digitisation in teaching and studying.

Data subjects also have the right to transfer their personal data and all other information provided to another system, in cases where they themselves have provided their personal data to a given register and the processing of that data is based on consent or agreement.

In accordance with the principles of transparency, data subjects must know how their personal data is being processed and for what purpose.


Well defined guidelines help personnel in dealing with change

Organisations must ensure adequate information security, such as access control and monitoring, to ensure that the confidentiality of personal data is not jeopardized. The unauthorized access, for example, to the management interface of a student register must be prevented by means of good information security practices. If an administrator is able to read user emails, any access to the emails of a user should generate a log entry.

"Management should develop comprehensive guidelines for staff responsible for change management for example. Information Systems should also ensure privacy by design."


 


 

– Management should develop comprehensive guidelines for staff responsible for change management for example. Information Systems should also ensure privacy by design, says Kaila.

Organizations must immediately report any breaches in data protection to the Data Protection Ombudsman and data subject.

If an organization does not act in accordance with the GDPR, supervisory authorities have the power to impose administrative sanctions, such as large fines, whose amount can be set based on the conditions of each case.


How we do things at CSC

Urpo Kaila was appointed the Data Protection Officer last spring. He has made a long career in information security management. During the coming fall, CSC will draft an internal governance review of information governance and update both its Terms of Use and Privacy Policy.

This fall, CSC will be holding two workshops for data protection officers in higher education, thus supporting compliance with GDPR requirements. Invitations to the workshops will be sent directly to the data protection officers of higher education institutions.

CSC engages in continuous and long-term cooperation with higher education institutions also where data protection issues are concerned.

– As Finnish higher education institutions have cooperated on information security for decades, the security of their IT services is today on a good level. I am convinced that, if the data protection officers can jointly develop and share best practices, we can also protect the personal data we are responsible for.
 


Further information

Data Protection Ombudsman

How to prepare for the EU General Data Protection Regulation (pdf) (in Finnish)

General Data Protection Regulation (in Finnish)

CSC Data Protection Officer: privacy@csc.fi

 


PICTURE: NINA KAVERINEN



comments powered by Disqus