Privacy and information security undeniably belong together.

By: Ans Duthler and André Biesheuvel

Introduction

Privacy and information security undeniably belong together. The fact that guaranteeing the quality of data is a condition for protecting personal privacy initially raises many eyebrows. Referring to the Dutch Tax Authorities' benefits affair is then sufficient to explain that your privacy is actually at stake if, for example, the tax authorities or a financial institution assume an incorrect age, an incorrect income or an incorrect family composition.

Ensuring the quality of data is also a condition for using artificial intelligence (AI). Once the AI Act comes into effect, a company that wants to apply AI must be able to demonstrate afterwards that the data used was correct and complete. Data protection is also given a prominent role in the AI Act. The AI Act can be regarded as a further elaboration of the requirements that the GDPR imposes on profiling. The EDPB subsequently wrote guidelines to meet the relevant GDPR requirements. The AI Act, in turn, further fleshes out the EDPB guidelines.

This article substantiates that privacy and security are inextricably linked. They are both part of and influence the quality of an organization’s business operations.

This article is structured as follows. First of all, the legal frameworks for privacy protection are presented, focusing in particular on the General Data Protection Regulation (GDPR). An overview is given of the most important rights and obligations of the GDPR, as well as a brief substantive explanation of those rights and obligations. Next, we discuss the method of implementing the GDPR in an organization, whereby a distinction is made between a so-called formal and a material implementation of the GDPR. The management of the material implementation is also discussed. Finally, the relationship between the GDPR and information security is discussed. After all, information security is one of the obligations arising from the GDPR.

General Data Protection Regulation (GDPR)

The GDPR is one of the most important privacy laws in Dutch law.[1] The GDPR applies to (almost) all organizations that process personal data and in fact there is no organization that does not process personal data. Which organization does not maintain a mailing list with names of contact persons or personnel administration? The criterion for determining whether there is personal data is whether data can be traced back directly or indirectly to a natural person. A combination of data that in itself is not personal data, but as a combination can be traced back to a natural person, also falls under the concept of personal data.

Other concepts that are central to the GDPR include processing of personal data (all actions that can be carried out with personal data, from collection to destruction), controller (the person who has control over the processing), data subject (the person to whom the personal data relate) and accountability.

Rights and obligations

The GDPR grants the data subject a number of important rights. It imposes a number of important obligations on the controller.

To gain more control over the processing of his own personal data, the data subject has the right to inspect his own personal data. Only when a data subject knows which data an organization processes about him can he invoke his other privacy rights. For example, he can request correction of the data, he can object to data processing and he can request to be forgotten.

The controller must process the personal data in accordance with the law, in a fair and careful manner and only for legitimate purposes. The legitimate purposes are listed exhaustively in the GDPR. If personal data are further processed – for example if they are provided to a third party – this must be compatible with the original purpose of the processing (the so-called compatibility test). The controller must also have established a policy regarding the retention period of personal data. Personal data may not be kept longer than necessary[2]. In practice, it appears that many organizations have not yet determined a retention period, let alone have a retention policy. These organizations therefore by definition do not comply with the GDPR.

In addition, the controller must ensure that employees who work with personal data observe confidentiality. He must also take appropriate technical and organizational measures to adequately protect personal data[3].

Another important obligation for the controller is that he has an obligation to provide information and must be transparent about the processing of personal data. The controller must inform data subjects in writing about the processing, at least disclosing his own identity and the purposes for which the processing takes place. The most obvious way to comply with this obligation is to publish a privacy statement on the website.

The GDPR also includes the obligation to set up a register of processing operations and prescribes what must be recorded in a register of processing operations.

Last but not least, a controller, and also a processor, is in many cases obliged to appoint a data protection officer (DPO). The DPO is the internal supervisor and advisor and also the contact person for the supervisor.

How to fulfill rights and obligations?

In order to meet all these obligations and to continue to comply, it is important that the controller takes measures and procedures. The rights of data subjects primarily require detailed procedures. The obligations of the controller mainly require measures to be taken.

Meeting these obligations starts with creating an overview of all processing of personal data that takes place in an organization[4]. After all, the legality must be assessed for each processing operation, security measures must be taken, the information obligation must be met, etc. The inventory of data processing therefore forms the basis for complying with the GDPR, and a register of processing operations turns out to be very useful for this. Note that it is the purpose of the data processing, and not the business process or application, that determines what counts as a processing operation. The latter sometimes causes confusion. The so-called formal and material implementation of the GDPR is discussed in more detail below.

Formal and material implementation

Compliance with the GDPR involves more than complying with “formalities”. Compliance also means that all other rights and obligations are met and can be accounted for at any time. The implementation of the GDPR is therefore divided into a formal phase and a material phase. During the formal phase, the formal requirements are met, such as setting up a register of processing operations or registering the DPO with the Dutch Data Protection Authority. During the material implementation of the GDPR, procedures are drawn up and measures are formulated, maintenance and management are organized and the GDPR is integrated with or anchored within the security policy. Use will be made of general infrastructural management measures already taken, controls within the applications or established administrative organization measures.

After the material implementation has taken place, the GDPR requires that the measures continue to work. Internal audits will be carried out periodically to form an opinion on whether or not the GDPR is adequately anchored within the organization. In larger organizations, cooperation is often sought with an internal accounting department to draw up a control framework.

Risk analysis

The same measures will not have to be taken for all processing operations. The nature and extent of the measures to be taken depend, among other things, on the type of data that is processed, the circumstances under which the data is processed and the quantity of the data. In addition, the nature and extent of the measures to be taken also depend on the controller’s expectations regarding the extent to which the data subject will exercise his or her rights. Furthermore, the measures to be taken must be proportionate to the rights of the data subject to be protected and the obligations of the controller. It is obvious that different measures will be taken for a telephone list or birthday list than for the processing of, for example, individual rental subsidy data, in which citizen service numbers are also processed. It is therefore advisable to carry out a so-called risk analysis.

Network of GDPR contact persons

It is recommended – especially in larger organizations – to set up a network of GDPR contact persons. After all, it is not feasible for one person to simply inventory all the processing of personal data, let alone take the associated measures and procedures. At ministries, for example, hundreds and sometimes thousands of processes take place. The contact persons in such a network should represent the various directorates/departments and regions and should be appointed by the manager of the relevant directorate, department or region. The advantage of a network is that the GDPR is implemented in a uniform manner throughout the organization, and that the contact persons can share their knowledge and experiences.

A chairman to be appointed can have a coordinating, encouraging and possibly steering role with regard to the network. Given the relationship with information security, it is further advisable to appoint as contact persons those who also act as contact persons for information security. In addition, it may be important to involve the Internal Audit Department in the network, as well as the DPO, where appropriate.

GDPR and information security

Various reports, guidelines and advice have been issued in which the information security requirements of the GDPR are further elaborated. One of the well-known guidelines is, for example, the ‘Privacy Control Framework’ manual from the Dutch Association of Registered EDP Auditors (NOREA).[5]

For each individual processing of personal data, it must be determined which technical and organizational measures must be taken to achieve an appropriate level of security. Technical and organizational measures should always form a coherent and coordinated system, derived from an (information) security policy, (information) security plan and reflected in a system of general measures and procedures. The level of security required will depend on the risk class. In addition to determining the risk class, aspects such as the state of the art and the costs of taking measures are also relevant.

A risk analysis precedes determining the risk class. Such an analysis involves a number of steps:

  • inventorying the (business) activities and processes in which personal data are processed (this is part of the aforementioned formal phase);
  • determining the nature of the personal data in combination with its scope and use;
  • identifying the possible forms of unauthorized or careless processing of the data such as loss, damage and unauthorized access, modification or provision; and
  • determining the risk class itself. The risk class is the product of the likelihood of undesirable consequences and the damage this may cause for the data subject, the controller or the processor.

Finally

Both information security and privacy protection relate to the quality of an organization’s business operations. Privacy protection is part of information security, and information security is part of privacy protection. Together they form an inseparable bond.

Registered Accountants and Registered EDP Auditors are also increasingly of the opinion that privacy protection and information security belong together and determine the quality of organizations’ business operations. Accounting services in larger organizations no longer only check for effectiveness and efficiency, they have also made quality the subject of their audit. They check both the implementation of privacy legislation and the implementation of information security.

This article focused on privacy protection. The relationship with information security was established through the GDPR. This was not done because information security would be less important, but rather because privacy protection, and the implementation and management of measures taken under the GDPR, often appear to be neglected relative to information security. This may have to do with the fact that the GDPR is a law, and people think that the application and implementation of a law can only be left to lawyers. However, the implementation and management of appropriate GDPR management, security and compliance measures requires a multidisciplinary collaboration and an integrated approach. There is a positive trend that more and more organizations are making time and capacity available to organize the GDPR, and to keep it organized, in a proper manner. Not only lawyers are involved, but also information security professionals. This is a healthy and positive development, which only underlines the usefulness of privacy protection and information security growing together. This development will only be reinforced once the AI Act comes into effect.

Summary

Privacy protection and information security are inextricably linked. Both determine the quality of an organization’s business operations and information management. This article first provides an overview of the most important rights and obligations under the GDPR. The formal and material implementation of those rights and obligations of the GDPR is then discussed. It is emphasized that not only legal knowledge is required for the implementation and management of the measures taken, but that knowledge in the field of business operations, ICT and information security is also necessary, especially for the material implementation. After all, being able to continue to comply with the GDPR requires taking measures and establishing procedures within the organization. The final topic was the relationship between the GDPR and information security. It has been indicated that (continuous) risk analysis and the division into risk classes are not only useful for information security, but also for determining the nature of the measures and procedures to be taken, and the effectiveness of the measures and procedures taken, in the broader context of the material implementation and management of the GDPR.

Interested?

Do you have any questions, comments or need an appointment with Ans Duthler or André Biesheuvel regarding this article? Please feel free to contact the authors via +31 (70) 392 22 09 or j.a.duthler@duthler /a.j.biesheuvel@duthler.nl.


[1] In addition, Dutch law also has sector-specific laws, such as the Police Data Act (Wpg), the Medical Treatment Agreement Act (WGBO) and the Basic Registration of Persons Act. Sometimes such a law replaces the GDPR, sometimes such a law works in addition to the GDPR. We view the European AI Act as a further extension of the GDPR.

[2] See: https://www.autoriteitpersoonsgegevens.nl/themas/basis-avg/privacy-en-persoonsgegevens/bewaren-van-persoonsgegevens

[3] See: https://www.autoriteitpersoonsgegevens.nl/themas/beveiliging/beveiliging-van-persoonsgegevens/maatregelen-voor-beveiliging

[4] We recommend the SBC Management System to our customers, see: https://duthler.nl/diensten/beschermen-van-persoonsgegevens/sbc-managementsysteem/

[5] See: https://www.norea.nl/uploads/bfile/6ffdfb84-7449-4106-b109-fc5f6ba0636a