“The net never forgets” is a quote from the journalist JD Lasica. As SNS became popular and most of the information in society came to be saved on the internet, information that people have forgotten over time still remains on the internet. Search portals have made it easy for anyone to search for information anytime, anywhere.
Have you heard about “the right to be forgotten”? It is called the “Right to erasure” or “Right to be forgotten”, and it is the right to request the deletion of personal information. “An individual may ask the information holding company to remove any irrelevant or unnecessary personal information, and when certain conditions are met, the company must fulfill the request.”
The right to be forgotten (Right to erasure) is one of the provisions of the General Data Protection Regulation (GDPR), which will be enforced starting this May for all EU members. The law was passed in May 2016 in order to replace the existing Data Protection Directive (1995).
As such, GDPR will become an issue among global corporations, and domestic enterprises are expected to be greatly influenced by this change. Many companies have formed an EU GDPR response council in order to analyze and respond to the impact of the GDPR regulations. Let’s take a look at the overall contents of GDPR.
# Personal information defined by GDPR
Personal information includes all information related to an identifiable person (the subject of the information): not only general personal information such as names and phone numbers, but also cryptographic information, biometric information, online identification information, and location information.
* IP addresses, MAC addresses, and online cookies are also personal information if an individual can be identified through them.
Thus, if a person boarding a means of transport can be identified through the geographic information collected by a machine, that information is subject to GDPR as personal information.
# To what scope does GDPR apply?
The scope of GDPR covers personal, physical, and geographical dimensions. Not only the Controller (the company or organization that determines the purpose and means of processing the personal information) but also the Processor (a company or organization that processes personal information on behalf of the Controller) is directly affected by this law. In particular, GDPR applies not on the basis of the ‘nationality’ or ‘citizenship’ of the subject, but to all European residents.
# What is the penalty for violating GDPR?
Violation of GDPR can be looked at in two ways. First, since not only the Controller but also the Processor is subject to the regulation, each entity is responsible for the violation if it does not comply with the obligations stipulated for its role.
For solution enterprises, the company’s solution must be implemented to meet the requirements of GDPR so that the customer can also comply with the law. If GDPR is not complied with, the penalty parameter (turnover) that the EU authorities can impose can be set to include the sales of the Controller as well as the Processor. (Especially if the Controller requests the Processor to pay for the damage caused by the Processor’s solution.)
*Criteria for Charging Fines
1) 2% of worldwide sales / EUR 10 million ▶ violating the obligation to report leaks (72 hours), violating DPO obligations
* DPO: Data Protection Officer, the company’s personal information protection professional
2) 4% of worldwide sales / EUR 20 million ▶ violating the 6 principles of personal information protection, the obligation to comply with the information subjects’ rights, or the regulations related to offshore transfers
# What part of GDPR should the Processor be most aware of?
First of all, you need to know what types of private information you are holding. In particular, sensitive information such as genetic information, biometric information used to identify individuals, and health information needs to be evaluated in detail. You need to identify the various ways in which personal information is handled, document the size and flow of the information, and then monitor it constantly.
Above all, the most important goal of GDPR is to strengthen the rights of the person that the information identifies. ▲ Rigorous standards for consent, and a policy for withdrawing consent, are established. ▲ In addition to the establishment of the right to erasure (right to be forgotten) and the right of data portability, the purpose and means of information collection are minimized under the information protection principle.
* Withdrawal of consent: An environment should be set up so that information subjects can easily withdraw their own consent at any time (as with consent, implementing a withdrawal feature is recommended).
*The rights of the information subjects
Right to basic information
Right of access
Right of rectification
Right to erasure (the “right to be forgotten”)
The right to restrict processing
Right of data portability
Right to object to processing
Companies that develop solutions must provide Privacy by Default for the necessary personal information, and consider privacy from the solution design phase (Privacy by Design). A Data Protection Impact Assessment should be conducted, and especially for profiling, large-scale processing of sensitive information, and public site monitoring, prior consultation with the government authorities is required. Additionally, it is necessary to clarify the roles of the Controller and the Processor, and functions and processes must be implemented in order to guarantee the rights of the information subjects. A Data Processing Agreement is also required.
With the advancement of cloud computing and big data analytics technologies, compliance has become a must-have checklist item for global enterprises.