DT Network, with the support of the Westminster Foundation for Democracy, organized a workshop titled “Data Protection Legislation: National Authority for Informatics and Liberties” on 10 & 11 February 2020.
Below is the intervention of Dr. Lina Oueidat:
DATA PROTECTION –
Awareness, Legal Framework and Compliance of Procedures
Dr. Lina OUEIDAT
In the era of high connectivity and huge data flows, personal data protection is essential. Data is becoming more and more valuable. Protecting personal data from unauthorized, careless or ignorant processing must be a priority in the national cyber goals. GDPR and other regulations have evolved to become a compliance framework for the different authorities to protect personal data. In the following, we will explore the importance of personal data as well as the different challenges faced when trying to protect this valuable asset.
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data – “EU”
Personal Data Privacy and Protection
Data protection is about securing data against unauthorized access. Data privacy is about authorized access — who has it and who defines it.
Another way to look at it is this: data protection is essentially a technical issue, whereas data privacy is a legal one.
The Challenges Faced
Enforcing personal data protection is not an easy task. Many challenges are encountered:
- Complexity of configuring and operating data protection software/hardware
- Ballooning costs of storing and managing backup copies due to rapid data growth
- Lack of data protection solutions for emerging technologies
- Ensuring compliance with regulations like GDPR
- Privacy by Design
Privacy by design calls for privacy to be taken into account throughout the whole engineering process.
Privacy by design should be taken as seriously as security by design.
- Absence of a responsible authority (like the CNIL)
The GDPR is a set of policies and regulations enforced by the EU to better protect and secure private data. However, becoming compliant with the GDPR is not an overnight task. It requires overcoming some difficulties:
- Governance and accountability
New provisions in the GDPR have created a need for enterprise-wide focus on data protection across the full processing life cycle.
- Enhanced data subject rights
The additional rights afforded to data subjects are proving to be a major challenge for controllers to manage, particularly in the context of cross-border data transfers where consent is no longer a viable ground to rely on in many cases.
- Transparency and information requirements
The level of information required to be provided to data subjects is substantial and controllers are concerned about the risks of getting this wrong.
- Data portability and subject access requests
The burden on controllers has substantially increased and questions are already being raised as to how data portability and access rights overlap with concepts of privilege, confidentiality and intellectual property. The potential cost of SARs is a concern.
- Records of processing activities
The requirement to maintain detailed records of processing activities is a particular burden. Some of the template records shared by Data Protection Authorities are deceptively simple.
- Data protection impact assessments
Mandatory impact assessments are posing a new challenge and questions remain as to when they are required. For example, some controllers may engage in large scale personal data processing but only as an ancillary purpose or function. The extensive assessment process requires a cost commitment that may be difficult for smaller companies to bear.
- Data breach notification
There is widespread concern that an abundance of caution on the part of controllers will see a flood of notifications to DPAs. This is likely to continue until regulators issue more guidance. Authorities fear that this wave of over-notification could defeat the policy objectives of introducing the breach notice requirement; controllers are equally concerned that notifications will lead to more litigation.
In the meantime, personal data is a valuable asset. It is often targeted by unauthorized harvesting because of its importance. Protecting personal data should be considered at the national level. The most effective steps to protect this data are crafting the right laws that apply to our current situation and establishing an authority to watch over these laws and regulations.