The future of data protection: a threefold perspective on GDPR

Businesses run a high risk of violating data privacy if they do not embrace a threefold perspective on the General Data Protection Regulation, formed by the legal, technical and business points of view. The article below dissects how ignoring that perspective led to the breach cases of the first two years of GDPR, and what we can learn to avoid making the same mistakes.


Part 1

Technical & organizational measures in perspective

By reflecting on the data privacy breaches of the early years since the General Data Protection Regulation (GDPR) came into force in May 2018, both law practitioners and professionals from the technical and business areas develop a more critical perspective on upcoming challenges. It is necessary to understand the pitfalls and neglect that led some companies to prepare insufficiently or leniently, despite the two-year period between the regulation's adoption by the European Union and the date it became enforceable. Through the following case studies, practical measures are recommended to assist in the correct adoption of data protection laws.

  • Access control (physical and virtual)
  • Passwords
  • Data pseudonymization [3]
  • Cryptography
  • Control of data transfers, mainly to countries outside the European Economic Area (Art. 44 to 50 of the GDPR)
  • Data recovery methods
  • Security measures for remote access
  • “Bring your own device” policies (BYOD)
  • Clean working environment policy (screen and desk)
  • Safe data disposal methods
  • Mandatory GDPR training for employees
  • Review of privacy policy notifications
  • Guarantee of the subject’s express consent before the collection of personal data
  • Audit of personal data collection inventory
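Pseudonymization, listed above, is the measure most often implemented badly: replacing an e-mail address with its plain SHA-256 hash is not pseudonymization, because anyone can recompute the hash from a guessed address. The example below is an added illustration, not code from the article, showing keyed pseudonymization with HMAC-SHA256 so that the tokens cannot be attributed to a person without "additional information" (the key and the lookup table), which GDPR requires to be kept separately from the pseudonymized data. The record fields, the sample records and the key handling are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (constructed assumption for this example).
DIRECT_IDENTIFIERS = ("email", "name")

# Constructed sample records; any resemblance to real people is accidental.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "plan": "pro"},
    {"email": "bob@example.com", "name": "Bob Example", "plan": "free"},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Return a keyed pseudonym (HMAC-SHA256, hex) for one direct identifier.

    The key is the secret "additional information": without it the token
    cannot be recomputed from a guessed identifier, unlike a plain hash.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    """Replace direct identifiers in each record with keyed pseudonyms.

    Returns (pseudonymized_records, lookup) where lookup maps token -> original
    value. The lookup table and the key must be stored separately from the
    pseudonymized data set (e.g. different system, stricter access control).
    """
    lookup = {}
    output = []
    for record in records:
        clean = dict(record)
        for field in fields:
            if field in clean:
                token = pseudonymize(clean[field], key)
                lookup[token] = clean[field]
                clean[field] = token
        output.append(clean)
    return output, lookup


def reidentify(record, lookup, fields=DIRECT_IDENTIFIERS):
    """Restore original identifiers using the separately held lookup table."""
    restored = dict(record)
    for field in fields:
        if field in restored and restored[field] in lookup:
            restored[field] = lookup[restored[field]]
    return restored


def leaks_identifier(pseudonymized_records, original_records, fields=DIRECT_IDENTIFIERS):
    """Adequacy check: True if any direct identifier survives in clear text."""
    originals = {r[f] for r in original_records for f in fields if f in r}
    for record in pseudonymized_records:
        for field in fields:
            if record.get(field) in originals:
                return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, store in a secrets manager
    pseudo, lookup = pseudonymize_records(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    print("identifiers leaked:", leaks_identifier(pseudo, SAMPLE_RECORDS))
    print("round trip ok:", reidentify(pseudo[0], lookup) == SAMPLE_RECORDS[0])
```

The design choice to note is that the same key always yields the same token, so the pseudonymized data set stays joinable for analytics, while rotating or destroying the key turns the data set into anonymized data that can no longer be linked back. The `leaks_identifier` check is the kind of automated control that belongs in the "audit of personal data collection inventory" item above.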

Part 2

Learning from the earliest GDPR data breach cases

It is in this scenario of lenient interpretation and insufficient preparation by companies that the earliest cases of data breaches under the GDPR occurred.


Part 3

Adequacy review

After reflecting on the lessons learned from the earliest GDPR cases, the next step is to review the adequacy of the technical and organizational measures, under the proposed threefold perspective, in order to build better guarantees for the protection of personal data in the future. These final considerations therefore aim to help professionals in the technical, legal and business areas, and anyone else who works with data privacy.

Notes and references

[1] Lei Geral de Proteção de Dados Pessoais (LGPD)
