25 May 2018 has now passed and the GDPR (General Data Protection Regulation) has become fully effective. The web is full of more or less in-depth information on the topic, generally user guides and explanations of the new terminology.
The user is at the center of the whole regulation: their data matter, and every company has had to organize itself to comply. But are the companies themselves, as data owners, sufficiently protected by the GDPR? We are interested in checking the situation of those belonging to the IT world. The regulation should only affect European companies, but it was immediately clear that the whole world is affected in one way or another. This happens because user data easily cross EU borders when users adopt services offered by companies operating from non-EU countries, such as Facebook and Google, and not only them: many companies that offer cloud-based services fall into the same category.
The reference regulation in Europe on the protection of personal data does not explicitly mention the cloud, but it is clear that this infrastructure must comply with the new rules.
The key points of the regulation are:
- Privacy by design – The protection of personal data must be guaranteed “right from the design”
- Privacy by default – The protection of personal data must be guaranteed “by default”
- Accountability – The data controller adopts adequate technical and organizational measures to guarantee, and be able to demonstrate to the Privacy Guarantor that the processing of personal data is carried out in accordance with the Regulation.
A company that provides cloud services is, to all intents and purposes, to be considered “Responsible for data processing” pursuant to Article 28 EU GDPR; not surprisingly, the main players have added, alongside the service contract with customers, a contract that governs their role in this area.
With this in mind, the data controller who uses an external cloud service:
- identifies the provider as data processor;
- checks that it meets the three key points listed above.
Companies operating in the IT sector often find themselves offering products or services that give users portions of virtual space within their platforms, spaces in which users can insert, manipulate and save personal data of varying sensitivity.
Finally, the user has a series of very important rights, which can however seriously endanger companies that have not organized themselves to guarantee them, in particular:
- the right to access data;
- the right to request the correction of incomplete or inaccurate personal data;
- the right to obtain the erasure of their data;
- the right to limit processing;
- the right to data portability.
Let’s take an example:
In the past, a company created a web application that collects user data, in particular photos of places of art which, when properly connected, form a shared cultural journey. Since the intellectual property of a photo always belongs to whoever took it, the user may request the deletion of their photo from the platform. Beyond the problem of losing information to offer, the company may not have organized itself to extract a single item of data from a larger, interconnected whole.
This scenario is likely and completely changes the approach to new projects. If until today it was possible to build software for a specific purpose and merely observe its impact on users’ privacy, today respect for privacy is the starting point from which the application is developed.
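To make the “privacy by design” point concrete, here is an added example (not code from the original article or from any real platform) of how the cultural-journey application above could model its data so that each of the rights listed earlier maps to a single, mechanical operation. Every record carries its owner’s identifier and journeys reference photos by id rather than embedding them, so one user’s data can be exported or removed from the interconnected whole without dismantling the journeys themselves. All class names, method names and sample records are constructed for this illustration.

```python
"""Added example (not from the original article): a minimal data model for the
'shared cultural journey' scenario, designed so that access, rectification,
erasure, restriction and portability are each one operation.  Every record
knows its data subject (owner_id) and journeys hold references, not copies,
so a single user's data can be pulled out of the interconnected whole.
All names and sample records are constructed for this illustration."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field


@dataclass
class Photo:
    photo_id: str
    owner_id: str  # every personal-data record identifies its data subject
    place: str
    caption: str


@dataclass
class Journey:
    journey_id: str
    title: str
    photo_ids: list[str] = field(default_factory=list)  # references, not copies


class Platform:
    def __init__(self) -> None:
        self.photos: dict[str, Photo] = {}
        self.journeys: dict[str, Journey] = {}
        self.restricted: set[str] = set()  # users who limited processing

    # --- data collection ---------------------------------------------------
    def add_photo(self, photo: Photo) -> None:
        self.photos[photo.photo_id] = photo

    def add_to_journey(self, journey_id: str, photo_id: str) -> None:
        # right to restriction: restricted users' data is stored but not reused
        if self.photos[photo_id].owner_id in self.restricted:
            raise PermissionError("processing restricted for this user")
        self.journeys[journey_id].photo_ids.append(photo_id)

    # --- right of access and right to portability ---------------------------
    def export_user_data(self, user_id: str) -> str:
        mine = [asdict(p) for p in self.photos.values() if p.owner_id == user_id]
        return json.dumps({"user_id": user_id, "photos": mine}, indent=2)

    # --- right to rectification --------------------------------------------
    def rectify_caption(self, user_id: str, photo_id: str, caption: str) -> None:
        photo = self.photos[photo_id]
        if photo.owner_id != user_id:
            raise PermissionError("only the owner may rectify this record")
        photo.caption = caption

    # --- right to erasure --------------------------------------------------
    def erase_photo(self, user_id: str, photo_id: str) -> None:
        photo = self.photos.get(photo_id)
        if photo is None or photo.owner_id != user_id:
            raise PermissionError("only the owner may erase this record")
        del self.photos[photo_id]
        # journeys survive; only the reference to the erased photo disappears
        for j in self.journeys.values():
            j.photo_ids = [pid for pid in j.photo_ids if pid != photo_id]

    def erase_user(self, user_id: str) -> int:
        """Remove everything the user contributed; returns the number of records."""
        ids = [pid for pid, p in self.photos.items() if p.owner_id == user_id]
        for pid in ids:
            self.erase_photo(user_id, pid)
        self.restricted.discard(user_id)
        return len(ids)

    # --- right to restriction of processing --------------------------------
    def restrict_processing(self, user_id: str) -> None:
        self.restricted.add(user_id)


def demo() -> dict:
    """Build a constructed sample dataset and exercise each right once."""
    p = Platform()
    p.journeys["j1"] = Journey("j1", "Baroque Rome")
    p.add_photo(Photo("ph1", "alice", "Trevi Fountain", "evening"))
    p.add_photo(Photo("ph2", "bob", "Piazza Navona", "morning"))
    p.add_photo(Photo("ph3", "alice", "Pantheon", "noon"))
    for pid in ("ph1", "ph2", "ph3"):
        p.add_to_journey("j1", pid)
    exported = json.loads(p.export_user_data("alice"))  # portability
    p.rectify_caption("alice", "ph1", "sunset")          # rectification
    removed = p.erase_user("alice")                      # erasure
    return {
        "exported_count": len(exported["photos"]),
        "removed": removed,
        "journey_after": list(p.journeys["j1"].photo_ids),
        "remaining_photos": sorted(p.photos),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is the ownership key on every record: with it, erasure is a filter on `owner_id` followed by reference cleanup, and a journey built from several users’ photos keeps working after one contributor leaves. Without it (for instance, photos serialized inside a journey document) the erasure request in the scenario above becomes a manual extraction job.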
From an operational point of view this means involving an expert on the subject from the software analysis phase onward, significantly changing the skills needed for development. Company organization charts are about to undergo a significant change.