GDPR: Controller Responsibility (24) – Data Protection (25) – Joint Controllers (26)

Privacy by Design (PbD) should be implemented into every system design process

Assigning responsibility and baking privacy controls into the system design process may be one of the more difficult things for organizations to implement, especially those that aren’t well-versed in their own data posture. It is incredibly important for companies that store, interact with, and use personal consumer data to name a data controller; in other words, to name someone responsible for that data. This person is responsible for implementing the processing standards outlined in Article 5: data minimization, data subject consent, a specific purpose for collection, data accuracy, confidentiality, and controller accountability. Each of these areas, as well as the overall stewardship of data throughout the data lifecycle, is the responsibility of the controller at the organization.

Article 24: Responsibility of the Controller

  1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated when necessary.
  2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
  3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Article 25: Data Protection by Design and by Default

  1. Taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  2. The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
  3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 26: Joint Controllers

  1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by the Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
  2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
  3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

How does this apply to me and you?

For the most part, these articles apply only if you are the organization’s data controller. Since you and I most likely aren’t controllers, let’s talk about how they might still apply to us.

If you know an organization has collected your data, with or without your consent, its privacy policy, or an adjacent policy, should state who the controller is and how to request that your data be sent to you and, if you’d like, erased. As we’ve seen in previous articles, the controller must handle your request within a reasonable amount of time and will need evidence that you are who you say you are, which they will ask for after your request is received. As stated in the articles above, the controller is the individual or individuals you should contact to correct or erase any data that belongs to you. Organizations that do not do this are in direct violation of the articles above, as well as several others throughout the Regulation.

If you are the controller or one of the controllers, these articles earnestly apply! Your job is to implement technical and organizational safeguards, such as access and security controls, to protect personal data from prying eyes. These include holding data privacy discussions during the planning phase (phase 1) of the software development lifecycle (SDLC). This first phase is where all the hypothetical situations and their outcomes are brought to the table and discussed in great detail. It should cover instances in which, for example, an employee who shouldn’t be able to access John Smith’s personal address is able to query a non-production database and see that information. This would be avoided by implementing pseudonymization and access controls to limit the exposure of information to internal and external parties. Article 25 above specifies a few more safeguards controllers must implement. Doing this is mandatory for whoever the organization designates as its steward of all collected personal information.
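To make the non-production scenario above concrete, here is an added example (it is not code from the original post or from DPP) showing the two safeguards the paragraph names: a record is pseudonymized and minimized before it is copied into a non-production database, and a role-based check decides which fields a role may read in which environment. The record, the key, and the two roles (`support`, `analyst`) are all constructed for the example; in practice the HMAC key would come from a secrets manager and would never be stored next to the pseudonymized data.

```python
"""Pseudonymization and access control for a non-production copy of customer data.

Added example, not part of the original article. Assumptions: one customer
record as a dict, an HMAC key held in secrets management, and two
hypothetical roles ('support' in production, 'analyst' in non-production).
"""
import hashlib
import hmac
from copy import deepcopy

# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "John Smith",
    "email": "john.smith@example.com",
    "address": "12 Example Street, Springfield",
    "order_total": 42.50,
}

# Fields that identify a person directly. Each is replaced by a keyed hash so
# rows can still be joined across tables without revealing who the person is.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")

# Fields that analytics and testing never need. Article 25(2) says to process
# only what is necessary for the specific purpose, so these are dropped, not masked.
UNNEEDED_IN_NONPROD = ("address",)

# Placeholder key (assumption). In practice it is loaded from a secrets manager;
# anyone holding the key and the pseudonymized data can re-link the two.
PSEUDONYM_KEY = b"replace-with-key-from-secrets-manager"


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed hash: the same input always yields the same token,
    but the token cannot be reversed without the key (unlike a plain SHA-256
    of a short value, which could be brute-forced from a list of names)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_for_nonprod(record: dict) -> dict:
    """Return the only form of `record` that is allowed into a non-production DB.
    The production record passed in is left untouched."""
    out = deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(str(out[field]))
    for field in UNNEEDED_IN_NONPROD:
        out.pop(field, None)
    return out


# Hypothetical role table: which environment a role works in and which fields
# it may read there. An analyst only ever sees tokens and the business figure.
ROLE_PERMISSIONS = {
    "support": {
        "env": "production",
        "fields": {"customer_id", "name", "email", "address", "order_total"},
    },
    "analyst": {
        "env": "nonprod",
        "fields": {"customer_id", "order_total"},
    },
}


def read_field(role: str, env: str, record: dict, field: str):
    """Deny by default: a field is returned only if the role is allowed to read
    it in the environment the query is running against."""
    perm = ROLE_PERMISSIONS.get(role)
    if perm is None or perm["env"] != env or field not in perm["fields"]:
        raise PermissionError(f"role {role!r} may not read {field!r} in {env!r}")
    return record[field]


if __name__ == "__main__":
    nonprod_copy = pseudonymise_for_nonprod(SAMPLE_RECORD)
    print("non-production row:", nonprod_copy)
    print("analyst reads order_total:",
          read_field("analyst", "nonprod", nonprod_copy, "order_total"))
    try:
        read_field("analyst", "nonprod", SAMPLE_RECORD, "address")
    except PermissionError as exc:
        print("denied as expected:", exc)
```

Two design points worth noting: the address is removed rather than hashed because a non-production purpose has no use for it even in token form, and the access check is separate from the data transformation, so that even if an un-pseudonymized row ever reached the non-production database, the analyst role would still be refused the sensitive fields.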

The last thing for controllers to know is that certifications such as PCI DSS can be used to demonstrate compliance with respect to the protection of payment card information and the metadata associated with those transactions.

Lastly, all protection measures must be reviewed and updated as needed. Most organizations implement an annual or bi-annual review process for such controls.


THE DETTON RANCH AND DATA

Let’s say your uncle Joe Detton owns a large plot of land in a rural part of the world. Joe lives on this land with his three kids Corey, James, and Rachel. Corey’s wife, Madeline, and son, Titus, also live on the land with him. In addition to Joe’s family, several indentured servants also live on this land and help Joe maintain it. Because Joe’s ranch is operated as a business that raises and sells chickens and eggs, as well as pigs, Joe has to keep all the data of each worker, as well as his family on file for tax purposes. In addition to this, he also processes payment card information from his vendors and customers. With so much information to maintain, Joe would need to name someone as his controller in order to steward over the data in a fair and lawful manner and implement safeguards to protect the data from cybercriminals who want to steal it.

Joe decided to name his son James as his controller, meaning James now has the responsibility to handle data requests from customers, implement appropriate safeguards over the data, and achieve certifications of compliance where necessary.

As it turns out, Joe keeps only physical copies of all data. To make sure this is protected, James purchased a fireproof safe to store all records and fitted it with a combination lock whose code only he and Corey know. Although the data isn’t obfuscated, it is stored in a secure, fireproof location that requires a combination to open. Further, the safe is kept in Joe’s office, to which only he has the key. If a data request were to arrive in James’s inbox, he would need Joe to unlock the door before he could use the combination to open the safe. This prevents James or Corey from accessing the safe without proper authorization. When Joe is on vacation, Rachel holds a key to his office and has the authority to grant access in his absence. This provides accountability and segregation of duties over the protection of personal information.

As for the payment card information, James contracted an outside firm to conduct a PCI DSS assessment to achieve compliance with the Regulation.


See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.