Your Guide to GDPR Compliant Data Collection and Processing in 2022

figure 1: CCTV footage blurring

GDPR Requirements: What do you need to know?

The GDPR is the legal framework that requires organizations to protect the personal data of individuals in the EU. Since May 25th, 2018, organizations established in the EU and the EEA (European Economic Area), as well as organizations outside them that offer goods or services to, or monitor the behaviour of, people in the EU (Article 3), are required to implement organizational changes and security-by-default measures to protect the personal data they control or process.

  • Lawful basis and transparency: organizations must state why data is collected and processed and on which lawful basis (Article 6), be transparent about the categories of data collected, and document who has access to the data.
  • Data security: data protection by design and by default (Article 25), where data protection is considered from the first stage of product development and at every step of processing. Article 32 requires security measures appropriate to the risk and names pseudonymisation and encryption as examples of such measures. Data that has been truly anonymised, so that it can no longer be linked to an individual, falls outside the GDPR altogether (Recital 26), whereas pseudonymised data is still personal data.
  • Accountability and governance: the organization must be able to demonstrate the measures it has taken to protect the data, including a plan for deleting the data once the purpose of collection has been fulfilled. Records of processing activities (Article 30) and of the measures above are what allow the organization to demonstrate compliance to a supervisory authority or auditor.
  • Individual privacy rights: finally, one of the most important obligations: the organization must uphold the rights of individuals over their personal data. These include the right to be informed that their data is being collected and processed, the right of access, the rights to rectification and erasure, the rights to restriction of processing, data portability and objection, and the controller's obligation to communicate any rectification or erasure to the recipients with whom the data was shared (Article 19).

The GDPR also requires the appointment of a Data Protection Officer (Article 37) where:
  1. The organization is a public authority or body processing personal data, with an exemption for courts acting in their judicial capacity.
  2. The organization's core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale.
  3. The organization's core activities consist of large-scale processing of special categories of data (Article 9), such as racial or ethnic origin, political opinions, religious beliefs, health data, and sexual orientation, or of data relating to criminal convictions and offences (Article 10).

Personal information: What is it and how can you protect it?

Personal data is any information relating to an identified or identifiable natural person, one who can be identified directly or indirectly (Article 4). In practice this covers names, location data, facial images, identification numbers, online identifiers, and any factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Article 6 sets out the lawful bases on which such data may be processed at all; Article 25 requires data protection by design and by default; and Article 32 requires security appropriate to the risk. Together they mean that an organization may only use personal data for its own purposes if it has a lawful basis and adequate safeguards in place. Although the GDPR is EU law, it applies to any organization anywhere that processes the data of people in the EU, which is why it has become a de facto global baseline.

figure 2: blurring street view camera footage

Where personal data is present in a data set an organization has collected, for example faces in camera footage, there are three ways to bring it into compliance:
  • An organization can proactively obtain consent from all data subjects before collecting the data; consent is one of the lawful bases in Article 6.
  • An organization can delete any personal information it finds in its database.
  • An organization can anonymize all data that contains personal information so that no individual can be identified from it; only then does the data leave the scope of the GDPR. Merely pseudonymizing it (replacing names with tokens while a lookup table survives) does not.

Consequences: What happens if an organization is found to be non-compliant?

Infringements, including personal data breaches, can lead to fines, and GDPR fines are among the highest in any privacy regime: up to €20 million or 4% of the organization's worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements, and up to €10 million or 2% for the lower tier (Article 83). Beyond the fine, an organization found in violation risks reputational damage with customers and shareholders and the cost of remediating the violation.

source: https://dataprivacymanager.net/how-to-calculate-gdpr-fines-general-data-protection-regulation-criteria-for-fines/

NavInfo Europe’s GDPR Compliance Package

In our capacity as data processor, NavInfo Europe offers a GDPR compliance package that supports our customers with a data-privacy-by-design framework for the data they have collected. A core component is our anonymization service, which uses high-accuracy, high-speed computer vision to detect and blur personal information, such as faces, in customers' data sets while remaining resource-efficient. In addition, we provide the infrastructure for GDPR-compliant data handling: data management and pre-check, set-up of the anonymization pipeline, the anonymization run itself, and data validation and finalization.
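To make the "anonymize" option from the previous section and the anonymization and validation steps above concrete, here is an added example written for this article; it is illustrative code, not NavInfo Europe's service. It assumes detections arrive as (x, y, width, height) bounding boxes from some upstream face detector (hypothetical interface, not shown) and models the image as rows of 8-bit grayscale pixels so that it runs without any imaging library. It redacts by pixelation or solid fill rather than by a light Gaussian blur, because a light blur can be undone by deconvolution and small pixel blocks still leak enough to re-identify a face or read text: the block size must be large relative to the feature, and solid fill is the conservative choice. The `untouched_outside` check is the kind of validation a pipeline should run before finalizing a data set.

```python
"""Region redaction for image anonymization (added example, not NavInfo's code).

Detection is assumed to happen upstream: a face detector emits (x, y, w, h)
boxes (hypothetical interface). This module only redacts the boxes and
validates the result. Images are rows of 8-bit grayscale pixels so the
example runs without an imaging library.
"""
from copy import deepcopy
from typing import Iterable, List, Tuple

Image = List[List[int]]           # rows of 8-bit grayscale pixels
Box = Tuple[int, int, int, int]   # (x, y, width, height) as a detector would emit


def make_test_image(width: int = 24, height: int = 12) -> Image:
    """Constructed gradient image; inside any small region every pixel differs."""
    return [[(x * 10 + y * 3) % 256 for x in range(width)] for y in range(height)]


def clip_box(box: Box, width: int, height: int, margin: int) -> Tuple[int, int, int, int]:
    """Expand the box by `margin` pixels and clip it to the frame.

    Detector boxes are tight, so without a margin the edge of a face can
    survive redaction. Returns (x0, y0, x1, y1) with exclusive upper bounds.
    """
    x, y, w, h = box
    return (max(0, x - margin), max(0, y - margin),
            min(width, x + w + margin), min(height, y + h + margin))


def redact(img: Image, boxes: Iterable[Box], mode: str = "pixelate",
           block: int = 6, margin: int = 2) -> Image:
    """Return a copy of `img` with every box irreversibly redacted.

    mode="pixelate" replaces each block x block cell with its mean value;
    mode="fill" overwrites the region with black. Source pixels are read
    from `img`, not `out`, so overlapping boxes do not compound.
    """
    if mode not in ("pixelate", "fill"):
        raise ValueError(f"unknown mode {mode!r}")
    out = deepcopy(img)
    height, width = len(img), len(img[0])
    for box in boxes:
        x0, y0, x1, y1 = clip_box(box, width, height, margin)
        if x1 <= x0 or y1 <= y0:
            continue  # detection lies entirely outside the frame
        for by in range(y0, y1, block):
            for bx in range(x0, x1, block):
                ye, xe = min(by + block, y1), min(bx + block, x1)
                if mode == "fill":
                    value = 0
                else:
                    cell = [img[yy][xx] for yy in range(by, ye) for xx in range(bx, xe)]
                    value = sum(cell) // len(cell)
                for yy in range(by, ye):
                    for xx in range(bx, xe):
                        out[yy][xx] = value
    return out


def distinct_values(img: Image, box: Box, margin: int = 2) -> int:
    """Count distinct pixel values inside the expanded, clipped box.

    A detailed face region has many values; after pixelation it has at most
    one per block, after fill exactly one. Used as a redaction strength check.
    """
    height, width = len(img), len(img[0])
    x0, y0, x1, y1 = clip_box(box, width, height, margin)
    return len({img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)})


def untouched_outside(original: Image, redacted: Image, boxes: Iterable[Box],
                      margin: int = 2) -> bool:
    """Validation step: no pixel outside the expanded boxes may have changed."""
    height, width = len(original), len(original[0])
    spans = [clip_box(b, width, height, margin) for b in boxes]
    for yy in range(height):
        for xx in range(width):
            inside = any(x0 <= xx < x1 and y0 <= yy < y1 for x0, y0, x1, y1 in spans)
            if not inside and original[yy][xx] != redacted[yy][xx]:
                return False
    return True


if __name__ == "__main__":
    frame = make_test_image()
    face = (8, 3, 6, 4)                      # constructed detection
    blurred = redact(frame, [face])
    print("distinct values before:", distinct_values(frame, face))   # 80
    print("distinct values after: ", distinct_values(blurred, face))  # 4
    print("outside untouched:", untouched_outside(frame, blurred, [face]))
```

In a real pipeline the box list comes from the detector and the image from the customer's data set; the two checks here (region detail collapsed, nothing outside the boxes altered) are what the validation step would assert per frame before the anonymized set is finalized.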

figure 3: data management process for GDPR compliance

NavInfo Europe

Helping companies power their future with intelligent solutions in AI, Simulation, Map Data Services, and Cybersecurity.