GDPR: Data subjects’ rights and organizations’ duties

There’s more to GDPR than 37201 emails in your inbox. Here’s what you need to know if you are working at a tech-based company.

João Monteiro
Deemaze Writing Wall
7 min read, May 23, 2018


Hello everyone! 👋 It’s been a long time since my last post on this writing wall! Now that my fellas gave me some airtime, I decided to talk about the GDPR.

By now, if you are working at a tech-based company, you’ve probably already heard a lot about this matter and how it’s going to rule the world after the next 25th of May. Ok, I’m being a bit over-dramatic, but the truth is that all tech companies are concerned about this new European regulation and are trying to comply with it. On the other hand, there is a lot of information scattered across the web, and it has been hard to find a succinct article with all the principles I need to know. For that reason, I decided to do some research and summarise what I felt to be really important and worth your attention.

GDPR lady asking you for the paperwork

Firstly, I’d like to introduce the GDPR: what it is and why it is so important, leading everyone to talk about it. After that, I want to present the data subjects’ rights and finally the companies’ duties under GDPR policies.

What is the GDPR?

The GDPR is a European Regulation adopted in April 2016 that applies from May 25th, 2018. Its main focus is to guarantee the protection and privacy of the personal data of people in the EU (residents, not only citizens). 🇪🇺

Essentially, every software application with a user base in the EU needs to comply with it, wherever the company itself is based. Now I’ve got you thinking about your products and your client base, and as you can imagine the changes they will require are not a simple job a handyman can handle. 😨

GDPR can be summed up in 5 core principles (in the regulation’s own terms: data minimisation, storage limitation, accuracy, integrity and confidentiality, and accountability)

  1. Only save the personal data your application actually needs, and only for the purpose you told the user about;
  2. Keep the user’s personal data for the shortest time possible. Set an expiration date (a retention period) if you don’t need it forever;
  3. Keep the user’s data accurate and up to date for as long as you hold it. If you can’t update a piece of information, you should remove the outdated information from your system;
  4. Keep the user’s data securely stored, preventing loss, leaks and unauthorised changes;
  5. Appoint a person responsible for the data processing, who must be able to demonstrate compliance and act in good faith and with transparency towards the company and the data protection authority.

The rights GDPR defends for the data subjects

Yes, the GDPR aims to transfer the power to control personal information away from the companies and give it back to you, the people.

This way, hopefully, Donald Trump shouldn’t be able to know the color of your neighbour’s underwear or what ice cream you ate the most during the past year. 😅

To accomplish these objectives it’s important to provide the following rights to the data subjects:

  • Access to all the information related to the handling of their personal data, such as: Why does the company specifically need each piece of information? Who is responsible for the data processing? Are there other parties interested in the user’s information? Who are they? Do they have access to it? Where is the data stored? How long will the data be kept in the system?
  • The ability to request a copy of all their personal data, and the right to have that data transferred to another system in a structured, machine-readable format, as long as it is technically feasible. You can take Facebook as an example, as it allows you to download all your personal data;
  • The option to request corrections to their personal data;
  • Deletion of their personal data. In this particular case, the company can refuse the deletion if it would conflict with freedom of expression, if the data is necessary for legal obligations or claims, or if keeping it is in the public interest;
  • Restriction of the processing of their personal information. The data subjects can request this if they dispute the accuracy of the data or the way the company handles it but don’t want it deleted either, or if the company no longer needs the data but the user wants it kept in the system for their own legal claims;
  • Not to be subject to decisions based solely on automated processing, such as assigning a profile to the user that changes the information they have access to or their experience while using the software, when such a decision has legal or similarly significant effects on them;
  • To be informed when a data breach occurs that is likely to put them at high risk. The information should be passed on clearly and in the simplest way possible to the data subject.

The duties GDPR imposes on the organizations

Now that we have seen how the residents of the EU will benefit from the GDPR, we need to look at the other side of the coin: all the new rules that apply to the companies.

  • An organisation should only engage subcontractors (processors) that give sufficient guarantees of GDPR compliance, and the relationship must be governed by a written contract;
  • If your company has more than 250 employees you are obliged to create and maintain records of all your processing of users’ data. If your company has a smaller team, you may still be required to keep internal records if the processing is likely to result in a risk to individuals’ rights or freedoms, is not occasional, or involves sensitive categories of data or criminal convictions and offences;
  • The company’s internal records should include the name and contact details of the person responsible for the data processing, the purposes of the processing, a description of the categories of data and of data subjects, and details about the recipients who will have access to it;
  • During data processing, you must apply appropriate technical and organisational security measures, such as pseudonymisation and encryption of the data, and ensure its confidentiality, integrity and availability (and your ability to restore it after an incident). Keep in mind that pseudonymised data is still personal data as long as someone can link it back to the person, so it does not take you out of the GDPR’s scope;
  • If your data processing may represent a high risk to the rights and freedoms of your system’s users, you must perform a Data Protection Impact Assessment (DPIA) before starting (e.g. user profiling with automated decisions, large-scale processing of sensitive data, or access control to facilities based on biometrics or systematic monitoring);
  • If the DPIA concludes that the processing would still carry a high risk after the mitigating measures you plan to take, the person responsible for it must consult the data protection authority before going ahead;
  • Your company should have a data protection officer (DPO), ideally someone in the legal field with a background in data protection. A DPO is mandatory for public bodies and for organisations whose core activities involve large-scale, systematic monitoring of people or large-scale processing of sensitive data; for everyone else it is strongly recommended. The DPO can be someone from your company or a subcontractor.
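
Pseudonymisation, mentioned above among the security measures, is easy to get wrong in practice: running an email address through plain SHA-256 looks opaque but is not useful pseudonymisation, because the input space is guessable and anyone can recompute the function. The Python below is an added example written for this briefing, not code from the original post or from Deemaze; the records and the attacker’s candidate list are constructed, and the column names (`email`, `purchase`, `subject`) are assumptions. It tokenises the identifier with a keyed HMAC instead, then runs the same dictionary attack against both schemes.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only (not real people).
RECORDS = [
    {"email": "Ana@example.com", "purchase": "ice cream"},
    {"email": "ana@example.com", "purchase": "coffee"},
    {"email": "rui@example.com", "purchase": "tea"},
]

# Constructed guess list: addresses an attacker suspects are in the dataset.
CANDIDATES = ["ana@example.com", "rui@example.com", "zed@example.com"]


def normalise(email: str) -> bytes:
    """Canonicalise the identifier so 'Ana@' and 'ana@' map to one subject."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier (the weak scheme).

    Anyone who knows the scheme can hash candidate addresses and compare,
    so the mapping is trivially rebuilt.
    """
    return hashlib.sha256(normalise(email)).hexdigest()[:16]


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held apart from the dataset.

    Same identifier -> same token, so records for one subject still join,
    but a guess cannot be confirmed without the key.
    """
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, token_fn):
    """Replace the direct identifier with a token; keep the payload fields."""
    return [{"subject": token_fn(r["email"]), "purchase": r["purchase"]}
            for r in records]


def dictionary_attack(tokens, candidates, token_fn):
    """Re-identify tokens by tokenising every candidate and matching."""
    return {token_fn(c): c for c in candidates if token_fn(c) in tokens}


def demo():
    """Pseudonymise the sample records both ways and attack both results."""
    key = secrets.token_bytes(32)  # controller's secret, stored apart from the data

    naive = pseudonymise(RECORDS, naive_pseudonym)
    keyed = pseudonymise(RECORDS, lambda e: keyed_pseudonym(e, key))

    # The attacker knows the scheme but not the key. Against the naive scheme
    # they recompute the very same function; against the keyed scheme the best
    # they can do is guess a key of their own, which never matches.
    attacker_key = secrets.token_bytes(32)
    naive_hits = dictionary_attack({r["subject"] for r in naive},
                                   CANDIDATES, naive_pseudonym)
    keyed_hits = dictionary_attack({r["subject"] for r in keyed}, CANDIDATES,
                                   lambda e: keyed_pseudonym(e, attacker_key))

    return {
        # Ana's two purchases still join under one token (2 subjects, not 3).
        "distinct_subjects": len({r["subject"] for r in keyed}),
        "naive_reidentified": sorted(naive_hits.values()),
        "keyed_reidentified": sorted(keyed_hits.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from this. First, the keyed dataset is still personal data in GDPR terms as long as your company holds the key, so it should live in a separate system (a KMS or HSM, or at least a different database and access policy) from the tokens; destroying the key is one way to turn the records into data that can no longer be linked to anyone. Second, a per-record salt stored next to the hash does not help against this attack, since the attacker reads the salt along with the token; only a secret the attacker does not have makes the difference.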

Data breaches

Even if you follow all the procedures listed above, you should always keep in mind that Murphy is out there and might knock on your door to enforce his law. On that day you may be dealing with a data breach, so let’s focus on the important things you should keep in mind.

The company owner (on the left) talking with the data processing responsible.

There are three types of data breach: confidentiality, availability, and integrity. A breach is a confidentiality violation if there was unauthorised access to private user data or if that data was accidentally disclosed or published. When users lose access to their data, whether temporarily or permanently (a ransomware infection or a lost, unrecoverable database are the typical cases), you are facing an availability breach. Integrity is compromised when the data is altered by an unauthorised operation, including changes made by accident or through software errors. A single incident can fall into more than one category.

The data breach must be reported to the data protection authority and, in some circumstances, to the data subjects. It all depends on the risk to the people affected: the authority must be notified within 72 hours of your becoming aware of the breach, unless the breach is unlikely to result in a risk to them, and the data subjects themselves must be told without undue delay when the breach is likely to result in a high risk to them. Whatever you decide, document the breach, its effects and the measures you took, because the authority can ask to see that record.

Ok… I don’t want to turn this post into a law lecture. After all, this article was intended to be just a GDPR briefing for those who want the short story. However, if you would like to know more about it, you can find your new bedtime story here. 🛏 📖

And yes, I know all these new rules seem pretty simple when we talk about them generically, but when you try to apply them to your projects a lot of new questions will arise. So, before I leave, I want you to know that if you have a specific question about your product, we are happy to discuss it with you, but keep in mind that you should always talk to your legal advisor about the concerns you have.

See you around! 🖖

Deemaze Software is a digital agency developing products for web and mobile. Follow our work on Twitter, Facebook and Instagram.
