In less than a year all the UE Member States will be subject to the new General Data Protection Regulation (GDPR): as everyone in the sector is familiar with by now. As of May 2018 there will be a new obligation on data Controller and data Processors, especially for what concerns electronic data.
To fight the daily data breaches and privacy violations there are two ways to go. On the one hand the GDPR imposes high sanctions and straight Companies liabilities (with fines up to 2% or 4% of the total worldwide annual turnover). On the other hand it requires a new specific professional figure – the Data Protection Officer (DPO) – for the data Controller/Processor as per article 37: Public Authorities or Bodies, high dimensioned private sector Companies or Companies which handle data in a high-risk environment.
The GDPR regulation is not an “isolated” measure as it is a part of a thread around the modification of the European regulatory scenario with a common goal: to increase the electronic transaction trust to raise consumers confidence. In this landscape, the main role is played by the eIDAS Regulation, on electronic identification and trust services for electronic transactions in the internal market.
As per eIDAS, the GDPR regulation Trust Services are also capable of enabling the trust in the digital relationships. Let’s see how.
INFORMED CONSENT AND COMMUNICATION OBBLIGATION
Whenever its use is based on the consent, and a fortiori if it may be given “explicit”, it may be appropriate that the data Controller/Processor can guarantee the personal identity of the data Subject and that they have tools to legally preserve it through time given the consent. This scenario may happen in those contexts – i.e. with healthcare or sensitive data – where a wrong data treatment undermines the basic human right of the citizens. In today’s digital environment, those goals may be fulfilled with e-identification tools – as the Italian identification system SPID – or trusted solution as the Advanced or Qualified electronic signature, which permits the integrity and the ownership of the electronic documents containing the given consent.
Moreover, whenever the data Subject may want to revoke his/her consent, he/she may formally request the cancellation of the treatment using a trusted service, a certified email or another trusted delivery service: as per the communication mentioned in the following paragraph, these tools permit the legal enforceability of the communication, with a guarantee on the data sent and received. Anyway, we should keep in mind that the GDPR Regulation imposes that the revocation of the consent shall be as easy as the collection of that same consent: the data Controller may be the one to give to the data Subject the tools to fulfil this Regulation request.
Another example of the importance of trust tools, can be made considering the communication obligation required by the GDPR Regulation. Once inside a company system, the personal data may follow different flows according to the reasons which have been collected: it may be transferred to third parties, it may be object of a peculiar treatment by the Controller or Processor, it may – in the end – be cancelled or anonymized. Whenever these operations shall be notified to any stakeholder or when the data Controller or data Processor suffer a data breach, it is appropriate to use delivery tools that grant the enforceability in court of the fact of the communication itself: certified or qualified delivery systems, which means Trust Services.
THE CHOICE OF THE RIGHT DIGITAL TRUST SERVICES
However, while other European regulations (as the PSD2 or AML Directive) may describe which are the right means to be compliant, the GDPR only give indications of the ends to be fulfilled by the data Controller and data Processor, ruling some principles on the protection and minimization of the data usage, without any clarifications on the right tools to reach the protection goal. The choice of the right service is up to the companies, which in some cases may lack the right skills and competences to approach the privacy challenge.
The GDPR result obligations – then – leave some place for two other trusted tools which usually enables the digitalization of the processes: time stamping and legal preservation. These kinds of tools allow to preserve the fact and the enforceability of the consent over time -when it is necessary- and the rightfulness of the personal data treatment, giving to the data Controller and data Processor the right means to challenge an external audit.
Also, from a high-level point of view, the GDPR rules that everything related to the data treatment may be designed and projected following some confidence tracks: even the processes architecture shall respect, according to article 25 of the Regulations, principles of privacy by design and by default.
Companies which manage personal data – a fortiori in an electronical environment – shall choose a technological partner which can issue not only the most updated technologies, but also the legal process and compliance consultancy to design the right flow and management of the digital transformation. A European Qualified Trust Service Provider, updated with the regulatory requests and able to certify tools and processes.
It is clear how much the GDPR scenario is challenging. However, it may reveal a lot of opportunities for those who choose the digital trust not only to be compliant with regulations but also to increase its own competition.