Data Protection
This short self-check is meant to help you verify your privacy requirements and give you quick suggestions with reference to the General Data Protection Regulation.
Do you collect any personal data?
Personal data indicates any data which alone or in connection with other data can be used to identify an individual.
Do you collect anonymous data?
Anonymous data indicates any data which cannot lead to the identification of a person.
Do you store data centrally on servers?
Data might be stored on local devices or central servers or cloud and be subject to legal requirements for record retention.
What kind of personal data are you collecting?
- Personal data (including, but not limited to)
- Name
- Identification number (e.g. SSN)
- Location data (e.g. home address)
- Online identifier (e.g. e-mail address, screen names, IP address, device IDs)
- Sensitive data (including, but not limited to)
- Race and ethnicity
- Health, sex life, and sexual orientation
- Political, religious, or philosophical beliefs, including union membership
- Genetic and biometric data (e.g. biological samples from individuals, fingerprints, facial recognition)
Suggestions
No data protection requirements
Since you don’t collect any form of personal data, data protection laws do not apply to your business.
Anonymous data
It may be quite difficult to ensure data anonymity and data leaks could still lead to the identification of persons.
We suggest to protect anonymous data.
The processes to ensure that such data cannot be linked to other sources and used to identify persons is challenging.
Moreover, they must be regularly evaluated because technology and available datasets are permanently evolving.
Storing data locally
Storing data on local devices simplifies your privacy requirements but is not a good security practice.
It may, for example, be difficult to erase data from lost or stolen devices and you must still ensure that data are encrypted.
Saving data on a server would increase your privacy-related requirements, but it will increase also data security.
Personal data
Organizations that handle personal data shall be responsible for, and be able to demonstrate compliance with the following principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Sensitive data
The special category of personal data called sensitive data imposes special security requirements.
The GDPR specifies that this data shall be prohibited with few exemptions.
Pseudonymous data
Data is pseudo-anonymized when stored without personally identifiable information.
Although pseudonymous data do not reveal the identity of persons, it could be combined with other external information to reveal people identity.
Pseudonymisation is considered a good security practice, yet it’s very challenging to implement it properly, and data is still considered personal and to be protected accordingly.
Symnia can help you review your data security to ensure compliant confidential data management.
Symnia can help you run an impact analysis and define the next steps for your GDPR compliance.