GDPR trust services

Trust services to win the GDPR challenge

By Lorenzo Piatti, Digital Consulting – Process & Compliance at InfoCert, Tecnoinvestimenti Group

In less than a year all the EU Member States will be subject to the new General Data Protection Regulation (GDPR): as everyone in the sector knows by now, starting from May 2018 there will be new obligations on data Controllers and data Processors, especially concerning electronic data.

To fight the daily data breaches and privacy violations, on the one hand the GDPR imposes high sanctions and direct Company liabilities (with fines of up to 2% or 4% of the total worldwide annual turnover); on the other hand it requires a new specific professional figure, the Data Protection Officer (DPO), for the data Controllers/Processors listed in article 37: Public Authorities or Bodies, large private sector Companies, or Companies which treat data in a high-risk environment.

The GDPR is not an “isolated” measure: it is part of a broader modification of the European regulatory scenario with a common goal, increasing trust in electronic transactions to raise consumers’ confidence. In this landscape, the main role is played by the eIDAS Regulation on electronic identification and trust services for electronic transactions in the internal market.

As under eIDAS, also under the GDPR the Trust Services are capable of enabling trust in digital relationships. Let’s see how.

We may take as an example one of the pillars of the Regulation: informed consent.

The GDPR requires, in respect of the lawfulness of the treatment, that personal data shall be treated only after the data subject has received the correct privacy policy and, in some cases, has given consent for the treatment. Whenever the treatment is based on consent, and a fortiori when that consent must be given “explicitly”, it may be appropriate that the data Controller/Processor can guarantee the personal identity of the data Subject and has tools to legally preserve the given consent through time. This scenario may arise in those contexts, e.g. with healthcare or sensitive data, where a wrong data treatment undermines the basic human rights of citizens. In today’s digital environment, those goals may be fulfilled with e-identification tools, such as the Italian identification system SPID, or trusted solutions such as the Advanced or Qualified electronic signature, which guarantee the integrity and ownership of the electronic documents containing the given consent.

Moreover, whenever the data Subject wants to revoke his/her consent, he/she may formally ask for the interruption of the treatment using a trusted service, a certified email or another trusted delivery service: as with the communications mentioned in the following paragraph, these tools give the communication legal enforceability, with guarantees on the data sent and received. Anyway, we should keep in mind that the GDPR requires that the revocation of consent shall be as easy as its collection: it may be the data Controller who has to give the data Subject the tools to fulfil this requirement of the Regulation.

Another example of the importance of trust tools can be made by considering the communication obligations required by the GDPR. Once inside a company system, personal data may follow different flows according to the reasons for which it has been collected: it may be transferred to third parties, it may be the object of a specific treatment by the Controller or Processor, or it may, in the end, be deleted or anonymized. Whenever these operations shall be notified to a stakeholder, or when the data Controller or data Processor suffers a data breach, it may be appropriate to use delivery tools that guarantee the enforceability in court of the fact of the communication itself: certified or qualified delivery systems. Which means Trust Services.

Anyway, while other European regulations (such as PSD2 or the AML Directive) may describe which are the right means to be compliant, the GDPR only gives indications of the ends to be fulfilled by the data Controller and data Processor, setting some principles on the protection and minimization of data usage without any clarification on the right tools to reach the protection goal. The choice of the right service is up to the companies, which in some cases may lack the skills and competence to approach the privacy challenge.

The GDPR’s obligations of result, then, leave room for two other trusted tools which usually enable the digitalization of processes: time stamping and legal preservation. These tools allow preserving through time the fact and the enforceability of the consent, when necessary, and the rightfulness of the personal data treatment, giving the data Controller and data Processor the right means to face an external audit.

Also, from a high-level point of view, the GDPR rules that everything related to data treatment should be designed and planned following some confidence tracks: even the process architecture shall respect, according to article 25 of the Regulation, the principles of privacy by design and by default.

Companies which manage personal data, a fortiori in an electronic environment, shall choose a technological partner which can provide not only the most up-to-date technologies, but also the legal, process and compliance consultancy to design the right flow and management of the digital transformation: a European Qualified Trust Service Provider, up to date with regulatory requirements and able to certify tools and processes.

It is clear how challenging the GDPR scenario is.

However, it may reveal a lot of opportunities for those who can adopt digital trust not only to be compliant with the Regulation, but also to increase their own competitiveness.
