
Expert Advice Community

GDPR Implementation Questions

Guest user Created:   Oct 15, 2020 Last commented:   Oct 19, 2020

I am *** Chief Technical Architect from *** and I have a couple of questions about GDPR implementation in customers' applications.

1. In order to be compliant with GDPR the user has some rights that should be available by the different systems such as the right to delete the personal data, the right to rectify, the right to get a copy of his personal data, and so on.

Are there any issues if these rights are implemented using defined processes with our customers and using database scripts to implement the required rights, instead of modifying each and every application to implement these rights?

These database scripts will be included in the application deliverables.

2. The right to be informed will be included in the cookies bar or a separate checkbox in the registration process or the consent signed by the employees using these applications, is that accepted?

3. Would you please confirm that securing the data at rest can be achieved by applying security measures on the database access either physically (access to the physical server) or logically (access to the database tables) if it is on-premise?

This also applies to databases hosted in the cloud by the cloud providers, and in this case we need a confirmation from the cloud provider that the servers are secured as required and that the required security measures are in place.

4. Securing the data in transit can be implemented by securing the communication channel (i.e. using the HTTPS protocol, or SFTP if the personal data is included in files) and securing any media used to back up or transfer the data.

5. Encryption of personal data in the databases is something that is recommended but is not mandated by GDPR for securing user personal data at rest; please confirm.

Expert
Alessandra Nisticò Oct 19, 2020

"I am *** Chief Technical Architect from *** and I have a couple of questions about GDPR implementation in customers' applications.

In order to be compliant with GDPR the user has some rights that should be available by the different systems such as the right to delete the personal data, the right to rectify, the right to get a copy of his personal data, and so on. Are there any issues if these rights are implemented using defined processes with our customers and using database scripts to implement the required rights, instead of modifying each and every application to implement these rights? These database scripts will be included in the application deliverables.

No, the GDPR does not prescribe any mandatory method. It leaves it up to the data controller to determine the methods to ensure data subjects' rights are assured. Of course, these methods must be compliant with GDPR requirements in terms of security and risk to freedoms and rights.

The right to be informed will be included in the cookies bar or a separate checkbox in the registration process or the consent signed by the employees using these applications, is that accepted?

Article 7 GDPR requires that when consent is collected in written form it should appear “in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” Therefore, a separate checkbox is preferable. Consent can also be collected by a checkbox.

Would you please confirm that securing the data at rest can be achieved by applying security measures on the database access either physically (access to the physical server) or logically (access to the database tables) if it is on-premise?

This also applies to databases hosted in the cloud by the cloud providers, and in this case we need a confirmation from the cloud provider that the servers are secured as required and that the required security measures are in place.

Yes, Article 32 GDPR requires the adoption of organizational and technical security measures taking into account the state of the art, costs, purposes of the processing, and risks. If data are stored in the cloud, you need to evaluate the compliance of your cloud provider, which will be considered a data processor.

Securing the data in transit can be implemented by securing the communication channel (i.e. using the HTTPS protocol, or SFTP if the personal data is included in files) and securing any media used to back up or transfer the data.

Yes, as said, the GDPR leaves the choice of security measures to adopt up to the data controller.

Encryption of personal data in the databases is something that is recommended but is not mandated by GDPR for securing user personal data at rest; please confirm."

Yes, encryption is a recommended security measure. It is not mandatory because you need to balance risks, costs, state of the art, and kind of data processed, as indicated in Article 32 GDPR.

Here you can find more information:

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

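The database-script approach from question 1, as an added example that is not part of the original post or the expert's answer: a constructed SQLite schema (table and column names are assumptions) with one routine per data subject right, using bound parameters, an allow-list for rectifiable columns, a single transaction for erasure, and an audit trail that records the action without retaining personal data.

```python
import sqlite3

# Constructed schema for illustration; real deployments will differ.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, name TEXT);
CREATE TABLE orders(id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id), total REAL);
CREATE TABLE dsar_audit(id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER,
                        action TEXT, at TEXT DEFAULT CURRENT_TIMESTAMP);
"""

def open_db():
    """Constructed in-memory database holding two data subjects."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(1, "ana@example.org", "Ana"), (2, "bo@example.org", "Bo")])
    conn.executemany("INSERT INTO orders VALUES (?,?,?)",
                     [(10, 1, 9.5), (11, 1, 20.0), (12, 2, 3.0)])
    return conn

def export_subject(conn, user_id):
    """Right of access / copy: every row held for the subject, as a plain dict."""
    user = conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchone()
    if user is None:
        raise KeyError(f"no data subject {user_id}")
    orders = conn.execute("SELECT * FROM orders WHERE user_id=?", (user_id,)).fetchall()
    conn.execute("INSERT INTO dsar_audit(user_id, action) VALUES (?, 'export')", (user_id,))
    conn.commit()
    return {"user": dict(user), "orders": [dict(o) for o in orders]}

def rectify_subject(conn, user_id, column, value):
    """Right to rectification: column names come from an allow-list, values are bound."""
    if column not in ("email", "name"):   # never interpolate caller-supplied identifiers
        raise ValueError("column not rectifiable")
    cur = conn.execute(f"UPDATE users SET {column}=? WHERE id=?", (value, user_id))
    conn.execute("INSERT INTO dsar_audit(user_id, action) VALUES (?, ?)", (user_id, f"rectify:{column}"))
    conn.commit()
    return cur.rowcount == 1

def erase_subject(conn, user_id):
    """Right to erasure: all tables in one transaction; returns rows removed (0 if unknown id)."""
    with conn:   # commits on success, rolls back if any statement fails
        n = conn.execute("DELETE FROM orders WHERE user_id=?", (user_id,)).rowcount
        n += conn.execute("DELETE FROM users WHERE id=?", (user_id,)).rowcount
        conn.execute("INSERT INTO dsar_audit(user_id, action) VALUES (?, 'erase')", (user_id,))
    return n
```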
