02/05/2023

Data Protection: ensuring compliance in production data environments

The General Data Protection Regulation was created with the aim of granting citizens greater control over their personal data. However, knowing how to comply with the Data Protection Law and taking the necessary steps can be a hassle for companies.

This is especially true in contexts where data management and processing are particularly complex, such as the software development sector.

Here we cover what you need to know about complying with the Data Protection Law in the context of software development.

How does the Data Protection Law affect databases?

The Data Protection Law (the General Data Protection Regulation, GDPR) became applicable on May 25, 2018, establishing a unified legal framework for the protection of personal data across the European Union.

From the citizen's point of view, the goal was to give them stronger protection of their personal data.

Since then, any company that processes the personal data of people in the European Union has been obliged to meet the requirements set out in the regulation.

Right of deletion

Data Protection puts a key concept at the center: the right of deletion (Article 17 GDPR, the "right to erasure"). It is usually defined as the right to "eliminate, hide and cancel information or past events in people's lives".

In practice, the right of deletion allows citizens to require a company to remove the record holding their personal data, or to make it leave no trace on the web (in the latter case, when applied to search engines such as Google, we speak of the "right to be forgotten").

The Data Protection Law also lists the specific circumstances in which this right applies (Article 17(1)). These are:

  1. the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  2. the individual withdraws the consent on which the processing is based in accordance with Article 6, paragraph 1, letter a) or Article 9, paragraph 2, letter a), and there is no other legal basis for the processing;
  3. the individual objects to the processing pursuant to Article 21, paragraph 1, and no overriding legitimate grounds for the processing exist, or the individual objects to the processing pursuant to Article 21, paragraph 2;
  4. the personal data has been unlawfully processed;
  5. the personal data must be deleted to comply with a legal obligation under Union or Member State law that applies to the data controller;
  6. the personal data was collected in relation to the offer of information society services referred to in Article 8, paragraph 1.

Data life cycle

We speak of a data life cycle because, under the Data Protection Law, companies may keep personal data only for a limited time: as long as the purpose it was collected for still requires it (the storage limitation principle), and in any case no longer once one of the grounds listed in the previous section applies.

In this way, once the commercial relationship has ended, or any other relationship for which the person gave consent ends, access to the data must be blocked: the data is kept but no longer used, for as long as a legal obligation to retain it may still apply. After the blocking period, the data must be completely deleted. This process is known as life-cycle management of each person's (or seed's) data structure.
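The point that matters for an implementer is that "blocked" and "deleted" are two different states with different access rules, not one flag. The following is an added example written for this article (it is not icaria's code and does not describe how icaria GDPR works internally). The blocking period, the purpose names, the record layout and the sample records are all assumptions made for the example:

```python
"""Life cycle of a person's data: active -> blocked -> deleted.

Added illustration, not icaria's code. The blocking period, the purposes and
the sample records are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ACTIVE, BLOCKED, DELETED = "active", "blocked", "deleted"

# Assumed blocking period. The real one is set by the legal obligations that
# apply to the controller (tax, labour, contract law...), not by this code.
BLOCKING_PERIOD = timedelta(days=3 * 365)

# Purposes that may still read a blocked record: only meeting a legal
# obligation (e.g. answering a court or tax authority). Ordinary processing
# such as marketing, analytics or support must be refused.
PURPOSES_ALLOWED_WHILE_BLOCKED = {"legal_obligation"}

SAMPLE_TODAY = date(2023, 5, 2)  # date of this post, used as "now" in the example


@dataclass
class PersonRecord:
    person_id: str
    email: str
    relationship_end: Optional[date] = None  # None while the relationship is ongoing
    status: str = ACTIVE


def sample_records() -> List[PersonRecord]:
    """Constructed records: one active customer, one who left recently, one long gone."""
    return [
        PersonRecord("A", "a@example.com"),
        PersonRecord("B", "b@example.com", relationship_end=date(2023, 1, 31)),
        PersonRecord("C", "c@example.com", relationship_end=date(2019, 6, 1)),
    ]


def advance_lifecycle(records: List[PersonRecord], today: date) -> Dict[str, int]:
    """Apply the two transitions and return how many records took each one.

    1. Relationship ended           -> block the record (no further ordinary use).
    2. Blocking period also elapsed -> physically delete the personal fields.
    """
    counts = {"blocked": 0, "deleted": 0}
    for rec in records:
        if rec.relationship_end is None:
            continue  # still a customer, nothing to do
        if rec.status == ACTIVE and rec.relationship_end <= today:
            rec.status = BLOCKED
            counts["blocked"] += 1
        if rec.status == BLOCKED and rec.relationship_end + BLOCKING_PERIOD <= today:
            rec.email = ""  # overwrite the personal field; a flag alone is not deletion
            rec.status = DELETED
            counts["deleted"] += 1
    return counts


def can_read(rec: PersonRecord, purpose: str) -> bool:
    """Access decision for the person's data under a given processing purpose."""
    if rec.status == ACTIVE:
        return True
    if rec.status == BLOCKED:
        return purpose in PURPOSES_ALLOWED_WHILE_BLOCKED
    return False  # deleted: nothing left to read


def read_email(rec: PersonRecord, purpose: str) -> str:
    """Return the e-mail or raise; every read path must go through can_read()."""
    if not can_read(rec, purpose):
        raise PermissionError(f"{rec.person_id}: status {rec.status}, purpose {purpose!r} refused")
    return rec.email


if __name__ == "__main__":
    recs = sample_records()
    print(advance_lifecycle(recs, SAMPLE_TODAY))
    for r in recs:
        print(r.person_id, r.status, can_read(r, "marketing"), can_read(r, "legal_obligation"))
```

Running the transitions a second time on the same day changes nothing, so the job can be scheduled daily without side effects. In a real database the blocked state is typically enforced with a view or row-level permission rather than an application check, but the rule is the same: blocked data is readable only for the legal obligation that justifies keeping it, and deleted data is overwritten, not merely hidden.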

Sanctions

The Data Protection regulations establish sanctions to guarantee compliance with the law: fines can reach 4% of annual worldwide turnover or 20 million euros, whichever is higher.

Some fines already imposed on companies that failed to comply with the regulation include:

  • A European Commission report one year after the regulation became applicable recorded significant figures: Google was fined 50 million euros for lacking valid consent for its ads, and a social network operator paid a fine of €20,000.
  • DLA Piper's 2022 figures put the GDPR fines imposed in a single year at almost 1.1 billion euros.

How to comply with the Data Protection Law?

For companies, complying with the Data Protection Law means using appropriate software to process the large volume of personal data they hold and to carry out all the required deletions.

With specialized GDPR compliance software, it is possible to:

  • Select the personal data to delete
  • Block personal data
  • Apply the necessary actions, from verification to restoration (in case of errors), anonymization or physical deletion of the data.

In addition, suitable software should allow these actions to be carried out manually or automatically, and to be launched either from the graphical interface or through specific requests.

Anonymization

Anonymization processes transform sets of personal data into anonymous information, that is, information that can no longer be related to an identified or identifiable natural person.

This produces a new data set in which the natural persons it came from can no longer be identified; the process is irreversible.

Pseudonymization, on the other hand, produces two data sets: the pseudonymized information, and the additional information (such as a key or lookup table) that allows the pseudonyms to be reversed. Because re-identification remains possible, pseudonymized data is still personal data under the GDPR: the additional information must be kept separately and protected by technical and organizational measures, and the data set cannot be treated as anonymous.
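To make the distinction concrete, here is an added example written for this article; it is not icaria's code and does not describe how icaria TDM performs dissociation. It pseudonymizes a small customer table with keyed tokens (producing the two data sets described above), reverses the pseudonymization with the lookup table, and then anonymizes the same table by dropping identifiers and generalising the remaining fields. It also adds a k-anonymity check, which the text does not mention, to show why removing names and e-mails alone does not yield anonymous data. The customer rows, the HMAC key, the generalisation rules and the function names are all constructed for the example:

```python
"""Pseudonymization versus anonymization of a small customer table.

Added illustration, not icaria's code. The customer rows, the HMAC key and the
generalisation rules are constructed for this example.
"""
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

Row = Dict[str, str]

# Constructed sample data: fictitious customers, no real persons.
CUSTOMERS: List[Row] = [
    {"customer_id": "C-1001", "email": "ana.garcia@example.com", "postcode": "28013", "birth_year": "1984", "plan": "premium"},
    {"customer_id": "C-1002", "email": "luis.perez@example.com", "postcode": "28015", "birth_year": "1979", "plan": "basic"},
    {"customer_id": "C-1003", "email": "marta.ruiz@example.com", "postcode": "08001", "birth_year": "1991", "plan": "premium"},
    {"customer_id": "C-1004", "email": "jordi.soler@example.com", "postcode": "08002", "birth_year": "1995", "plan": "basic"},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")   # point at one person on their own
QUASI_IDENTIFIERS = ("postcode", "birth_year")  # identify a person only in combination
SAMPLE_KEY = b"example-only-key-keep-real-keys-in-a-vault"  # assumed; a real key lives in a secret store


def pseudonymize(rows: List[Row], key: bytes) -> Tuple[List[Row], Dict[str, str]]:
    """Replace direct identifiers with keyed tokens.

    Returns two data sets: the pseudonymized rows and a token -> original value
    lookup table. The token is HMAC-SHA256(key, "field:value"), so the same
    value always yields the same token (joins between tables keep working) but
    nobody holding only the rows can invert it. The lookup table is the
    "additional information" that has to be stored separately from the rows.
    """
    pseudo, lookup = [], {}
    for row in rows:
        new = dict(row)
        for field in DIRECT_IDENTIFIERS:
            token = hmac.new(key, f"{field}:{row[field]}".encode(), hashlib.sha256).hexdigest()[:32]
            new[field] = token
            lookup[token] = row[field]
        pseudo.append(new)
    return pseudo, lookup


def reidentify(rows: List[Row], lookup: Dict[str, str]) -> List[Row]:
    """Undo pseudonymization: only possible for whoever holds the lookup table."""
    return [{k: (lookup[v] if k in DIRECT_IDENTIFIERS else v) for k, v in r.items()} for r in rows]


def anonymize(rows: List[Row], coarse: bool = False) -> List[Row]:
    """Drop direct identifiers and generalise quasi-identifiers; there is no way back.

    coarse=False keeps the province (first two postcode digits) and the birth
    decade; coarse=True keeps only the province.
    """
    out = []
    for r in rows:
        a = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        a["postcode"] = r["postcode"][:2] + "***"
        a["birth_year"] = "*" if coarse else r["birth_year"][:3] + "0s"
        out.append(a)
    return out


def k_anonymity(rows: List[Row]) -> int:
    """Size of the smallest group of rows sharing the same quasi-identifier values.

    k == 1 means at least one row is unique on its quasi-identifiers and could be
    singled out by linking with another data set, so the result is not yet
    anonymous even though names and e-mails are gone.
    """
    if not rows:
        return 0
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    return min(groups.values())


if __name__ == "__main__":
    pseudo, lookup = pseudonymize(CUSTOMERS, SAMPLE_KEY)
    print("pseudonymized:", pseudo[0])
    print("re-identified matches original:", reidentify(pseudo, lookup)[0] == CUSTOMERS[0])
    print("k (province + decade):", k_anonymity(anonymize(CUSTOMERS)))
    print("k (province only):    ", k_anonymity(anonymize(CUSTOMERS, coarse=True)))
```

Two things to notice when running it. With the lookup table (or the key, which can regenerate it) the pseudonymized rows map back to the originals exactly, which is why they remain personal data and why the table and key belong in a different system from the test environment that receives the rows. The anonymized output has no way back, but the first generalisation level still leaves every row unique on postcode and birth decade (k = 1); only the coarser level reaches k = 2 on this sample, and a real data set would need a larger k and a review of which columns count as quasi-identifiers.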

Difference between icaria TDM and icaria GDPR

At icaria Technology we work to help companies manage their data efficiently, safely, and in accordance with the law.

In this sense, we have generated two software solutions:

  • icaria TDM is oriented to GDPR compliance in pre-production environments, such as test environments. With this tool, massive dissociation and data segmentation processes can be carried out, generating complete, coherent and correct data sets for use in tests.
  • icaria GDPR makes it easier for companies to comply with the right of deletion. The tool manages blocking periods and deletions, coordinates the life cycle of each seed, and drives actions such as extraction, storage, dissociation, restoration and deletion of data in the corresponding environment, among other operations, automatically and on a planned schedule.

In this way, icaria sides with companies, making it easier for them to comply with the law, building trust with customers and suppliers, and avoiding potential sanctions. Want to know more about Data Protection and how to comply with the law in a test data environment? Request a demo without obligation and see firsthand how our software facilitates these processes.
