GDPR has gone cold after being a hot topic for a while. This is because GDPR was seen as aimed at large conglomerates and large Internet service providers such as Facebook and Google, and enterprises other than these saw no need to pay attention to it.
As a result, these enterprises were not proactive. That attitude is a gambler's mentality: the penalties are very strict, and no one knows which enterprise they will land on, so an entrepreneur has to weigh this problem at his or her own discretion. In all fairness, if you read through the GDPR provisions and then think about the Personal Data Protection Law of Taiwan, many of the design models are actually the same as those of Taiwan's law. However, since the Personal Data Protection Law of Taiwan has not been implemented proactively in Taiwan, an enterprise with strong business links to the EU that takes GDPR seriously will find that it has to make up for the requirements of the Personal Data Protection Law of Taiwan that it previously neglected, because GDPR is more stringent than the Taiwanese law.
So what are the similarities and differences between the two laws? Appropriate protective and technical measures are a necessary step under both. First confirm that overall information security protection covers the personal data and privacy handled in the EU; the standard configuration includes file encryption, decentralised access rights, print management, database security, personal data declarations, and so on. It is still recommended that legal staff or other relevant personnel read the GDPR provisions carefully and, where necessary, have an international accounting and audit firm provide recommendations for improvement. Enterprises with business links to the EU must note that the Personal Data Protection Law of Taiwan differs from GDPR in its penalties; this is why so many enterprises rushed to handle the matter one after another. Think of how often you receive notices asking you to confirm changed privacy terms; the best-known example is Line, whose change of privacy terms was driven by GDPR.
The right to be forgotten and the right to erasure set out in GDPR must, however, be implemented, just as under the Personal Data Protection Law of Taiwan. Under GDPR the right to be forgotten is a basic right of everyone in the EU member states, and the data to be erased includes backup data, which greatly increases the difficulty of information system design. In addition, an enterprise holds many hard copies and electronic files, which are very hard to handle. A detailed inventory of these materials is almost an unavoidable step.
Under GDPR, attention should be paid to the difference between anonymity and alias (pseudonymisation). Anonymity here means complete anonymity, and its definition must never be confused with that of an alias under GDPR. In short, anonymity means that the real identity can no longer be recovered, whether by technical means or by combining the data with related data. For information system design, given auditing considerations and the requirements of relevant regulations, it is recommended to build the data model on aliases, and to back the alias design principle with an encryption and decryption mechanism, a review-and-release procedure, and decentralised rights and controls.
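To make the alias design and the backup problem from the previous paragraphs concrete, here is an added example that is not from the original article: records carry only an alias and ciphertext, the per-subject key sits in a separate vault, re-identification goes through an approval step (review and release), and erasure destroys the key so that stale copies in backups become anonymous. The class and method names are my own, and the keystream cipher is a stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


# Toy keystream cipher so the example runs on the standard library alone;
# a real system would use an authenticated cipher such as AES-GCM.
def _xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class PseudonymVault:
    """Holds the per-subject secrets; kept apart from the records and their backups."""

    def __init__(self) -> None:
        self._keys = {}    # identifier -> per-subject key (hypothetical layout)
        self._owners = {}  # alias -> identifier

    def _alias(self, key: bytes, identifier: str) -> str:
        # Stable per subject, but unrecomputable once the subject key is gone
        return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:24]

    def seal(self, identifier: str, personal_data: str) -> dict:
        """Produce a record that carries only an alias and encrypted personal data."""
        key = self._keys.setdefault(identifier, secrets.token_bytes(32))
        alias = self._alias(key, identifier)
        self._owners[alias] = identifier
        nonce = secrets.token_bytes(12)
        return {"alias": alias, "nonce": nonce,
                "data": _xor_crypt(key, nonce, personal_data.encode())}

    def release(self, record: dict, approved: bool) -> Optional[Tuple[str, str]]:
        """Review-and-release: re-identify a record only for an approved request."""
        if not approved:
            raise PermissionError("re-identification needs an approved request")
        identifier = self._owners.get(record["alias"])
        if identifier is None:
            return None  # subject erased: this record (or backup copy) is now anonymous
        plaintext = _xor_crypt(self._keys[identifier], record["nonce"], record["data"])
        return identifier, plaintext.decode()

    def erase(self, identifier: str) -> None:
        """Right to erasure: destroying the subject key also covers every backup copy."""
        key = self._keys.pop(identifier, None)
        if key is not None:
            self._owners.pop(self._alias(key, identifier), None)
```

This only holds if the vault is kept out of the long-lived backups that contain the records, and if every erase and release is itself audit-logged.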
A company whose headcount meets the GDPR threshold should designate a DPO (data protection officer). GDPR describes the responsibilities and obligations of this role in detail, and they will not be elaborated in this paper. What needs mentioning here is that, DPO or not, it is recommended to establish automated data processing that follows a highly standardised process design model, as this effectively reduces risk.
Finally, I need to remind everyone to pay attention to the provisions and development of the E-Privacy regulation, because that specification will extend to online communication devices, software and information systems, and its impact will be greater. It is recommended that an enterprise facing the GDPR requirements seek proper consulting services; this is a relatively safe approach. Combining this with appropriate security protection and encryption technology is the technical solution. I hope every enterprise can resolve its conceptual problems with GDPR in the most appropriate way in the GDPR era.