Adopted in 2016, the General Data Protection Regulation (GDPR) sets out to better protect the personal data of European Union “data subjects”: individuals who are in the EU when their data are collected, whatever their nationality. After a two-year transition period to allow organizations to prepare, GDPR came into effect on 25 May 2018. Any business or organization that offers goods or services to data subjects in the EU, monitors their behaviour, or collects, processes or stores their personal data has to comply with GDPR regardless of where the business or organization is located.
Personal data (roughly what US law calls “personally identifiable information”) is any information relating to an identified or identifiable natural person, i.e. information that on its own, or combined with other data, can be used to single out a specific individual. It must relate to a living person rather than to a business or other organization, which are covered by other laws.
The following can be considered as GDPR personal data:
Truly anonymous data, from which no individual can be identified by any means reasonably likely to be used, falls outside GDPR altogether. Generalizing the data is one way to get there: if survey participants are reported by county instead of town, each respondent is harder to single out, because there may be ten people named “Jane Smith” in a county but only one in a particular town. Two caveats apply. Data that has merely been pseudonymized (names replaced by codes, with the mapping kept elsewhere) is still personal data, and data that keeps a direct identifier such as a full name is not anonymous however coarsely the location is reported.
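The county-versus-town point above is really a check on the size of each respondent's “crowd” (the k of k-anonymity). The Python below is an added example, not part of the original guide or of any regulator's guidance, and it runs on a constructed survey dataset. It generalizes town to county and birth year to decade, measures the smallest group before and after, and also flags groups in which everyone gave the same answer, because a large group still leaks the answer of anyone known to be in it.

```python
from collections import Counter

# Constructed sample survey responses (not real people). "town", "county" and
# "born" are quasi-identifiers: harmless alone, but together they can single
# someone out. "answer" is the sensitive attribute the survey is about.
RESPONSES = [
    {"town": "Ashford",  "county": "Kent",           "born": 1984, "answer": "yes"},
    {"town": "Dover",    "county": "Kent",           "born": 1986, "answer": "no"},
    {"town": "Margate",  "county": "Kent",           "born": 1981, "answer": "yes"},
    {"town": "Ashford",  "county": "Kent",           "born": 1985, "answer": "no"},
    {"town": "Dover",    "county": "Kent",           "born": 1988, "answer": "yes"},
    {"town": "Leeds",    "county": "West Yorkshire", "born": 1990, "answer": "yes"},
    {"town": "Leeds",    "county": "West Yorkshire", "born": 1993, "answer": "yes"},
    {"town": "Bradford", "county": "West Yorkshire", "born": 1991, "answer": "yes"},
]


def generalize(row):
    """Coarsen the quasi-identifiers: report county instead of town and
    decade of birth instead of birth year. The sensitive answer is kept."""
    return {
        "county": row["county"],
        "born": (row["born"] // 10) * 10,
        "answer": row["answer"],
    }


def anonymity_sets(rows, quasi_ids):
    """Map each combination of quasi-identifier values to the number of
    respondents sharing it (the size of that respondent's crowd)."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)


def min_k(rows, quasi_ids):
    """Smallest crowd size; k == 1 means someone is unique on these fields."""
    return min(anonymity_sets(rows, quasi_ids).values())


def homogeneous_groups(rows, quasi_ids, sensitive):
    """Groups whose members all gave the same sensitive answer. k-anonymity
    holds, yet anyone who knows a respondent is in such a group learns the
    respondent's answer (attribute disclosure)."""
    seen = {}
    for r in rows:
        seen.setdefault(tuple(r[q] for q in quasi_ids), set()).add(r[sensitive])
    return sorted(key for key, values in seen.items() if len(values) == 1)


def safe_to_release(rows, quasi_ids, sensitive, k=3):
    """Release check: every crowd has at least k members and no crowd is
    homogeneous on the sensitive attribute. k=3 is an assumed threshold."""
    return min_k(rows, quasi_ids) >= k and not homogeneous_groups(rows, quasi_ids, sensitive)


if __name__ == "__main__":
    raw_qids = ("town", "born")
    print("raw min k:", min_k(RESPONSES, raw_qids))            # 1: everyone unique
    coarse = [generalize(r) for r in RESPONSES]
    coarse_qids = ("county", "born")
    print("generalized min k:", min_k(coarse, coarse_qids))    # 3
    print("homogeneous:", homogeneous_groups(coarse, coarse_qids, "answer"))
    print("safe:", safe_to_release(coarse, coarse_qids, "answer"))  # False
```

On this data, generalizing takes the smallest crowd from 1 to 3, but the West Yorkshire 1990s group is all “yes”, so the release check still fails; widening the age band or suppressing that group would be the next step. The threshold k and the “one answer value is a leak” rule are design choices for the example, not GDPR requirements.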
Most data protection laws consider maintaining data longer than necessary a breach of privacy, so those storing data must also carefully consider how to safely dispose of it once it has served the purpose it was collected for (subject to retention regulations for compliance purposes).
There are particular pieces of information that, when leaked, make individuals especially vulnerable. Thus, the data is considered “sensitive” and falls under a special category of data. It requires even greater levels of protection and its use requires extra levels of checks and justification, outlined in Article 9 of GDPR.
Examples include the following:
Broadly, there are three parties to keep in mind when reading about GDPR. The first, the controller, is the government agency or organization (public or private) that decides why and how personal data are collected and processed. Controllers are also the ones who use the data and, if necessary, share it.
The second, the processors, are those contracted by the controller to process personal data on its behalf, typically IT service providers or third-party marketing companies. A processor is an organization, not a piece of software, but the apps and services a controller uses to collect or process personal data must still support its GDPR obligations (for example deletion, export and access controls), and the vendor operating such a service on the controller's behalf is a processor. In many circumstances the same organization is a controller for some data and a processor for other data.
Finally, there are the data subjects: the people whose personal information is being used and processed by controllers and processors. They retain the right to access, correct or request the removal of information collected about them, and such requests must be answered without undue delay and in any event within one month (extendable by two further months where requests are complex or numerous). GDPR also gives the data subject the right to portability, meaning the information must be provided in a structured, commonly used and machine-readable format.
Essentially, when GDPR refers to the processing of data, it means the collection, handling, use, storage and destruction of information. Processors and controllers are responsible for ensuring data security at every stage of that lifecycle.
In certain situations, individuals may object to their data being processed (the “right to object”, Article 21), or ask that its processing be “restricted” (Article 18). Restriction applies, for instance, while the accuracy of the data or the lawfulness of the processing is in dispute; an objection may rest on the individual's particular situation or on concerns about how the organization will use the data.
There are three instances when an individual has the right to object:
If such a request is upheld, the collected data may still be stored but cannot otherwise be used. In some instances, processing is restricted only for a certain period, for example while a dispute is resolved, after which the data can be used again.
As might be expected, not every organization operating within the EU is subject to GDPR in the same way. Derogations for journalism and for academic, artistic and literary expression, and for churches and religious associations, are outlined in Articles 85 and 91, and member states may restrict certain rights and obligations by law in the circumstances listed in Article 23.
GDPR sets out to protect personal data, though doing so may conflict with other rights. If an individual poses a threat to the rights and freedoms of others, or where public security or the prevention and investigation of crime is at stake, member state law may restrict the protection that individual's data would otherwise receive (Article 23).
Examples of when personal data may no longer be treated as such include:
Conversely, member states may wish to apply extra safeguards to their citizens' data. Regardless of any such extra measures, all GDPR requirements must still be met.
The protection of personal data is a value that is shared across the globe, with 109 of the world’s 195 countries incorporating some form of data protection law into their national legislation. Privacy is considered to be a fundamental aspect of the right to human dignity. Though organizations also have some right to privacy, it does not prevail over an individual’s right.
Yet these laws vary widely. What is legal in one country may not be in another. Additionally, data is transmitted all across the world: how should it be protected? Does that depend on the country where it is currently held, or on the individual's home country? Under GDPR, data must be protected in line with EU standards for all of its data subjects, regardless of where the data itself is held.
The United Kingdom's impending departure from the EU will, undoubtedly, have many unforeseen consequences. With regard to data protection, however, it is very likely that the UK's data protection laws will keep the same shape as GDPR (the UK's Data Protection Act 2018 already supplements GDPR in UK law), in part because many UK organizations will continue to work with the data of EU data subjects.
There is an existing agreement between the US and the EU regarding the protection of shared data. Adopted in 2016, the EU-US Privacy Shield Framework allows personal data to be transferred from the EU to US organizations that have self-certified with the US Department of Commerce. This is necessary because the EU has not found US privacy law adequate in general, so organizations wishing to receive EU data must take extra steps to show they have “adequate safeguards” in place. (A later development worth knowing: the Court of Justice of the EU invalidated Privacy Shield in July 2020 in the Schrems II judgment, so it can no longer be relied on as a transfer mechanism; transfers since then rest on standard contractual clauses with supplementary measures or on the successor framework.)
These organizations must process and use the data in accordance with the principles set out by the Framework. The US Federal Trade Commission or the Department of Transportation is responsible for enforcing these rules, depending on the nature of the organization. To stay on the list, organizations must re-certify annually that they remain compliant.
Whilst being Privacy Shield-certified never guaranteed GDPR compliance, it gave such organizations a head-start over uncertified ones. Additionally, the European Commission must evaluate and review GDPR periodically (Article 97: a first report by May 2020 and every four years thereafter), so organizations must keep up to date with the latest requirements.
When it came into force, GDPR established the right to erasure, commonly called the “right to be forgotten”. Those who hold an individual’s personal data must delete it upon request if the following conditions are met:
Data subjects also have the “right to be informed”. This means that they must receive information from the controller about what information is collected, how it is stored, and how it is being used. If any of these things change whilst the data is still in the controller's possession, the data subject must be informed.
Under the Data Protection Directive that preceded GDPR, each member state set its own regime for penalties. For example, breaches in the UK could attract fines of up to £500,000, but in France the maximum penalty was €150,000.
GDPR standardises the penalty scheme. The maximum administrative fine is now €20 million or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of €10 million or 2% applies to less serious infringements). Data subjects are also able to claim compensation from those that committed the violation.
The core GDPR privacy principles are set out in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. (The “eight principles” sometimes quoted come from the UK's earlier Data Protection Act 1998.)
Essentially, this means that data must only be used for the purpose it was collected for, must be held securely and accessed only by those with adequate authorization, and may leave the EU only under the transfer conditions in Chapter V. The data collected must, of course, be accurate and kept no longer than needed.
There are a number of practices that can be put in place to ensure that data remains secure. These can help guard against both malicious breaches of information and breaches that result from simple human error.
It is, of course, essential to ensure that all employees strictly adhere to these practices to minimize the risk of GDPR non-compliance.
It is important to note this GDPR Guide for Dummies is a very basic guide and should not be considered a basis for GDPR compliance. The General Data Protection Regulation contains 11 Chapters and 99 Articles relating to the protection of data and how it should be obtained, processed and stored. Naturally not every line of text will apply to every GDPR-covered entity, but businesses and organizations outside the EU should be aware that each EU member state has its own data protection legislation that also has to be complied with.
A further consideration for businesses and organizations operating outside the European Economic Area (EEA) is that personal data subject to GDPR may only be transferred to a non-EEA country on the basis of an adequacy decision, appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of the narrow derogations in Article 49. This affects businesses that operate in the cloud and archive data in regions (and the availability zones within them) located in jurisdictions where none of these bases applies. In that case it will be necessary to move the data to a region where a lawful transfer basis exists, or to keep it within the EEA.
The requirements for GDPR compliance are long and complex, and businesses subject to GDPR not only have to ensure their operations are compliant, but also the operations of third parties with whom data is shared. Although it is not an automatic requirement of GDPR for businesses to appoint a Data Protection Officer to address compliance issues (this requirement only applies in certain circumstances), it is recommended businesses conduct a compliance audit and discuss their current level of data security with a GDPR Compliance Consultant.