Summary

  • The General Data Protection Regulation (GDPR) is a regulation in European Union law about data protection and privacy for all individuals within the EU (citizens and residents). The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
  • GDPR becomes enforceable from 25 May 2018.
  • The cost of a failure of data protection compliance is up to 4% of the worldwide turnover of a company!
  • Personal data can be stored and analyzed, but companies must explain to end users how their information is being used and for how long.
  • Personal data should not be used without consent, due to the Consumer Profiling Restrictions in GDPR.
  • Users have a right to update their personal data and correct inaccuracies, due to the Right to Rectification in GDPR.
  • Users can ask for their personal data to be removed from a system, due to the Right to Be Forgotten in GDPR.
  • A fast response is required, due to mandatory breach notifications.

Scope

GDPR applies to a data controller, an organization that stores or collects data from EU residents, and to a data processor, an organization that processes data on behalf of a data controller, such as cloud service providers or other third-party vendors that have access to PII inside your organization’s network. The data subject is a person based in the EU (citizen or resident). According to GDPR there are two types of data: Personal Data, such as name and address, and Special Personal Data, such as biometric data, PHI and political orientation. Examples of personal data include:

  • home address
  • photo
  • email address
  • bank details
  • posts on social networking websites
  • medical information
  • computer’s IP address
  • data protection by default

Responsibilities

Privacy by design and by default (Article 25 of GDPR) requires data protection measures to be designed into the development of business processes for products and services. Data protection officers (Articles 37–39) are required to ensure compliance within organizations. Such measures include:

  • Data Protection Impact Assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects.
  • Risk assessment and mitigation are required, and prior approval of the national data protection authorities (DPAs) is required for high risks.

Controllers’ responsibilities

According to GDPR Article 5, the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to the processing of personal data. These are: lawfulness, fairness and transparency; data minimization; accuracy; storage limitation; and integrity and confidentiality of personal data.

Processors’ responsibilities

According to Article 28 of GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

Other requirements

GDPR requires a DPO (Data Protection Officer) within your company. All DPOs should understand how their companies collect data and maintain user privacy by performing a risk review of the entire data lifecycle, as users may move in and out of territorial scope.

Useful Links

You may find these two links very helpful if you need more information:

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB
