- The General Data Protection Regulation (GDPR) is a regulation in European Union law about data protection and privacy for all individuals within the EU (citizens and residents). The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
- GDPR becomes enforceable on 25 May 2018.
- The penalty for failing to comply with data protection requirements is up to 4% of a company's worldwide turnover!
- Personal data can be stored and analyzed, but companies must explain to end users how their information is being used and for how long.
- Personal data should not be used without consent, because of the consumer profiling restrictions in GDPR.
- Users have the right to update their personal data and correct inaccuracies under the Right to Rectification in GDPR.
- Users can ask for their personal data to be removed from a system under the Right to be Forgotten in GDPR.
- A fast response is required because breach notifications are mandatory.
GDPR applies to data controllers, organizations that store or collect data from EU residents, and to data processors, organizations that process data on behalf of a data controller, such as cloud service providers or other third-party vendors that have access to PII inside your organization's network. The data subject is a person based in the EU (citizen or resident). According to GDPR there are two types of data: personal data, such as name and address, and special personal data, such as biometric data, PHI and political orientation.
Per GDPR, each of the following is an example of PII:
- home address
- email address
- bank details
- posts on social networking websites
- medical information
- computer’s IP address
For GDPR, the data controller should implement measures that meet the principles of
- data protection by design and
- data protection by default
Note: As mentioned before, GDPR applies to your company if you maintain any of the above-mentioned EU residents' data. However, if your company (a) can monitor and justify that the data was collected outside the EU from an EU resident, and (b) that EU person is not going back to the EU and your company is not communicating with him/her while (s)he is in the EU, then GDPR does not apply.
As an example, a foreign worker from the EU working in the US might or might not be in scope. The employer of the person in question gathers information about this person in the US. If the worker later returns to the EU and provides updated information, such as a new address, to the employer, GDPR would apply. Otherwise we can consider that person out of scope. Obviously it becomes very difficult to confirm and track where information is gathered. That's why performing a risk review for the entire data lifecycle is important, as users may move in and out of territorial scope.
For more information about territorial scope consult GDPR Article 3 and Recital 23.
Privacy by design and by default (Article 25 of GDPR) requires data protection measures to be designed into the development of business processes for products and services. Data protection officers (Articles 37–39) are required to ensure compliance within organizations. Such measures include, among others:
- Pseudonymising personal data, by the controller (your organization), as soon as possible (Recital 78)
- Data Protection Impact Assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects
- Risk assessment and mitigation are required, and prior approval of the national data protection authorities (DPAs) is required for high risks
According to GDPR Article 5, the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to the processing of personal data. These are: lawfulness, fairness and transparency; data minimization; accuracy; storage limitation; and integrity and confidentiality of personal data.
According to Article 24, “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
Examples of such measures may be to allocate responsibilities for data protection, a data protection impact assessment and a risk mitigation plan, implementation of pseudonymization (the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information), and data minimization in order to meet the requirements of this regulation and protect the rights of data subjects.
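As an added example (not code from the original page), the pseudonymization and data minimization measures just described, in Python: the subject identifier is replaced by a keyed HMAC, only the fields the purpose needs are kept, and the lookup table that links pseudonyms back to people is held apart from the dataset as the "additional information". The sample records, the secret key and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people); fields mirror the PII list on
# this page: email address, home address, IP address, medical information.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "address": "1 Sample St",
     "ip": "192.0.2.10", "diagnosis": "flu", "visits": 3},
    {"name": "Bob Example", "email": "bob@example.com", "address": "2 Sample Ave",
     "ip": "192.0.2.11", "diagnosis": "asthma", "visits": 5},
]

# Data minimization: only the fields the analytics purpose needs are carried
# into the pseudonymized copy; name, address and IP are dropped.
NEEDED = ("diagnosis", "visits")


def pseudonym(key: bytes, subject_id: str) -> str:
    """Keyed HMAC-SHA256 of the subject identifier. Without `key` the value
    cannot be attributed back to the person, matching the definition above."""
    return hmac.new(key, subject_id.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (dataset, lookup). The dataset holds the pseudonym plus NEEDED
    fields only; the lookup is the 'additional information' stored separately."""
    dataset, lookup = [], {}
    for rec in records:
        pid = pseudonym(key, rec["email"])
        dataset.append({"pid": pid, **{f: rec[f] for f in NEEDED}})
        lookup[pid] = rec["email"]
    return dataset, lookup


def reidentify(dataset, lookup):
    """Only the party holding the lookup can re-attribute rows to a person."""
    return [(lookup.get(row["pid"], "<unlinkable>"), row) for row in dataset]


def erase_subject(lookup, key: bytes, subject_id: str) -> bool:
    """Erasure request: removing the lookup entry breaks the link, so the
    remaining analytics rows can no longer be attributed to that person."""
    return lookup.pop(pseudonym(key, subject_id), None) is not None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # belongs in a secret store, never beside the data
    data, link = pseudonymise(RECORDS, key)
    erase_subject(link, key, "alice@example.com")
    print(reidentify(data, link))
```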
According to Article 28 of GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
This means that if your organization wants to stay in business, as controller or processor, it will have to implement the necessary controls or safeguards to ensure that it complies with the GDPR, because the fines can be applied to both controllers and processors. According to Article 83, fines shall be imposed regarding "the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them."
GDPR requires a DPO (Data Protection Officer) within your company. All DPOs should understand how their companies collect data and maintain user privacy by performing a risk review for the entire data lifecycle as users may move in and out of territorial scope.
You may find these two links very helpful if you need more information: