The Basics of GDPR
Providing a full description on the EU General Data Protection Regulation is not a simple task. Why?
Because it is not merely a compliance framework; rather, it is a blueprint for a combination of legal, technological and work habit changes within an organization. And it directly affects all currently accepted ideas and methods used in data management processes.
To gain a proper understanding of what is within the regulation and what to expect from it, some keywords needs to be discussed and understood.
First and foremost who is involved in the process? The regulation differentiates three major entities that are present in all scenarios where personal data is present.
First of all there are the ‘data subjects’ – those people whose personal data is collected. Those doing the actual data collection are called ‘data controllers’ and finally come the ‘data processors’; organizations tasked with processing the information collected.
Not only are the entities declared but also the concept of personal data is redefined. Whereas previously, personal data was simply any information that is relevant to an individual it is relevant to any information that can be directly or indirectly correlated to a natural person. In other words, any information that is specifically attributable to the user is considered personal data. So, anything from a simple IP address, to a user name or even health records can be described as personal data, and the list just goes on. That is why we need to reconsider what type of information is collected at an organization.
There is also a territorial scope around this. Any organization within or outside the EU that collects or processes personal data of EU citizens must take action according to the requirements of the GDPR.
The GDPR is therefore relevant to anyone responsible for the collection or processing of the personal data of EU citizens. And of course this does not except non EU businesses, because if they want to trade with the EU, they have to play by the EU’s rules.
GDPR rights and responsibilities
But what are those rules? To get a better understanding, let’s look at what rights Data Subjects will have and what responsibilities Data Controllers and Processors will need to consider:
- The right to data correction: Simple enough yet giving subjects a chance to change any previously provided information and make adjustments if necessary.
- Tighter consent requisitions: Data subjects must be informed and consulted on anything related to the processing of their personal data, or ways in which that data might be used.
- The right to be forgotten: Giving subjects the chance to erase all stored information relating to them.
- Notification on data endangerment and current state: During the whole data handling process subjects bust be informed on what is happening to their personal data and if it is at risk.
- Privacy by default: Once an agreement has been made between the subject and the other data entities, divergence from the terms is only possible once an additional agreement has been made by the parties.
These are the rules that directly apply to data subjects, but the responsibilities of both data controllers, known as responsibilities, are also very much in the interests of the data subjects
- Accountability for violations and breaches: Both controllers and processors can be held responsible by the supervisory authority in the event of any negligence of personal data security or of not complying with the GDPR requirements.
- Harsh sanctions for not complying: The GDPR stipulates that not complying with the regulation can lead to penalties up to 4% of total global annual turnover or €20 million, whichever is the higher amount.
- Embedded security measures: The security of personal data should not be an afterthought when it comes to infrastructure development.
- Visibility in the data flow: Information and the actions executed to it must always remain visible and traceable.
- Full functionality of data handling: All implemented habits and technologies must serve the sole purpose they were intended for.