I keep getting e-mails about GDPR from pretty much every website I’m subscribed to, not to mention in my line of work, so I decided to research a little more about it, and to compile this into a post that, I hope, will be useful.
The General Data Protection Regulation (GDPR) is the European Union's new data protection regulation. It governs how data controllers and data processors collect and process personal data, and it applies from May 25th, 2018.
What is personal data, and who has access to it?
Video credits: General Data Protection Regulation in 97 seconds by TietoCorporation via YouTube
Personal data is any information relating to an identified living person, or to a person who can be identified from it, either directly or in combination with other data. This includes, among other things:
- Date of birth
- Home address
- Social security number
- Cookies and similar online identifiers set in your internet browser...
As long as it can help identify you, it falls under the umbrella of ‘personal data’.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
— From the European Commission website at ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
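The distinction in the quotation above is where practitioners most often go wrong: replacing an e-mail address with its hash is routinely described as "anonymisation", but an unkeyed hash can be recomputed by anyone who can enumerate candidate addresses, so the record still identifies a person and remains personal data. The Python below is an added example, not code from the original post or from the European Commission; the customer records, the attacker's candidate list and the secret key are all constructed for the demonstration. It shows a dictionary attack recovering addresses from plain SHA-256 tokens, then shows that a keyed HMAC defeats an outsider but is still reversible by whoever holds the key, which is exactly why GDPR treats it as pseudonymisation rather than anonymisation.

```python
"""Added example: hashing an e-mail address pseudonymises it, it does not
anonymise it. All data below is constructed for this demonstration."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample of records a controller might try to "anonymise" by
# replacing the e-mail address with a digest.
CUSTOMERS = [
    {"email": "alice@example.com", "orders": 3},
    {"email": "bob@example.net", "orders": 1},
    {"email": "carol@example.org", "orders": 7},
]

# Constructed list of addresses an attacker already holds from elsewhere
# (a marketing list, a public breach dump, a guessed naming scheme).
ATTACKER_CANDIDATES = [
    "dave@example.com",
    "alice@example.com",
    "erin@example.net",
    "carol@example.org",
]


def normalise(email: str) -> str:
    """Canonical form before hashing. An attacker who reproduces the same
    normalisation reproduces the same digests."""
    return email.strip().lower()


def sha256_pseudonym(email: str) -> str:
    """Unkeyed hash: anyone can recompute it from a guessed address."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def hmac_pseudonym(email: str, key: bytes) -> str:
    """Keyed hash: recomputing it requires the controller's secret key."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def release_dataset(hasher) -> list:
    """What the controller publishes: the e-mail column replaced by a token."""
    return [{"token": hasher(c["email"]), "orders": c["orders"]} for c in CUSTOMERS]


def reidentify(dataset: list, candidates: list, hasher) -> dict:
    """Dictionary attack: hash every candidate address with the same function
    and look the result up among the released tokens. Returns a mapping of
    recovered e-mail -> orders for every record that was re-identified."""
    lookup = {row["token"]: row["orders"] for row in dataset}
    found = {}
    for email in candidates:
        token = hasher(email)
        if token in lookup:
            found[email] = lookup[token]
    return found


def demo() -> tuple:
    """Returns (unkeyed hits, outsider hits against HMAC, key-holder hits)."""
    # 1. Unkeyed SHA-256: the attacker recovers every address on their list
    #    that appears in the dataset.
    unkeyed = release_dataset(sha256_pseudonym)
    unkeyed_hits = reidentify(unkeyed, ATTACKER_CANDIDATES, sha256_pseudonym)

    # 2. HMAC under a secret held only by the controller (generated here for
    #    the demo). An outsider can only try keys they guess, and fails.
    key = secrets.token_bytes(32)
    keyed = release_dataset(lambda e: hmac_pseudonym(e, key))
    outsider_hits = reidentify(keyed, ATTACKER_CANDIDATES,
                               lambda e: hmac_pseudonym(e, b"wrong-guess"))

    # 3. The key holder can still link tokens back to people, so the data is
    #    pseudonymised, not anonymised, and is still personal data.
    keyholder_hits = reidentify(keyed, ATTACKER_CANDIDATES,
                                lambda e: hmac_pseudonym(e, key))
    return unkeyed_hits, outsider_hits, keyholder_hits


if __name__ == "__main__":
    u, o, k = demo()
    print("plain SHA-256, outsider re-identified:", u)
    print("HMAC, outsider re-identified:", o)
    print("HMAC, key holder re-identified:", k)
```

The practical consequence is that a hashed-e-mail dataset still needs the same protection, retention limits and lawful basis as the raw one; only an irreversible transformation (for example aggregation that no longer maps to individuals) takes it out of scope.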
Data controllers and Data processors
A data controller is an individual or legal person who decides why and how information about living people is processed. If your organisation holds such information and decides what it is used for and who it is disclosed to, then you work for a data controller.
Examples: The NHS, the IRS, your general practitioner...
A data processor, on the other hand, processes personal data on behalf of a controller and doesn’t decide why or how it is processed. Such people or companies are only allowed to process personal data on the controller’s documented instructions; GDPR nevertheless gives processors obligations of their own, notably to keep the data secure and to report any breach to the controller.
Example: A call centre outsourced to perform customer service for a company.
Why the need for new regulations?
With the increase in digital communications over the past couple of decades, and the growing number of organisations with access to personal data, more and more people have been expressing concern about their data, and over 90% of Europeans have said they want the same data protection rights across the European Union as a whole. This concern extends to data controllers and processors outside Europe as well, as long as they handle the personal data of European residents.
Therefore a new regulation (Regulation (EU) 2016/679), most commonly known as GDPR, was adopted in April 2016 and entered into force on May 24, 2016, with a two-year transition period before it applies. It aimed at simplifying the rules for companies holding personal data, as well as at strengthening people’s control over their own data, by giving them a genuine say in what they disclose and what it is used for.
GDPR applies in full from May 25, 2018. In the preceding weeks, residents have been invited to review which data they share on many websites such as Facebook, LinkedIn, or job search portals. If you’re residing in the EU, it is definitely an important opportunity to review what you consent to sharing, and make sure you don’t disclose too much. If you’re outside the EU but have access to such data, you also need to know what it entails, and ensure you won’t accidentally misuse personal data in your job, for instance.
GDPR in details
Video credits: The road to GDPR compliance by Micro Focus - HPE Software via YouTube
People’s consent to the use of their personal data is key (it is one of the lawful bases for processing, and the one most websites rely on), and therefore any information and instructions about it have to be legible and understandable. For instance, long terms and conditions full of ‘legalese’ (which is complicated to read) must be rewritten in clear and plain language so that readers fully understand what they agree to, and do not give consent resting on a misunderstanding. Consent must also be freely given, specific and unambiguous: a pre-ticked box, silence or inactivity does not count.
GDPR applies outside of the EU territory, not only inside! Regardless of where a data controller or data processor is established, if it offers goods or services to people in the EU, or monitors their behaviour (tracking them online, for instance), then it must abide by GDPR when processing their personal data. For instance, if I order a book from Amazon.com in the US to be delivered to my home address in the UK, then Amazon US has to comply with GDPR for the data it holds about me.
Right to access
Any EU resident has the right to get information about how their personal data is being used: whether it is being processed, where, what for, by whom, and for how long. Data controllers have to provide a copy of that data on request, free of charge for the first copy, in a commonly used electronic form if the request was made electronically, and normally within one month. Moreover, one can also withdraw consent, or request the deletion of some or all of their personal data (the ‘right to erasure’), provided the controller no longer has a valid reason to keep it: you can request deletion from a job search website you’re not using anymore, but not from an online store where you currently have an order being fulfilled, since the store still needs your data to deliver what you bought.
Privacy by Design
Data protection must now be implemented by design and by default, that is to say from the outset of a system or service, and not bolted on afterwards. The data collected and processed must also be limited to what is necessary for the purpose for which it is used (data minimisation). To use the Amazon example again, there’s no need for Amazon to hold the details of more payment cards or delivery addresses than I actually use, such as my parents’ street address on top of mine.
Data processors and controllers that fail to comply incur fines of up to 20 million euros or 4% of their global annual turnover, whichever is greater. A company could be fined at that level if it processes personal data without a valid basis, for instance on consent that was never properly obtained. A lower tier of fines, up to 10 million euros or 2% of turnover, applies to failures such as not keeping proper records of processing or not securing personal data appropriately, since the latter could lead to breaches.
Hopefully this article has made GDPR a little clearer. It is easy to dismiss all the information that was dumped on you about it (if you're directly concerned), or to be unclear about how it may impact you even though you're not in the EU. And if you read my previous post about social engineering, then you're no doubt aware now of how personal data can be used against you!
- European Commission (2018), What is personal data? [Online] Available at https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
- EU GDPR information portal [Online] Available at https://www.eugdpr.org/
- Office of the Data Protection Commissioner (2018), Are you a "data controller"?, Ireland [Online] Available at https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm
Written for bitLanders by Naotalba