We’re a few months away from the official implementation of a game-changing regulation. Once enforced, the GDPR will make sweeping changes for organizations worldwide, and will ultimately set the gold standard for data protection.
What is the GDPR?
Back in 1995, Europe adopted a regulation called the Data Protection Directive 95/46/EC. While this directive served its purpose well, advancements in technology and communications rendered the Data Protection Directive outdated, particularly where cross-border data flow is concerned.
In April of 2016, the European Union adopted a new standard called the General Data Protection Regulation, or GDPR, which addresses the who, what, when, and where of personal data for EU citizens. In total, the GDPR is 99 articles, which have been neatly broken down into 11 chapters on the official website. We’ll be covering a few of those articles, but this is by no means meant to be anything other than a general introduction to the regulation (not to be used for legal purposes). At the bottom of the page, you’ll find a bunch of resources in case you want to learn more, which we encourage!
In a nutshell, the end-goal of the GDPR is to make regulation easy for data controllers (entities that access, store, and transfer data) around the world, and maximize the protection of data for EU residents.
Who does it apply to?
The GDPR applies to any organization that processes or controls data of an EU resident, regardless of where the organization is located worldwide. If a company in Alberta wants to access personal data of a person in France, that company must be in compliance.
The GDPR was designed to make this process as simple as possible and it expands on the previous directive’s requirements, such as getting proper consent, conducting impact assessments, appointing data protection officers, and maintaining records of processing.
So even though this regulation was built with data subjects at heart, it was also designed to make compliance easier for organizations, particularly those outside of the EU.
What is personal data?
Article 4 defines personal data as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
That’s a long way of saying that anything that can identify a person should be considered personal data and is likely covered under the GDPR.
Article 3 defines the processing of personal data as:
- the offering of goods or services, whether or not payment is required, to data subjects in the Union; or
- the monitoring of their behavior so long as their behavior takes place within the Union.
What rights do individuals have under the GDPR?
Articles 12 through 23 specifically define individual rights, how they work together, and how they are restricted (such as when needed for law enforcement). The long form of those rights is far too much detail for the purposes of this blog, but here are five that will give you a snapshot of what the GDPR is trying to accomplish:
Right to transparency – controllers are required to provide information and communication of data processing to individuals “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
Right of access – individuals have the right to know whether his or her personal data is being processed by a controller, the purposes for processing, the categories of personal data being processed, and the recipients of said data. The controller must provide this information free of charge.
Right to erasure – also known as the right to be forgotten, data controllers must, in a timely manner, erase personal data per the subject’s request and inform all other controllers that are also processing the data of said request.
Right to data portability – Article 20 states that “The data subject shall have the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.”
Right to object – Data subjects have the right to object to the processing of their data at any time. After which, data controllers must demonstrate compellingly legitimate reasons to continue processing.
What is privacy by design and default?
Article 25 requires that data be protected by design and default. What this means is that organizations must create internal policies for how they handle personal data. They must take appropriate technical and non-technical measures to ensure the confidentiality, integrity, and availability of data throughout its lifecycle.
The idea behind privacy by design and default is to make data protection a fundamental process of organizations worldwide, and not just a matter of legislation and compliance.
Organizations that fail to comply will face significant fines—as high as four percent of the organization’s annual revenue. Furthermore, individuals may take action against any entity that improperly handled personal data.
What does all this mean to you?
The steps taken to create and implement the GDPR are encouraging to us as individuals. Too often we hear of major data breaches that could have easily been avoided. Bad processes and poor security practices are most often to blame. The GDPR requires that organizations fully review their data handling policies to ensure security. And while it only applies to EU citizens, we believe it’s just a matter of time until more countries around the world adopt similar regulations.
If you work in an environment that handles personal information, be sure you know what your organization’s policies are, and know what your role is regarding those policies. If you’re unsure, just ask! And if you’re the owner or operator of a business of any size, and you intend to access data of EU citizens, we strongly recommend you seek legal counsel and ensure that you are in compliance of the GDPR.
Official website: https://eugdprportal.godaddysites.com/eugdpr.org.html
Articles and chapters: https://gdpr-info.eu/
Summary of key changes: https://eugdprportal.godaddysites.com/key-changes.html
PDF of full and final text: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
12 steps for preparation of the GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
GDPR checklist for data controllers and processors: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/