In five months, the General Data Protection Regulation (GDPR) will go into full effect. This European legislation aims to protect all European Union citizens from privacy and data breaches. In this article, we delve further into the fundamentals of the regulation. What are the objectives, definitions, and territorial scope of the GDPR?
Regulation for the Smartphone Era
The GDPR is a privacy regulation which has been put in place to protect European citizens in this modern age of Big Data, smartphone apps, and the Internet of Things. It is constructed to protect natural persons with regard to the processing of their personal data. It also has rules relating to the free movement of personal data. So, on the one hand, the regulation protects fundamental freedoms of natural persons. On the other hand, the free movement of personal data within the EU will not be restricted.
The GDPR: It’s Almost Global
Article 3 of the GDPR describes the territorial scope. It applies to all organizations processing the personal data of individuals residing in the EU. This is regardless of the company’s location. Exceptions are made for processing that falls outside the scope of European legislation or when personal data is processed by authorities in order to fight crime.
What does this mean in practice? Many international organizations have dealings with EU citizens. Medium-sized and bigger international organizations that do not have to comply with the GDPR will be rare. As a flipside, critics point out that there are some loopholes that could have a negative impact on the GDPR’s effectiveness.
Even an IP Address is Personal Information
Article 4 of the GDPR consists of 26 definitions of terms that are used in the regulation. The definition of personal data is the most important. The GDPR scope of personal data is very broad. Personal data is defined as any information relating to an identified or identifiable person. A person is considered identifiable if she can be directly or indirectly identified.
This is already the case when an identifier is used. Examples of identifiers are a name, an identification number, a person’s location data, or even an IP address. Moreover, a person is also identifiable if one or more facts are gathered that are characteristic of his physical, physiological, genetic, mental, economic, cultural, or social identity.
Another definition applies to “processing” the data. The GDPR defines “processing” as performing any action or set of actions on data, automated or otherwise. Some examples include recording, structuring, or even destroying data. In other words, whenever you handle personal data, the GDPR applies.
Other important definitions apply to “controller,” “processor,” “profiling,” and “pseudonymization.”
How EXIN Can Help
The EXIN Privacy & Data Protection program covers the required knowledge of regulations relating to data protection. It will certify professionals with the required level of knowledge to face these challenges and opportunities.
The EXIN Privacy & Data Protection program expands your portfolio with a subject in high demand. This certification will strengthen your career opportunities and credibility in your field. Both you and your employer will reap the benefits!