And why you need to know about it in 2018.
On May 25th 2018 the General Data Protection Regulation (GDPR) became applicable law in the European Union (EU). This has an impact on organizations worldwide which do business with and/or collect data about individuals who live in the EU. The regulation intends to better protect the rights and freedoms of people in the EU, particularly with regards to privacy and data protection. It also aims for a better balance between protecting those fundamental rights and the need for a free flow of information in a globalized economy.
It’s been just over 2 years since the law was passed. Organizations should now be prepared for the new rules and principles, and have their systems and tools ready to fully comply to the GDPR.
What should you know? The bare minimum:
A major change in Focus.
First of all, do not make the mistake of assuming the GDPR is ‘roughly the same as before, with some improvements’. Instead, you should see the 25th of May 2018 as the start of a new era. One in which your organization must consistently maintain an up-to-date data security stance and demonstrate this through well-documented policies and procedures.
And in Scope.
The GDPR has a broad definition of ‘personal data’ as ‘any information relating to an (…) identifiable natural person (‘data subject’). And ‘processing’ is defined by the GDPR as ‘any operation (…) which is performed on personal data (…), whether or not by automated means,(…)’. This makes it extremely unlikely that an organization does not process personal data.
Data Processing Principles.
The first principle of the GDPR is that ‘personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject’.
According to the GDPR, processing is lawful only if at least one of the legitimate purposes given in article 6 applies. The rules are even more strict for ‘sensitive personal data’, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and data concerning health, sex life or sexual orientation, etc. It is illegal to process ‘sensitive’ personal data, except for the purposes specifically detailed in article 9.2. The formulation ‘data revealing …’ should be broadly interpreted. A photograph can reveal a lot of sensitive personal data.
Fairly and in a Transparent Manner.
The GDP focuses heavily on the rights and freedoms of the data subject. The requirement of fairness and transparency makes it impossible to trick the data subject into consenting. GDPR recital (42) states: ‘For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.’
The restrictions on the validity of consent and the right of the data subject to withdraw consent at any time (see below) means that ‘consent’ might not be easy to obtain legitimately anymore. Certainly not if your real purpose is, in fact, some form of exploiting the economic value of personal data. Instead of blindly trying to get consent from data subjects, it is probably easier to justify the request by openly stating that ‘processing is necessary for the legitimate interests of the controller or a third party …’.
Notification – and Rights of the Data Subject.
Whenever you process personal data, you must inform the data subject about it and provide information about which data is being processed, where this data was obtained (if not from the data subject), the purpose of the processing, who is responsible and to whom the data will be divulged (etc.). The details can be found in articles 13 and 14.
On top of this, data subjects are entitled to have access to the data you have on them (you are legally required to respond within 30 days). They have the right to have their data corrected if it is inaccurate and to have it erased in a number of cases. In your notification, you must provide information on these rights. You must assist data subjects in the execution of their rights.
Data Breach & Notification.
A personal data breach is a security incident that has, or might have, affected the confidentiality, integrity or availability of personal data. A breach can be accidental or on purpose. This includes any unauthorized processing such as data that is accidentally lost, destroyed or made unavailable by ransomware.
Whenever a security incident takes place you need to establish whether a personal data breach has occurred and, if so, promptly take steps to address it. This includes sending a notification to the supervisory authority within 72 hours from the moment the breach was detected.
 The GDPR has EEA relevancy, so its territorial scope includes the European Economic Area. The EEA comprising of the (as yet 28) members of the EU, Iceland, Liechtenstein, and Norway. Switzerland is not a member of the EEA but it has a series of agreements with the EU allowing it to participate in the internal market.
This article has been written by guest author Leo Besemer.