What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation, or GDPR, is a legal framework that sets guidelines for the collection and processing of personal data from individuals who live in the European Union (EU).
GDPR was established on April 14, 2016 by the European Union and the European Economic Area (EEA) and became effective on May 25, 2018. The GDPR replaced the 1995 Data Protection Directive which was created when the internet was still in its infancy. Unlike the Data Protection Directive, the GDPR is a regulation so it is binding, applicable and enforceable. However, it does provide flexibility for some parts of the regulation to be adjusted by individual member states.
So What Does the GDPR Entail?
GDPR is one of the world's strictest security and privacy laws that imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the European Union. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
The GDPR has seven principles: 1) lawfulness, fairness and transparency; 2) purpose limitation; 3) data minimization; 4) accuracy; 5) storage limitation; 6) integrity and confidentiality (security); and 7) accountability. Accountability is a new addition to the data protection regulations. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act. The following definitions are paraphrased from ICO’s site found here.
Lawfulness, Fairness and Transparency: Data must be processed lawfully, fairly--this means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. You must be clear, open and honest with people from the start about how you will use their personal data and communicate that in a transparent manner.
Purpose Limitation: Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes can be considered to be compatible with the initial purposes.
Data Minimization: Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. In short, the company or individual should identify the minimum amount of personal data needed to fulfil their purpose and no more.
Accuracy: Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure inaccurate personal data can be erased or rectified without delay.
Storage Limitation: Data must be kept in a form which permits identification of subjects for no longer than is necessary for the purposes in which the personal data is being processed. Personal data may be stored for longer periods if it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. These exceptions must implement appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
Integrity and Confidentiality: Data must be processed using appropriate technical or organizational measures to ensure appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.
Accountability: The controller must be responsible for, and able to demonstrate compliance with the GDPR
What is Personal Data and Data Subject Under GDPR?
GDPR specifically defines “personal data” as any information that relates to a natural person, which is someone who can be directly or indirectly identified. This includes:
- Identification number
- Location data
- Physical address
- Email address
- IP address
- Radio frequency identification tag
- Voice recording
- Biometric data (eye retina, fingerprint, etc.)
- An online identifier of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.
GDPR has five definitions proposed for “data subjects,” varying from any personal data physically located in the EU to citizens of the EU.
- Located in the EU
- Resident of the EU
- Citizen of the EU
- An EU Resident/Citizen Located Anywhere
- Personal Data in the EU
Related: PII vs PHI
Located in the EU: A data subject is anyone physically within the borders of the EU whose data is being processed. For example, a citizen of the EU, who is physically located in the EU, who provides personal information through the purchase of a product.
Resident of the EU: A data subject is anyone who formally resides within the EU, regardless of citizenship. Simply, the individual is physically within the EU. For example, a non-EU citizen who is studying abroad in the EU.
Citizen of the EU: A data subject who has formal citizenship in the EU while that individual is physically within the EU.
An EU Resident/Citizen Located Anywhere: A data subject is anyone who has residency/citizenship in the EU whose data is being processed, regardless of where the resident/citizen is physically located at the time of processing. For example, a data subject could be an EU citizen, who is located in the U.S. and who provides personal information during the purchase of a product.
Personal Data in the EU: A data subject is anyone whose personal data is located in the EU, regardless of the residence, citizenship, or physical location of the data subject. For example, a non-EU citizen, who may or may not be located in the EU, but does provide personal information through the purchase of a product.
What is GDPR Compliance?
Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it, many of whom will have malicious intent to use or sell the information on the black market.
Under the terms of GDPR, not only do organizations have to ensure that personal data are gathered legally and under strict conditions, but those who collect and manage it are obligated to protect the data from misuse and exploitation, as well as to respect the rights of data owners to have access to or to correct their own data. Failing to do so will result in penalties.
To Whom Does GDPR Apply?
GDPR applies to any organization operating within the EU, as well as any organization outside the EU that offers services or goods to customers or businesses in the EU.
The legislation applies to two different types of data-handlers: “controllers” and “processors.” The UK's Information Commissioner's Office, who is the authority responsible for registering data controllers defines a controller as a "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data." The processor is a "person, public authority, agency or other body which processes personal data on behalf of the controller."
The GDPR places legal obligations on a processor to maintain records of personal data and how it is processed, providing a much higher level of legal liability should the organization be breached. Controllers are also accountable to ensure that all contracts with processors are in compliance with GDPR.
Since GDPR became law, the regulation has become a model for many national laws outside the European Union, including Chile, Japan, Brazil, South Korea, Argentina and Kenya. The California Consumer Privacy Act (CCPA) that was adopted on June 28, 2018, has many similarities with the GDPR, although one shouldn’t think that they are identical as there are differences—but that’s an article for another time.