GDPR is the acronym for General Data Protection Regulation, itself a shorthand for “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016”. It is a European privacy legal framework directly applicable in all 28 EU countries and regulating personal data flows of individuals based in the European Union.
It has been in force (fully part of the EU legal order, but not yet enforceable) since 25th May 2016 and becomes enforceable on 25th May 2018.
It repeals (replaces) Directive 95/46/EC, the previous data protection law, which EU Member States had adopted with considerable variation among them. It does so by simplifying rules for data controllers, imposing obligations for the first time on data processors as well, strengthening rights for data subjects (individuals), making personal data breach notification compulsory and, generally, striving for a “one continent, one rule” handling of personal data across the Union. It is one more step towards the longer-term strategy for a European Digital Single Market.
Its reach is considered extraterritorial in that the GDPR regulates the processing (handling) of personal data of EU-based individuals wherever that data may be stored or processed around the world. It also applies to anyone’s personal data if the data controller or processor is based in the EU. The only situation in which the GDPR does not apply is when data controllers or processors are based entirely outside the EU and deal exclusively with personal data of non-EU individuals.
The GDPR is not intended to cover the protection of an individual’s fundamental rights to privacy in the context of criminal investigations, covered by a distinct, but parallel Directive: “Directive (EU) 2016/680 on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities”.
Companies are expected to be fully compliant by May 25th 2018, and Help Net Security will be publishing updated guidance notes during the 24-month run-up period.
GDPR essential glossary
Data Subject: a natural person.
Personal Data: any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier: ID number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Controller: the natural or legal person, public authority, agency or other body which alone, or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by European Union law or Member State law, the controller, or the specific criteria for nominating the controller, may be designated by European Union law or by Member State law.
Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Processing: any operation or set of operations performed upon personal data, or sets of it, whether by automated means or not. Examples of data processing explicitly listed in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasure or destruction.
Profiling: any form of automated processing of personal data that uses it to evaluate, analyse or predict certain personal aspects of a natural person. Examples of such aspects explicitly listed in the text of the GDPR are: performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation: the processing of personal data so that it can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and technical and organisational measures are used to ensure non-attribution to an identified or identifiable person.
Data Subject’s Consent: any freely given, specific, informed, unambiguous indication of his/her wish by which the data subject, by statement or clear affirmative action, signifies agreement to personal data relating to them being processed.
Personal Data Breach: breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Binding Corporate Rules: personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity.
Principles: All of the fundamental principles in the GDPR are further “translated” into detailed rights for the individual and corresponding obligations for the organisation. Additionally, all of the principles are reinforced by the overarching Accountability principle: organisations (Data Controllers) must not only follow each data protection principle, but must also be able to prove how they are putting each into practice.
The GDPR does not offer many technical specifications, and organisations are free in their choice of the technical or organisational measures they adopt to comply. However, all will have to put in place some sort of audit trail, data tagging or metadata framework to show how personal data is handled in accordance with the principles.
Legality Principle: Personal data must be processed only on the basis of one of the legal grounds specified by the GDPR. In practice, this means that for any personal data element processed, an organisation must be able to indicate on which of the following list of grounds it is processing it:
1. Individual’s own consent.
2. Contract with the individual.
3. Complying with an existing legal obligation.
4. Necessary to protect the vital interests of a person.
5. Necessary for a task in the public interest or in the exercise of public authority.
6. Necessary in the pursuit of the legitimate interest of the organisation or a third party.
Transparency Principle: Any information the data controller (organisation) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in an easily accessible form; it must be provided in writing, at the latest within one month. The data controller can only refuse if it can demonstrate that it is not in a position to identify the data subject. If the data controller does not take action on the request, it must inform the data subject, at the latest within a month, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy. Information shall be provided free of charge unless the requests are unfounded, excessive or repetitive, in which case the controller may charge an administrative fee but bears the burden of proving the unfounded or excessive character of the request.
Fairness Principle: Fairness is achieved when the Data Controller has put in place working procedures for the Data Subject to exercise in an effective manner the following rights:
1. Right of access to the data (to know what data is held about the individual).
2. Right to rectification of the data.
3. Right to erasure of the data (to be forgotten).
4. Right to restriction of processing.
5. Right to data portability (to be given personal data in a structured and commonly used and machine-readable format and transmit such data to another controller).
6. Right to object to the processing of personal data, including profiling.
7. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects him/her.
Purpose Limitation Principle: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Archiving in the public interest and scientific, historical or statistical research are deemed to be compatible with the initial purpose.
Minimisation Principle: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy Principle: Personal data must be accurate and kept up to date and every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay.
Storage Limitation Principle: Personal data must be kept in a form which permits identification of data subjects for no longer than necessary for the processing purposes. Data may be stored for longer periods only for public interest archiving, scientific, historical or statistical research purposes.
Integrity and Confidentiality Principle: Personal data must be processed using appropriate technical and organisational security measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Accountability Principle: The Controller has responsibility for and must be able to demonstrate compliance with all the principles listed above.