11 Jul Basics of the General Data Protection Regulations (GDPR)
The year 2017 is on its way to becoming the worst year in our history for cyber attacks. From threats that begin internally to creative ransomware and onward to the vast industrial Internet of Things, businesses and security experts all agree that this year there are going to be more creative and devastating attacks than ever before.
Formulating the GDPR
To combat these cyber attacks, the General Data Protection Regulation (GDPR), was formulated by the European Union in January 2012. The plan grew out of an EU directive adopted in 1995, the Data Protection Directive, which regulated the processing of personal data within the European Union.
The GDPR is due to take effect on 25th May 2018. It applies new rules on companies, government agencies, non-profit and other organisations that offer goods and services to the people who live in the European Union or who collect and analyze data which is associated with EU residents.
If a business or organisation is associated with collecting, hosting or analyzing the personal data or EU residents, the GDPR regulations require that you guarantee their ability to implement all of the GDPR requirements.
The GDPR requires that organisations controlling or processing personal data that is tied to EU residents to use only third-party data processors designed to meet the requirements of the GDPR for processing personal data.
The GDPR data protection authorities are still in the process of putting the final touches to the regulations and intend to approve more specific certification mechanisms, codes of conduct, and standardized clauses.
Encryption is defined by the GDPR as a protective measure which changes personal data so that it becomes unintelligible after being affected by a breach. Whether the encryption is used or not can impact the notification requirements. Additionally, the GDPR considers encryption as technically or organisationally appropriate to use in certain cases.
Controllers and Processors
The GDPR applies to “controllers” and “processors”. Controllers are defined as an entity that says how and why personal data can be processed. Processors act on the controller’s behalf. The GDPR requires a processor to maintain records of personal data and processing activities and assigns penalties if one is responsible for a breach.
A controller, however, is not relieved of his obligations where a processor is involved. The GDPR also places obligations on controllers to ensure that their contracts comply with the regulations.
The GDPR applies to “personal data” such as an online identifier using an IP address. The regulations apply to both automated data and manual filing systems when personal data are accessible.
Sensitive personal data
Personal data is defined by the GDPR as any information which is related to an identifiable person. It can include the following:
- Email address
- Social media posts
- Physical, physiological, or genetic information
- Medical information
- Bank details
- IP address
- Cultural identity
More sensitive personal data is also included in the GDPR definition such as genetic and biometric data that is normally processed to uniquely identify a person. Personal data that relates to criminal convictions and offences are not included in the definition, but there are extra safeguards built in to the regulations that apply to its processing. Personal data should be:
- Processed lawfully, fairly and transparently
- Collected in a specific and explicit way for legitimate purposes
- Not further processed
- Adequate, relevant and limited to what’s necessary
- Accurate and kept up to date
- Kept no longer than necessary for the purposes processed
- Processed to ensure appropriate security of the data
How Businesses are Affected
GDPR will apply in the UK from 25th May 2018. The GDPR contains hundreds of requirements concerning the collection, storage and use of personal information and how businesses should identify and importantly, secure personal data. In addition, it also directs how businesses should detect and report breaches of personal data and how to train employees and personnel.
If a business fails to comply with the GDPR regulations, they could face substantial fines and harm to their reputation.
The GDPR allows residents of the EU to have control over their own personal data through the use of “data subject rights.” A company can be fined up to either €20 million (approximately £17 million) or four percent of the company’s annual world-wide turnover, depending on which has the greater value. These company rights include the following:
- To access readily-available information concerning how personal data is used
- To access personal data
- To delete or correct personal data that is incorrect
- To have their personal data rectified or erased in specific circumstances
- To restrict or object to the processing of personal data
- To receive a copy of their personal data
- To object to the processing of their personal data for marketing or profiling purposes
The GDPR defines lawful processing as having a lawful basis to process, such as consent of the data subject, the necessity of processing for performance of a contract, legal obligation or to protect the vital interests of a person or data subject or another person. Processing should also be necessary when it’s needed to carry out a task in the public interest or in the exercise of an official authority.
The GDPR requires that consent must be given freely as an affirmative action, be specific in nature, informed and be the unambiguous indication of the wishes of the individual. Consent can’t be simply inferred from being silent and must be separate from any other terms or conditions.
Rights for Individuals
The GDPR provides the following rights for individuals:
- The right to be informed
- The right to have access
- The right to rectification
- The right of restricting processing
- The right of objecting
- The right to erase questionable statements
- The right to the portability of data
- Rights in relation to profiling and automated decision-making
In most ways, the GDPR will only enforce the fact that individuals are in charge of their own data use. Many organisations have already benefited from adopting similar privacy notices allowing their customers to have real control over the destiny of their data.
Individuals who have not braced themselves to the increasing cyber attack menace may soon find themselves forced to pay attention by consumers, privacy activists, and the regulations of the GDPR.