The General Data Protection Regulation, commonly referred to as GDPR, is privacy legislation that standardizes data privacy laws in the European Union and aims to give individuals more control over their data. Though the legislation went into effect on May 25, 2018, some organizations still struggle to both understand and comply with GDPR and its complexities.
Nearly a year after GDPR went into effect, it still remains to be seen how effective the regulation really is, with various research reports within the industry indicating that many organizations subject to GDPR still fall short when it comes to data management.
GDPR is a complicated regulation, so before practitioners and consumers try to wade through it, they should familiarize themselves with the following basic but important terms.
General Data Protection Regulation: The EU GDPR aims to make businesses more transparent about how they handle the data of individuals — referred to as data subjects — as well as to expand the privacy rights of those data subjects.
The GDPR requirements apply to all data produced by EU residents, including non-citizen residents, whether or not the company collecting the data is located within the EU. They also apply to all people whose data is stored within the EU, whether or not they are EU citizens; this could include students, tourists and so on.
A specific mandate of this regulation is that if a company detects a data breach, it must report the breach to its supervisory authority within 72 hours. Also, companies subject to GDPR may not legally process any person’s personally identifiable information (PII) unless the data subject gives explicit, and revocable, consent for the company to do so. Companies cannot process PII without meeting this condition and at least one of six further conditions. Those conditions, as well as further mandates and data subject rights, can be found in this article.
Data breach: A data breach is a confirmed incident in which sensitive, confidential or protected data is accessed or disclosed without authorization. A data breach can be intentional, as when a malicious actor breaks into a network and steals data, or accidental, as when an employee unknowingly takes classified information outside the workplace.
The EU GDPR mandates that, in addition to reporting breaches to legal authorities within 72 hours, companies that experience any kind of significant data breach have to report it to the affected data subjects “without undue delay” when “the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.”
Personally identifiable information: Personally identifiable information, or PII, is any data that could be used to identify a specific person. PII can be sensitive or non-sensitive information. Sensitive PII includes biometric data and medical information. Non-sensitive PII includes information that anyone can gather from public records or websites, such as names.
Under GDPR, companies may not legally process any person’s PII without first meeting certain criteria. Also, data subjects can request that their PII — including IP addresses and photos — be erased from a company’s storage.
Data protection officer: A data protection officer, or DPO, is an enterprise security position that ensures data management and handling are compliant with GDPR. Beyond GDPR, the DPO is also responsible for the organization’s general data protection strategy. GDPR mandates that every company that handles large amounts of data subjects’ PII must appoint a DPO who is an expert in data protection and law.
The right to be forgotten: The right to be forgotten is one of the rights given to data subjects under GDPR. It is the concept that individuals have the civil right to request that personal information be removed from the internet and from companies’ storage. Enterprises doing business in the EU need to address GDPR’s right to erasure clauses or face financial penalties.
Data Protection Bill of 2017: This is a piece of legislation that replaced the Data Protection Act of 1998 and was designed to balance the privacy needs of U.K. and EU citizens. It is, in a sense, a U.K. version of GDPR, as the U.K. plans to withdraw from the EU. Many of the provisions of the Data Protection Bill of 2017 are like those of GDPR, including transparency and the requirement for a DPO to oversee how data is handled.
EU Data Protection Directive: Also known as Directive 95/46/EC, this is a directive adopted in 1995 by the European Union to protect all personal data collected for or about citizens of the EU, especially as it relates to processing, using or exchanging such data. The Data Protection Directive was superseded by GDPR.