Understanding the new General Data Protection Regulation (GDPR) can be challenging. It’s a complex law with confusing language. Making matters worse, the law has a far reach and prescribes potentially hefty fines for non-compliance. Without understanding the basics of the law, it could be easy to make an unwitting mistake that could cost you.
A Crash Course in GDPR
What exactly is GDPR and what does it attempt to accomplish? In the time-honoured tradition of the journalistic practice of answering the “5Ws and 1H,” here is a high-level breakdown of GDPR.
GDPR (General Data Protection Regulation) is a regulation passed by the European Union (EU) set up to protect the personal data of EU citizens. GDPR defines any data that makes a person identifiable as personal data.
Under the new regulations, persons are referred to as data subjects, meaning “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as name, ID number, location data, online identifier or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” In short, this covers everyone who has data about themselves collected by any business or organisation.
GDPR requires not only that all personal data is protected, but also that a business can show the measures it has taken to ensure that data is protected. This applies to both physical and digital data, and to all personal data whether it is being collected, processed, stored or transmitted. Under the new legislation, businesses must be able to identify in a timely fashion when personal data becomes exposed or compromised.
The regulation applies to every organisation regardless of whether it is located in the EU or not. GDPR applies to the following:
- Any organisation in the EU, even if the processing of data takes place outside of the EU
- An organisation processing EU citizens’ data in the context of selling goods or services, or even monitoring data subjects’ behaviour in the EU. This still applies even if the organisation is located outside the EU.
- Data controllers (defined as the entities that determine the purpose, conditions and means of the processing of all personal data) that are located outside the EU, but where the EU law applies due to international law.
In addition, GDPR keeps the current rules surrounding data transfers in place. Data transfers typically occur only with nations that have adequate protection. However, GDPR does allow for codes of conduct and certifications that, when approved, allow exceptions.
Unfortunately, the new regulations do not come with clear directions on how to achieve compliance, only that compliance must be met, otherwise extremely large penalties will be issued for non-compliance. However, the regulation states that measures for protecting personal or sensitive data include:
Data classification, data loss prevention, encryption, managing consent more explicitly, data transfer limitations, and technologies that enable data subjects to exercise their rights to access, rectify, and erase personal data held by data controllers.
Based on this alone, it would be beneficial for businesses to employ IT security best practices and control frameworks such as Cyber Security Essentials (UK).
It’s Not Too Late To Act!
With the 25th of May just around the corner, if you haven’t started making preparations to get yourself compliant, now is as good a time as any! Remember that GDPR does not just apply to electronic data; it applies to ALL data, including paper files!