General Data Protection Regulation or GDPR

CybeRiskBlog, Cybersecurity


With information having become an asset as valuable as, or more valuable than, conventional currencies, organizations across the globe are racing to acquire and exploit more data, often with little regard for the people from whom they collect it.

In an effort to strengthen and unify legislation on online privacy, consumer rights, and data protection across the continent, the European Parliament and the Council of the European Union adopted a regulation of 99 articles on the collection and protection of personal data on April 27, 2016, with the aim of improving privacy for individuals in the EU.

This new EU privacy law was formalized as the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, published in the Official Journal of the European Union in May 2016. In this article, we'll look at what it says, who it applies to, and what its implications are for consumers and for those who consume their data.

GDPR – Binding and Imminent

After its formal publication in May 2016, a period of two years was allowed before the General Data Protection Regulation becomes applicable, primarily to give organizations and individuals who collect or process personal data time to get their houses in order and comply with the wide-ranging and strict rules it sets out.

The General Data Protection Regulation applies to all organizations that process the personal data of individuals in the EU, regardless of where the organization is located. Its terms are set out in the text of the Regulation itself; guidance on interpreting them is published by the EU's Article 29 Working Party, a body of representatives from the data protection authorities of each EU member state.

GDPR is a legal framework that replaces the 1995 Data Protection Directive and the national laws implementing it, and provides a consistent set of conditions for any company or organization that offers goods or services to individuals in the EU or monitors their behaviour. Unlike an EU directive, which each member state must transpose into national law, a regulation is directly applicable and legally binding without further action by member states' governments.

The GDPR is due to take effect as from May 25, 2018 – which gives the affected parties a little over six months to prepare themselves.

GDPR – Controllers and Processors

The General Data Protection Regulation sets out two principal categories of data users to which it applies:

  1. Controllers, or entities (individuals, platforms, or organizations) that determine how and why personal data is processed, and
  2. Processors, which are the agents that act on a controller’s behalf.

For controllers, the GDPR sets out rules on the contracts they must have in place with their processors (Article 28): the contract must bind the processor to act only on the controller's documented instructions and to meet the Regulation's security and confidentiality requirements.

Processors are specifically required to keep records of the processing they carry out on the controller's behalf (Article 30), and they carry legal liability of their own, for example when a data breach occurs on their platform. Organizations established in the EU, and those outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, are all subject to the GDPR.

Certain data processing activities – such as those covered by the Law Enforcement Directive, processing for the purpose of national security, and data processing carried out by individuals purely for household or personal use – are exempt from the GDPR.

GDPR and Personal Data

The General Data Protection Regulation applies to personal data, which it defines broadly as any information relating to an identified or identifiable natural person (the "data subject"). That definition is technology-neutral and covers a wide variety of information-gathering techniques; in practice it catches most data that an organization holds about individuals in the EU.

Uniquely identifying information such as driver’s license or social security numbers are defined as personal data, along with the likes of email and IP addresses, home addresses, dates of birth, online financial data, online transaction histories, and physical device information such as the unique device identifier of your mobile phone.

In addition, the GDPR also applies to user-generated information such as blog and social media posts, and to images uploaded to websites from which a person can be identified (an image can relate to an identifiable person even if it does not show their face, for example a photo of their car and number plate).

GDPR and Sensitive Personal Data

As if that weren't enough, Article 9 of the GDPR sets specific conditions for "special categories of personal data" that are considered sensitive: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data processed to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation. Processing of these categories is prohibited unless one of the exceptions in Article 9(2) applies, such as the explicit consent of the data subject.

Personal data relating to criminal convictions and offences is not in the Article 9 list, but Article 10 of the GDPR restricts its processing to cases carried out under official authority or authorised by EU or member state law with appropriate safeguards.

GDPR Reminder: It’s Not Just Europe

Though drafted for the protection of its citizens or those resident in the EU, the General Data Protection Regulation will have a global reach, and the potential to affect any individual or organization that has regular dealings with the personal information of consumers, subscribers, or partners in the European Union.

GDPR – Increased Territorial Scope

Previously, there was some confusion about the scope of the GDPR, which refers to data processing "in the context of the activities of an establishment" rather than defining geographical territories. Article 3 clarifies this: the GDPR applies to processing by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU, and also to controllers and processors established outside the EU when they offer goods or services to individuals in the EU or monitor their behaviour.

So companies that rely on cloud-based storage and services like Google Cloud, Microsoft Azure, or Amazon Web Services are not exempt from the GDPR, and cannot pass off responsibility for compliance to these third-party providers: the cloud provider is typically a processor with obligations of its own, but the customer remains the controller and is accountable for the processing. And the consequences for not complying with the GDPR could be very severe.

Increased Penalties for Non-Compliance with GDPR

The General Data Protection Regulation is at the same time a set of rules governing the handling of personal data, and a legal framework setting out conditions of compliance for any individual or institution that includes data-handling as part of its remit.

Supervisory authorities (the data protection authority of each member state) have a graduated set of corrective powers under Article 58. They may issue a warning where intended processing is likely to infringe the Regulation, or a reprimand where processing has already infringed it, even when the violation is minor or was committed unwittingly through ignorance of the law.

They may also order the offender to bring its processing into compliance, to honour a data subject's request, or to notify a breach to the affected individuals, and they may impose a temporary or definitive ban on processing. Audits are an investigative power under the same article: the authority can carry out a data protection audit and obtain access to the personal data, and to the premises and equipment, needed to do so.

Administrative fines can be imposed in addition to, or instead of, these measures (Article 83); they do not have to wait for earlier sanctions to fail. The upper tier is €20 million or 4% of the company's total worldwide annual turnover of the preceding financial year, whichever is greater; a lower tier of €10 million or 2% applies to breaches of obligations such as security of processing and breach notification.

That's a lot of money. And it's potentially a whole lot of money, if the non-compliant party is a huge multinational or a globally recognized brand. Little wonder that ensuring compliance with GDPR conditions has moved to the top of the priority list for many commercial organizations. But many are finding it difficult to cross it off that list.

Confused? You’re Not Alone

You may have read through the above, and still be scratching your head over what the General Data Protection Regulation actually means, in terms of your daily life and business. And it’s evident that commercial enterprises across the globe are in a similar position.

A 2017 survey by The Compliance, Governance, and Oversight Council (CGOC) of 132 compliance officers from organizations in multiple industries around the world suggests that only 6% of companies are prepared to be compliant with the General Data Protection Regulation by the time it comes into force in May 2018.

Similarly, a study by the Close Brothers Business Barometer of companies in the UK and Republic of Ireland suggests that small to medium-sized enterprises (SMEs) are struggling with the definition of “personal data” under GDPR. They’re also puzzling over whether the permissions they currently have in place to contact customers will meet with the requirements of GDPR, and the new rights of the consumer as defined under the regulation.

GDPR and Customer Consent

The GDPR solidifies the concept of affirmative consent: where an organization relies on consent to process personal data, the individual must specifically indicate, by a statement or a clear affirmative action, that they agree to their personal information being collected and used. Consent is given to the controller (the company, website, and so on that decides what the data is used for), and it is only one of the six lawful bases for processing listed in Article 6; processing that is necessary for a contract, a legal obligation, or a legitimate interest of the controller does not need consent, but must meet the conditions of that basis instead.

Under the GDPR, a consent request presented to the consumer at the point of entry must be written in clear and plain language (in English, French, or whatever language the person reads), must be clearly distinguishable from other matters such as general terms and conditions, and must state why the customer's data is being requested and what it will specifically be used for. There's no wiggle room for the organization in this, and couching the consent form in legalese to confuse the customer won't be tolerated either. Pre-ticked boxes, silence, or inactivity do not count as consent.

For children under the age of 16 (member states may set a lower threshold, but not below 13), consent to an online service offered directly to a child must be given or authorised by the holder of parental responsibility before the child's information may be collected, stored, or processed by an app developer, entertainment website, social media platform, or any other business that requests it (Article 8).

Consent under the General Data Protection Regulation is very much an “opting in” process – and a customer’s consent may be withdrawn at any time.

GDPR – Rights to Revoke and Alter

Withdrawal of a consumer’s consent to have their personal information collected and processed has several shades under the GDPR – and comes with several implications for the organization that’s holding their data.

For starters, customers must be able to withdraw their consent as easily as they gave it (Article 7(3)), and withdrawal does not affect the lawfulness of processing carried out before it. Within the context of data processing, consumers have the following rights under the GDPR with respect to how their information is handled:

  • Right of access (Article 15): customers can request to see what personal data of theirs an organization holds, along with the purposes of processing, the recipients, and the source of the data. A copy must normally be provided free of charge and without undue delay, within one month.
  • Right to rectification (Article 16): consumers can ask an organization to correct or complete their personal data (if, for example, an entry is incorrect).
  • Right to erasure (Article 17): also known as the "right to be forgotten", whereby personal data must be erased from a company's systems when, for example, it is no longer needed for its purpose or consent is withdrawn, subject to exceptions such as a legal obligation to retain the data, freedom of expression, or the establishment or defence of legal claims.
  • Right to restriction of processing (Article 18): the customer can require a company to stop using their data for anything beyond storage, for instance while the accuracy of the data is disputed or an objection is being considered.
  • Right to data portability (Article 20): where processing is based on consent or a contract and carried out by automated means, the customer can obtain their data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
  • Right to object (Article 21): the customer can object to processing based on legitimate interests or carried out for direct marketing, and direct marketing must stop once an objection is made.
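The consent and rights sections above describe properties, not an implementation. The following is an added example, written for this article and not code from CybeRisk or from any GDPR tooling, showing one way an application could make those properties concrete in its own data layer: consent recorded per purpose with the statement the person agreed to, withdrawal as a single call that is as easy as opt-in, every use of the data gated on the latest consent event, and handlers for access, rectification, restriction and erasure. The subject identifier, purposes, field names and personal data are all constructed sample values; the in-memory store, the class and method names, and the one-month deadline check are assumptions of this example rather than anything the Regulation prescribes.

```python
"""Illustrative consent ledger with data-subject request handling.

Added example for this article (hypothetical names and data). It demonstrates
purpose-bound opt-in consent, withdrawal, and the access / rectification /
restriction / erasure rights, not a complete compliance programme.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class ConsentEvent:
    purpose: str
    given: bool          # True = affirmative opt-in, False = withdrawal
    at: datetime
    statement: str = ""  # plain-language statement the subject actually agreed to


@dataclass
class SubjectRecord:
    data: Dict[str, str]                                  # personal data held
    consents: List[ConsentEvent] = field(default_factory=list)
    restricted: Set[str] = field(default_factory=set)     # purposes the subject restricted


class ConsentLedger:
    """Holds personal data together with the consent history that justifies using it."""

    def __init__(self) -> None:
        self._subjects: Dict[str, SubjectRecord] = {}

    def register(self, subject_id: str, data: Dict[str, str]) -> None:
        # Storing data grants no processing permission: opt-in must be an explicit event.
        self._subjects[subject_id] = SubjectRecord(data=dict(data))

    def give_consent(self, subject_id: str, purpose: str, statement: str) -> None:
        # Consent is recorded per purpose with the exact wording shown, so the
        # organisation can later demonstrate what was consented to.
        self._subjects[subject_id].consents.append(
            ConsentEvent(purpose, True, datetime.now(timezone.utc), statement))

    def withdraw_consent(self, subject_id: str, purpose: str) -> None:
        # Withdrawal is one call, as easy as opt-in, and takes effect immediately.
        self._subjects[subject_id].consents.append(
            ConsentEvent(purpose, False, datetime.now(timezone.utc)))

    def may_process(self, subject_id: str, purpose: str) -> bool:
        # Gate on the latest consent event for this purpose, and honour a
        # restriction request regardless of consent. Unknown subject -> False.
        rec = self._subjects.get(subject_id)
        if rec is None or purpose in rec.restricted:
            return False
        events = [e for e in rec.consents if e.purpose == purpose]
        return bool(events) and events[-1].given

    # ---- data-subject rights ----
    def access(self, subject_id: str) -> dict:
        # Right of access: a copy of the data plus the consent history behind it.
        rec = self._subjects[subject_id]
        return {
            "data": dict(rec.data),
            "consents": [(e.purpose, e.given, e.at.isoformat(), e.statement)
                         for e in rec.consents],
            "restricted": sorted(rec.restricted),
        }

    def rectify(self, subject_id: str, field_name: str, value: str) -> None:
        self._subjects[subject_id].data[field_name] = value

    def restrict(self, subject_id: str, purpose: str) -> None:
        self._subjects[subject_id].restricted.add(purpose)

    def erase(self, subject_id: str) -> bool:
        # Right to be forgotten: drop the whole record. False if nothing was held.
        return self._subjects.pop(subject_id, None) is not None


def demo() -> dict:
    """Walk a constructed subject through opt-in, withdrawal and each right."""
    ledger = ConsentLedger()
    ledger.register("subj-1", {"email": "alice@example.org", "dob": "1990-01-01"})  # sample data
    r = {}
    r["before_consent"] = ledger.may_process("subj-1", "marketing")    # no opt-in yet
    ledger.give_consent("subj-1", "marketing",
                        "We will email you a monthly newsletter. You can unsubscribe at any time.")
    r["after_consent"] = ledger.may_process("subj-1", "marketing")
    r["other_purpose"] = ledger.may_process("subj-1", "profiling")     # consent is purpose-bound
    ledger.withdraw_consent("subj-1", "marketing")
    r["after_withdrawal"] = ledger.may_process("subj-1", "marketing")
    ledger.give_consent("subj-1", "marketing", "Newsletter opt-in (renewed).")
    r["after_reconsent"] = ledger.may_process("subj-1", "marketing")
    ledger.rectify("subj-1", "dob", "1991-01-01")
    r["rectified_dob"] = ledger.access("subj-1")["data"]["dob"]
    r["consent_events"] = len(ledger.access("subj-1")["consents"])
    ledger.restrict("subj-1", "marketing")
    r["after_restriction"] = ledger.may_process("subj-1", "marketing")  # blocked despite consent
    r["erased"] = ledger.erase("subj-1")
    r["after_erasure"] = ledger.may_process("subj-1", "marketing")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that `may_process` is the only way code reads the data, so consent, withdrawal and restriction are enforced at one choke point rather than scattered through the application; a production version would add persistent storage, authentication of the person making the request, and an audit log of who read what and when.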

There are a lot of permutations, and many conditions to be met. It’s also likely that the courts will be kept busy, as legal issues are clarified and the first cases for non-compliance are prosecuted.

According to a recent article from eSecurity Planet, "79% of companies have no plan in place for GDPR compliance". Whatever else it may accomplish, the General Data Protection Regulation should certainly make things interesting in the months and years ahead.

Article: GDPR | The What, Why and When of General Data Protection Regulation
Publisher: CybeRisk Security Solutions