The General Data Protection Regulation or GDPR is one of Europe’s strictest regulations with a framework designed to ensure businesses protect the privacy of people residing within the European Union. Before we get into covering some of the important terms within GDPR, let’s first try to understand how it all came about.
The issue of ensuring privacy rights has been around ever since the internet has been widely used by the public. The EU adopted the Data Protection Directive (DPD), in 1995 to protect the processing of personal data restricting the movement of such data only for purposes previously stated and agreed upon by the individual and the collector.
Just like GDPR, the entire framework was built on seven principles that revolved around consent, security and accountability but unlike GDPR these laws were not fixed and could often differ based on where the data subject was located within the EU. Regulators soon realized they had a problem. They set out to establish the OECD guidelines within the Data Protection Directive to make sure all EU member states followed the same data protection requirements.
It was in 2015, the EU made the decision to improve the existing data protection framework giving rise to the GDPR regulation. By 2018, the EU GDPR completely overtook DPD. All businesses handling personal data of EU citizens were now required to follow this new regulation.
How to ensure data protection with the seven principles of GDPR
The seven principles of GDPR gives a brief guide on managing data privacy and constitutes some of the practices organizations need to implement to minimize risks pertaining to data protection and maintaining compliance with the rights of the individual. These include:
Lawfulness, Fairness and Transparency
Organizations should be clear on the purpose behind collecting the data and the reasons for which it is being used for. This shows all the data processing activities are done in a legitimate manner and gives data subjects the assurance their personal data is collected purely on a lawful basis.
Fairness means the data should be handled in a way that is familiar to the individual. Only information that the individual has consented to should be processed by the organization. Transparency requires businesses to be very clear and open about their data processing activities.
The main objective behind this principle is to limit the amount of personal data being processed. The data should be collected and managed only along the lines that is reasonable and justifiable to the concerned data subject.
Data Minimisation, Accuracy and Storage Limitation
These three principles, collectively known as ‘data principles’, defines the standards in which data should be handled. These principles can be found within Article5(1)(c), (d) and (e) of GDPR respectively.
Data minimisation – data collection should be strictly restricted to the minimum amount of data needed to carry out a specific purpose.
Accuracy – gives individuals the right to correct any inaccuracies in their data. Organizations should have some sort of system in place to ensure constant accuracy by having periodic updates or rectifying any measures that leads to the inaccuracy.
Storage limitation – have well written policies that properly defines data disposal and retention periods.
Integrity and Confidentiality
An adequate amount of security measures should be in place to ensure protection of data against any unlawful disclosure, modification or erasure. Both technical and operational measures should be considered while guarding information within the systems and networks.
This principle essentially boils down to these two factors – the organization should be held accountable to complying with all its applicable requirements of GDPR and should be able to demonstrate its compliance in a clear and concise manner.
It helps build the trust of the data subjects and improve your reputation as an organization that takes data privacy seriously. There should be documents in place stating how personal data will be processed, its purpose and time period in which the data will be processed for.
Sensitive data should be protected in accordance with the laws and regulations of the geographical location of the data subject. This requirement came into prominence with the rise of cloud-based applications and the increased amount of data transfer across international borders.
Rights of data subjects
Access and Rectification
Individuals have the right to submit subject access requests and be rightfully informed by the organization whether their information is being processed or not. When getting the request, the organization must send a copy of the personal data they collect about the individual.
The right to rectification gives individuals the freedom to reach out to organizations to correct any inaccuracies in the information they have about them.
Right to Be Informed
This gives individuals the right to know the information being collected about them, its purpose, the processes and systems used in which the data is processed and the retention period which states how long the data will be kept for. This also provides them with the right to file a complaint.
It provides individuals with the right to obtain their own personal data previously collected by the organization. They could also send in a request to have the information transferred to another organization. This can only be applicable if the individual has come to an agreement with the organization by the means of a contract or consent and the processing activities are carried out through automated means.
Right to Erasure
Allows individuals to request the deletion of their personal data if:
Right to Restriction of Processing
Gives individuals the right to refrain organizations from processing their data. This right can only be exercised if:
Right to Rectification
Individuals can ask organizations to correct any inaccurate information organizations may have about them. Once the request is sent, organizations are given a month’s time to respond to it and rectify it.
Right to Object
This gives individuals the right to object the processing of personal data for marketing or other legal purposes.
Glossary of important GDPR terms
The material scope of GDPR is defined within Article 2. It refers to the automatic and manual processing of personal data of the data subjects.
Data processing of subjects within EU will not fall under the purview of GDPR if:
The European Data Protection Board (EDPB) in 2019 updated the territorial scope of GDPR. Defined within Article 3 of the legislation, it sets out to ensure full protection of the rights of the data subjects and require businesses operating internationally to completely assess their data processing activities.
In Article 3, the territorial scope is applicable to:
GDPR is applicable to EU member states and EEA countries such as Iceland, Lichtenstein and Norway.
Roles and Bodies
The data controller determines the purposes for which information is controlled and processed. It is their responsibility to ensure data processing is done in accordance with the seven principles of GDPR. They determine the type of data the organization needs to collect and purpose behind collecting the data. A controller could be an organization or an individual responsible for collecting the data.
A data processor processes the data the controller gives them. Even though they don’t have the authority to define the purpose behind the processing activities they will be held accountable if anything happens. Although the responsibilities of a controller and processor are clearly defined within the legislation, there can be gray areas where the duties overlap. A data processor could also be an external party the controller uses to process the data. Data processors could be an individual or an organization such a cloud service or a data analytics provider.
Data subjects are those individuals within the Union who can directly or indirectly be identified by the data collected and processed by the organization.
Data Protection Officer (DPO)
Organisations are required to appoint a data protection officer if they process personal data on a large scale or process special categories of personal data such as ethnicity and race. They oversee the complete implementation of the processing activities and ensure it is done in alignment with the requirements set forth within the legislation.
Also known as Data Protection Authority, a Supervisory Authority is found within each member state and is responsible for supervising the implementation of the European Data Protection Law which includes GDPR and other national laws within their respective member state. If an organization processes data just in a single member state, they could contact the SA of that state. If data processing is done across different member states, it would involve communicating with the Supervisory Authorities of those member states.
According to Article 4(9) GDPR, a recipient is defined as a “natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not”. The data subjects should be informed of the recipients of their personal data.
This includes any individual or organization who is not a data controller, processor or other entity for processing data.
Article 27 of GDPR mandates organization operating outside of EU to appoint a representative within the Union if they are processing personal data on a large scale and do not have establishment within the EU.
This makes it easier for data protection authorities to ensure secure processing of the data subjects. Representatives shall be identified within the privacy notices of the non-EU based businesses and shall be a point of contact with supervisory authorities and data subjects on all matters relating to data processing and general compliance with GDPR. They shall also maintain records of the data processing activities.
This could constitute a natural or a legal person engaged in economic activities. The term also covers the partnerships and associations they maintain to aid in their economic activity.
Information Society Service
Article 1(1)(b) of Directive (EU) 2015/1535 defines an Information Society Service (ISS) as
any service normally provided for renumeration, at a distance, by electronic means and at the individual request of a recipient of services.
This means the service is provided at a distance without the end party being simultaneously present with the provider. Electronic includes the usage of an electronic equipment to process, store and transmit the data. ‘At the individual request of a recipient of services’ simply means the service is provided at the request of the individual. Thus, websites, search engines, apps, online stores and other online services would be an ISS.
These are organization and its supporting bodies that are governed by a public international law. It also includes other bodies setup as a result of an agreement between two or more countries. They may collect and process information for humanitarian missions or monitoring trends for research purposes.
Central administration is the place within the EU where the purposes for processing data and the means by which this is done is determined. The main establishment should be the same place as the central administration. Companies need to show they have proper management and enough controls in the main establishment.
Data in which an individual can be identified based on their inherited or acquired genetic characteristics.
Any information such as an address, credit number or telephone number which could relate to the identifiable person. GDPR defines personal data as the following
any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Natural persons are data subjects who are living.
Special Category Data
They fall under the classification of personal data but require more protection since they are sensitive. Some of which include racial identity, religious beliefs, sexual orientation, genetic data and biometric data.
Due to its sensitive nature, GDPR requires organizations to conduct periodic privacy impact assessments and maintain adequate protection methods to secure biometric data.
Data Concerning Health
Data that can reveal the current, past and future physical and mental health condition of the data subject.
It defines any actions performed on personal data by automatic or manual means. These include but not limited to collection, storage, alteration, retrieval, transmission and disclosure.
It forms the dual purpose of collecting personal data and using the data to map out the behaviour and decision-making route of the individual.
Processes the personal data in a way it cannot be identified with the individual without the help of an additional information such as a key. It only consists of unique references to the data and not the personal data itself.
It removes personal identifiers from the data rendering it anonymous.
Defines the method in which information ought to be stored and organized in order for it to be easily identifiable and retrieved.
This is one of the principles of GDPR which states data should only be collected and processed in accordance with the purposes stated in advance to ensure data privacy.
Cross Border Processing
Cross border processing refers to the processing of data in more than one member state. In such cases, the organisation should clearly identify the supervisory authority they need to report to.
Privacy by Design
Encourages organisations to consider privacy from the beginning instead of implementing it at a later stage. When designing a process or a product, they should address various privacy concerns right from the start. This includes conducting a data protection impact assessment whenever a new service concerning processing of personal data is used and having enough organisational and technical controls in place.
Data Privacy and Data Security: the connection and distinction
Policies and managing data breach incidents
Binding Corporate Rules
Binding Corporate Rules (BCRs) have been around before GDPR. Their relevancy has just improved with the coming of GDPR. They define the rules and code of conduct organizations need to follow to secure personal data during cross border processing to organizations or multinationals outside of EU.
GDPR defines BCR in Article 1 as follows:
binding corporate rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Personal Data Breach
It can be defined as breaches to personal information that could lead to its unauthorized and unlawful destruction, loss or disclosure. The three pillars of information security are considered while evaluating personal data breaches, which includes confidentiality, integrity and availability. Confidentiality breaches refers to unauthorized disclosure of the information. Integrity breaches to the accidental modification of the data and availability breaches happens when the information is lost or destroyed.
Data Breach Notification
When personal data breaches do occur, organizations are required to report it to their relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to affect the data subject, they should be informed as well. It’s advisable to maintain records of the personal data breaches.
Data Protection Impact Assessment
The EU GDPR and DPA 2018 mandates organisations to conduct assessments to minimize risks in certain types of data processing activities. They are required when the processed personal information may lead to high risk resulting in the violation of the rights and freedom of the individual and when new processing activities and systems are introduced. They help organizations evaluate the effectiveness of their security measures.
EU GDPR vs UK GDPR vs DPA: Understanding the difference between the three
Although the decision to leave the Union was taken in 2016, it was only four years later UK officially ceased being a part of the EU. In preparation for this withdrawal, the EU Withdrawal Act of 2018 was adopted by the government to include some of the EU regulations along with the domestic laws. With the rise of the UK GDPR, all references to EU institutions were replaced by institutions within the UK. The UK GDPR is essentially the same as the EU GDPR with just some minor differences.
UK’s Data Protection Act (DPA) is UK’s implementation of GDPR wherein some of the rules defined by the GDPR has been woven into the legal systems within the UK. It sets the laws and procedures organizations need to follow while processing data of subjects within the UK.
Ensuring GDPR compliance with endpoint management
Your organization may already have enough controls in place to maintain data privacy and you may even have a data protection officer to oversee and manage these controls. However, ensuring the safety of the data residing within the endpoints you use requires constant monitoring. A UEM solution helps organization maintain compliance with GDPR by giving IT admins various insights on how securely the data is stored and implementing various measures to ensure user privacy is not affected in any way. The operating systems of the devices in use and important enterprise applications can be remotely updated to minimize any risks that comes with using an outdated version of the OS or application.
Ensuring endpoint security
How secure are your endpoints? Get a free trial to understand how UEM helps in scaling up the security of all the devices your organization manages.sign up
Share your thoughts