The General Data Protection Regulation (GDPR) is an agreed-upon data regulation law requiring companies operating within and out of the European Union to protect EU citizens’ personal data and privacy. The GDPR replaced the Data Protection Directive 95/46/EC in 2018.
GDPR aims at redesigning how organizations within the European Union member states handle data privacy. The GDPR allows the EU citizens to have more power over their personal information, and it also helps standardize laws pertaining to data privacy.
Examples of the data regarded as personal under this law include; a person’s name, date of birth, photos, bank details, health records, IP address, and biometric information. Organizations are also required by law to send emails to clients or customers asking them to acknowledge their consent and data privacy policies.
To whom and When does the GDPR Apply?
The GDPR applies to all the EU data subjects regarding how their data is collected, processed, stored, or/and transmitted. It’s worth noting that this new privacy law cuts across regions provided the data subject is an EU citizen – meaning the legislation applies to several other countries outside of the European Union.
In a broader sense, GDPR governs both data processors and data controllers. A data controller is an organization that determines the means and purposes of personal processing data, while a data processor is the third party that processes personal data on behalf and under the instruction of the data controller.
Under the GDPR, both the controller and the processor have some obligations, which they must meet to ensure compliance. For instance, the GDPR requires the processors to maintain clear records of personal data and processing activities. In case of a breach, while handling data on behalf of the controller, the processor can be held liable.
Similarly, the GDPR requires data controllers to ensure that their contracts with data processors are GDPR-compliant. That said, GDPR applies to specific processing executed by organizations operating with the European Union or those outside of the EU but offering goods or services to customers/clients/employees in the EU. And while the GDPR applies to most activities inside and outside of the EU, it doesn’t apply to data processed under any of the following categories:
Law Enforcement Directives – In specific contexts, the police and the secret services are exempt from the GDPR.
Matters of national security – The GDPR may be compromised on issues related to national security, e.g., terrorism.
Journalism – The GDPR doesn’t apply to any processing that might suppress the freedom of the press.
Personal or purely individual activities – Article 2 of the GDPR states that the law doesn’t apply to “purely personal or/and household activities.” Recital 18 further highlights the examples of personal and household activities to include keeping a journal/ address book, personal correspondence, or social networking.
Education Sector – Learning institutions aren’t always required by law to provide students access to their examination materials.
Getting Ready for GDPR
If you are a data processor or controller, you need to pay keen attention to the following technical controls to help you stay GDPR-compliant.
Identity and Access Management (IDAM) – Always ensure that only the authorized individuals have the (least) privilege to access onlythe data they need to execute their jobs. Employees with access to sensitive customer/client data should also undergo some rigorous privacy training to ensure they understand their role and the risk of handling sensitive data.
Data Encryption and Pseudonymization – GDPR advises but doesn’t require data processors and controllers to implement data encryption and pseudonymization. However, in case of a data breach, investigators will check if you had your data encrypted. So, it’s definitely a must-have technical control.
Third-party Risk Management – GDPR uses the “liability for all” concept to determine who’s liable in case of a data breach where the processor, controller, or/and sub-processor are involved. To be on the safer side, always ensure that the contractual relationship between either of these parties is GDPR-compliant.
Incident Response Plan (IRP) – It’s advisable to have a plan in place that addresses preparation, disaster identification, possible containment, eradication, and recovery measures. The GDPR further requires any organization that suffers a data breach to report the incident to the Data Protection Authority and the data subjects without delay, i.e., within 72 hours.
Data Loss Prevention (DLP) – The GDPR holds both the processor and the controller liable for data loss. Having a reliable DLP tool is, therefore, a priority for any organization that collects personal data.
Policy Management – Meeting all the GDPR compliance narrows down to having a solid policy framework deeply rooted within the organizational culture. It’s through policy management that all the other technical controls become easy to implement and follow through.
When it comes to data, playing catch-up isn’t always healthy for your business. The sooner you take action on your data protection and compliance issues, the better you can address the elephant in the room. This allows you to focus on what matters the most – without fears of violating one of the strictest online data and privacy laws.