Simply put, the General Data Protection Regulation is a new piece of EU-wide regulation that mandates how the data of EU citizens can be used. However, this does little to explain the complexity of the new regulation. It affects all organizations handling the data of EU citizens, regardless of their location. In view of the regulation’s vast scope, it is highly recommended that all organizations train their employees in GDPR compliance to avoid any dangerous violations.
First and foremost, it is important to explain that GDPR unifies all previous directives and regulations on data privacy within the EU. It sets out rules on how data is to be created, processed and stored (actions collectively known as “data processing”), as well as what measures must be in place to protect the data at every step.
The regulations also stipulate what kinds of data should be protected: essentially, anything that contains an “identifier” (i.e. can be used to trace an individual) is subject to GDPR protection rules. The nature of identifiers is broad, and includes names, important dates, addresses, photographs, bank details and national identity cards. However, there are other categories of “sensitive” data, such as religion or gender identity, that require greater levels of protection under GDPR.
Regardless of the class of data, GDPR requires that all data is protected by a number of measures. These include anonymisation and pseudonymisation, both of which remove identifiers from personal data files to make it harder to trace the data back to individuals. Encryption is a widely used technique in cybersecurity that ensures that if data is intercepted, it cannot be read by unauthorised individuals. GDPR goes all the way down to password policies, and though these may seem trivial, they are often the first step in protecting against data theft.
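As an added illustration (not part of the original article) of the difference between the two de-identification measures just named: pseudonymisation with a keyed HMAC keeps records about one person linkable and lets only the key holder re-identify a subject, for example to answer an access request, while anonymisation discards the identifiers for good. The field names, sample records and key handling below are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Fields the article lists as identifiers; remaining fields are left in the clear.
IDENTIFIER_FIELDS = ("name", "address", "date_of_birth", "bank_account")

# Constructed sample records (not real people), as a processor might hold them.
SAMPLE_RECORDS = [
    {"name": "Ana Lopes", "address": "12 Rua Azul, Lisbon", "date_of_birth": "1980-02-03",
     "bank_account": "PT50000000000000000000001", "orders": 3},
    {"name": "Ana Lopes", "address": "12 Rua Azul, Lisbon", "date_of_birth": "1980-02-03",
     "bank_account": "PT50000000000000000000001", "orders": 1},
    {"name": "Bo Kim", "address": "7 Elm St, Cork", "date_of_birth": "1991-11-30",
     "bank_account": "IE29000000000000000000002", "orders": 5},
]

def token(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of an identifier. A plain hash would let anyone who can
    guess the input (a name, a date) confirm it; the key stops that unless it leaks."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace each identifier with its token. Equal identifiers map to equal tokens,
    so records about one person stay linkable for processing without naming them."""
    return {f: token(v, key) if f in IDENTIFIER_FIELDS else v for f, v in record.items()}

def anonymise(record: dict) -> dict:
    """Drop identifiers outright. Nothing is kept that links back and nothing can be
    restored: this is the irreversible option, unlike pseudonymisation."""
    return {f: v for f, v in record.items() if f not in IDENTIFIER_FIELDS}

def records_for_subject(pseudonymised: list, key: bytes, name: str) -> list:
    """What the key holder (the controller) can do and the processor cannot: answer
    an access or erasure request by recomputing the subject's token and matching it."""
    wanted = token(name, key)
    return [r for r in pseudonymised if r["name"] == wanted]

def demo() -> dict:
    key = secrets.token_bytes(32)  # held by the controller, never stored beside the data
    store = [pseudonymise(r, key) for r in SAMPLE_RECORDS]
    return {
        "linkable": store[0]["name"] == store[1]["name"],  # same person, same token
        "no_cleartext": all(r["name"] != "Ana Lopes" for r in store),
        "ana_orders": sum(r["orders"] for r in records_for_subject(store, key, "Ana Lopes")),
        "wrong_key_finds": len(records_for_subject(store, secrets.token_bytes(32), "Ana Lopes")),
        "anonymised_fields": sorted(anonymise(SAMPLE_RECORDS[0])),
    }
```

Calling demo() shows the pseudonymised store is linkable and free of cleartext identifiers, that only the correct key finds Ana's records, and that the anonymised record keeps nothing but the orders count.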
There are two main parties referred to throughout GDPR legislation. The controller is the party responsible for initiating data collection and processing; it is usually the one that approaches the data subject and with whom the data subject has the most contact. The second party, the processor, is the one that “handles” the data and processes it according to the controller’s instructions. Both parties must be GDPR-compliant.
How does GDPR protect you?
GDPR was established to provide maximum protection to data subjects and to ensure that they have a say in how their data is processed. This means that they can consent to data collection, object to parts of the processing or ask that their data be deleted.
The main rights established under GDPR are summarised below:
- Right to be informed: At the time of data collection, the data subject must be given information regarding the intended use of the data, how long it will be held and contact details for the controller.
- Right to access: The data subject has a right to request to see their data, which should be acted upon without undue delay.
- Right to rectify: If a data subject can show that there is an error in their information, they may request that this is changed.
- Right to object: Data subjects may object to controllers or processors using their data in specific ways.
- Right to restrict processing: Data subjects may request that their data is not processed further or for certain purposes.
- Right to erasure: If certain conditions are met, data subjects can request that their data is deleted from a controller’s database.
- Right to data portability: Data subjects can request copies of their data in a portable manner, such as electronic copies or paper copies.
- Right to complain: If they feel that their data is being mishandled, data subjects have the right to complain to the controller or an independent authority.
- Right to judicial remedy: If a data subject believes the controller or processor was GDPR non-compliant, they have the right to request a judicial remedy.
- Right to receive compensation: Data subjects have the right to be compensated for material or non-material damage caused by GDPR violations.
- Right to representation: The data subject has the right to be represented by an independent body when making complaints or seeking compensation for GDPR-related issues.
These rights apply to all EU citizens. Any organisation based in the EU must be GDPR-compliant and apply these rules to all users. Any organisation that is not based in the EU but still handles the data of EU citizens must also be GDPR-compliant, regardless of where it is based. This safeguards the rights of EU citizens wherever they are in the world and helps to ensure their data privacy.
GDPR is an extensive piece of legislation. It applies to all organisations, public and private, that operate within the EU and handle the data of EU citizens. It also applies to all organisations outside the EU that handle the data of EU citizens, regardless of their location. Many are concerned about Brexit’s impact on the new legislation, though it is expected that the UK will adopt policies similar to those laid out in GDPR. It is also important to note that GDPR supersedes the previous EU-US Privacy Shield.
GDPR puts individual privacy to the fore. It grants individuals a number of rights, giving them agency over the handling of their own data, and also ensures that, whilst their data is in the possession of other organisations, it is adequately protected.