What is GDPR?
How is it Different than the EU Data Protection Directive?
GDPR (General Data Protection Regulation) is the data protection law of the EU that replaced the earlier EU Data Protection Directive (95/46/EC) when it took effect on 25 May 2018; the UK retained it in domestic law as the UK GDPR after leaving the EU. The most significant difference between the two instruments is the difference between a regulation and a directive.
Both are binding EU law, but a directive only binds member states as to the result to be achieved and must be transposed into each country's own legislation, which is where the old Directive's patchwork of national variations came from. A regulation is directly applicable: GDPR became law in every EU member state on the same day without national implementing acts, although it still leaves a few points (such as the age at which a child can consent to online services) to member state law.
Put another way, a regulation is a single set of rules that applies uniformly, while a directive sets a goal and leaves room for each member state to interpret and implement it.
While the previous Directive did not define a data breach, GDPR (Article 4(12)) includes this very broad definition: a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Note that integrity and availability incidents count, not only confidentiality ones: ransomware that encrypts a customer database, or a lost unencrypted laptop, is a breach even if nobody is known to have read the data.
These two definitions matter together, because between them many different events or activities qualify as GDPR breaches. Personal data is defined in Article 4(1) as “any information relating to an identified or identifiable natural person”, so it is not just data that could be used for fraud or identity theft.
What is the purpose of GDPR?
GDPR governs how organizations collect, process, store and ultimately destroy personal data once it is no longer needed. It gives individuals control over how organizations use information that relates to them, through eight specific rights (listed below).
It also lays down strict rules on what must happen when personal data is breached: the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the organization becoming aware of the breach; affected individuals must be told when the breach is likely to result in a high risk to them; and fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
How Does the GDPR Define “Personal Data”?
The GDPR definition of personal data is among the broadest in any privacy law. It paints “personal data” with a very broad brush to encompass virtually any information that can identify an individual, directly or indirectly. Examples include:
Direct or indirect identification (a name on its own, or a combination of job title, employer and location that singles one person out)
Assigned identifiers (customer numbers, employee IDs, cookie IDs, device identifiers)
IP addresses
For GDPR compliance, keep the phrase “any information” top of mind: assume that any data in your possession that relates to a person is personal data, and handle and protect it accordingly. The Court of Justice of the European Union has read the definition broadly and has brought less obvious information within it. Records of when an employee starts and stops work, or a candidate's written answers to an exam together with the examiner's comments on them (Nowak v Data Protection Commissioner, 2017), are personal data of the person concerned.
GDPR also counts subjective information as personal data, so opinions and assessments such as work performance reviews, a lender's estimate of creditworthiness, and similar judgements are covered.
GDPR also applies different levels of protection. Special categories of personal data (Article 9), such as genetic and biometric data, health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data about sex life or sexual orientation, may only be processed under specific exceptions and demand a higher standard of protection.
Who Does GDPR Apply to?
GDPR protects natural persons, that is, living individuals. It covers any information relating to an identifiable person from birth until death (the regulation itself does not apply to the data of deceased persons, although member states may make their own rules there). It does not protect organizations, businesses, institutions or other legal persons, so data about a company as such is not personal data, although data about the people who work there is.
Organizations that store or process personal data of people in the EU are obligated to comply with GDPR even if they are located outside the EU, where they offer goods or services to those people or monitor their behaviour (Article 3).
Remember, the regulation defines personal data as “any information relating to an identified or identifiable natural person.”
GDPR's impact on IT staff should not be underestimated. Controllers, processors, data protection officers and others all play a role in achieving and demonstrating compliance. As a refresher on the roles the regulation defines:
Controller
A controller, alone or jointly with others, determines the purposes and means of processing personal data: why it is processed and how. The role is carried over from the data controller role under the old EU Data Protection Directive, but with expanded obligations. The controller is legally responsible for the processing, may only engage processors that provide sufficient guarantees, and must bind each processor by a written contract (Article 28) that sets out what the processor may do with the data.
Processor
A processor is any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. Examples include third-party companies such as marketing firms and cloud hosting providers. Processors have direct obligations of their own under GDPR, including keeping the data secure and notifying the controller of any breach without undue delay.
Data Protection Officer
A data protection officer (DPO) may need to be designated as the lead authority on GDPR compliance within the organization. Briefly, a DPO is required (Article 37) when processing is carried out by a public authority or body, when the organization's core activities involve regular and systematic monitoring of individuals on a large scale, or when its core activities involve large-scale processing of special categories of data or data relating to criminal convictions and offences.
Controllers, Processors or Organizations Outside the EU
Controllers, processors or other organizations outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour, must also comply with GDPR. The test is where the people are, not their citizenship: a non-EU company serving people who are in the EU is in scope, while an EU citizen living abroad and using a non-EU service generally is not.
The 8 Rights of GDPR
Right to Be Informed
Right to Access
Right to Correction (Rectification)
Right to Erasure (Right to Be Forgotten)
Right to Restriction of Processing
Right to Data Portability
Right to Object to Processing
Right to Not Be Subject to Automated Decision Making
Challenges for GDPR Compliance
Complying with GDPR is not without its challenges, but jurisdictions around the world have recognized that strict rules protecting personal data serve both individuals and the organizations that hold it, and many have modelled new privacy laws on GDPR. A few of note: the California Consumer Privacy Act (CCPA), Canada's proposed Digital Charter Implementation Act, and Brazil's Lei Geral de Proteção de Dados (LGPD).
To comply, organizations must do the hard work of upholding the rights of their data subjects, conducting data protection impact assessments for high-risk processing, notifying breaches within the required timeframes, and keeping records of processing and audit trails that demonstrate compliance. And although GDPR is an EU law, its reach is global: organizations outside the EU that have employees or customers in the EU, or that process EU personal data outside the EU, must also comply.
IT staff may have relied on manual processes or temporary controls when GDPR first took effect, but that approach is not sustainable. Automated, consistently applied data protection controls are a better fit for the regulation's requirements to limit access to personal data and to secure it at rest and in transit. Three areas are of particular concern to IT teams:
Security
Data management
Automation
Meet GDPR Requirements with a Suite of Security Solutions
Complying with GDPR requires a layered approach, best met with a suite of security solutions that integrate across the enterprise to enforce the policies you set. Fortra's security suite offers a range of security-focused solutions to help you meet your GDPR obligations:
Email Security
Data Classification
Vulnerability Assessments and Intrusion Protection
Secure Managed File Transfer (MFT)
Infrastructure Protection
Data Loss Prevention
We Can Help with GDPR Compliance
Contact the professionals at Fortra for a free 30-minute consultation on which solutions are best for your organization. We'll help you determine what you need to do next to comply with GDPR.