Impact of the EU General Data Protection Regulation
The definition of personal data will become broader, bringing more data into the regulated perimeter
Previously, personal data has been defined as data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. The Regulation expands the definition of personal data such that data privacy will encompass other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Under the Regulation, if inaccurate personal data is held and has been shared with another organisation, the other organisation must be told about the inaccuracy so it can correct its own records.

If a business is not in the EU, it will still have to comply with the Regulation
Non-EU controllers and processors who deal with EU subjects’ personal data must comply with the new Regulation. Although enforcing regulation beyond EU borders will be a challenge, those providing products or services to EU customers, or processing their data, will face sanction under the Regulation if an incident is reported.

Children’s data
The Regulation will bring in special protection for children’s personal data.

Introduction of data breach notification regulations and changes in liability will have a profound impact on the supply chain
There is no obligation to notify authorities of data breaches under the current Directive, although there are some sector-specific requirements, such as those applicable to communications providers and ISPs under the E-Privacy Directive. Not all breaches will have to be notified to the regulator, only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach; where the breach puts individuals’ data at risk, the data subjects must also be informed. The Regulation clearly calls for more effective data breach investigation, categorisation, containment and response infrastructure. Additional information will also need to be provided to people making requests, such as data retention periods and the right to have inaccurate data corrected.

Introduction of mandatory privacy risk impact assessments
A privacy impact assessment is a tool which can help identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy.

Privacy by design
The current EU Directive does not include any clauses related to privacy by design, but under the new Regulation data controllers will have to implement appropriate measures to ensure that processing protects the rights of the data subject, that only the minimum personal data will be processed, and that the data is not disclosed more widely than necessary.

The international transfer of data
Since the Regulation will also be applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers will need to appoint representatives in the EU. The separate EU-U.S. Privacy Shield agreement also contains strict penalties for those in breach of the privacy of European citizens and requires parallel consideration.

Data portability
The right to data portability is new in the Regulation.

Appointment of a Data Protection Officer
Some organisations will need to appoint or designate a DPO to take responsibility for data protection compliance.
GDPR is a good thing
GDPR solves two problems:
* Businesses which collect whatever data they can put their hands on, and sell it to the data brokers. GDPR substantially changes it, allowing people to control their data. “You’d like to keep this data from this forever? Certainly! Now if your business unit is committing to GDPR responsibility for maintaining this data, we’ll notify the DPO and … oh, you want to delete it? Done. Cheers!”

What do you mean by “Auditable way of wiping data”? Just that there will be a log that the data was wiped, but the actual data is gone forever?

In the event that you have to restore data from a backup for operational purposes, you need to cross-reference it to the record of deletions that occurred since the backup was created to ensure that any such data is either not restored, or is immediately deleted again.

Which company do you work for, if you don’t mind me asking?

Can you explain in more detail how the GDPR applies to unstructured forms? Would those be forms specifically for inputting personal data, or any free text at all?

Any personal data is subject, whether it is contained in Word documents, PowerPoints, spreadsheets, text files, database dumps, PST files, CSV files, etc.

Surely you’re not expected to treat any possible data you receive as personal, just in case?

If you’re providing a consumer storage service, and users are uploading their own data for personal use, this is outside the remit of GDPR. If you’re providing a storage service to a business that handles personal data, you’re a data processor, not a data controller. If you’re the data controller, you need a classification technology that can identify personal data in those documents.

GDPR, the latter, is a general law… In our case it will likely mean that we have a defined, documented procedure in place to remove the customer’s data within the specified period.

It’s not just that you can no longer hold backups for an extended period as a form of pseudo-archive, but that for those backups you do keep for operational restore purposes, you have to ensure that data that was deleted or redacted under the GDPR right to erase is not subsequently restored during a routine recovery, or is immediately deleted / redacted after the data set is recovered.

I would not complete the transaction if that data was requested without very good reasons, and have already point-blank refused to take up ‘incentives’ for superfluous data.

“Who does the GDPR affect? The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

“In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.”

We find there is a core tension between GDPR’s principle of data minimization and the SaaS practice of data-driven innovation.

I am an EU citizen, but live in a non-EU country. Does the GDPR regulation apply to data about me?

I’m still thinking how I’m going to remove all that sensitive data from my old backups.
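One way to implement the backup-restore reconciliation the thread describes (an erasure ledger that outlives the data, checked against every restored record set) as an added example that is not part of the original discussion; the function names, the pepper and the sample records are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample secret; in practice the pepper lives in a secrets store,
# separate from both the backups and the ledger.
PEPPER = b"example-pepper-not-for-production"


def subject_token(subject_id: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of a subject identifier. The ledger must be kept after the
    data is gone, so it stores this token rather than the identifier itself."""
    normalised = subject_id.strip().lower().encode("utf-8")
    return hmac.new(pepper, normalised, hashlib.sha256).hexdigest()


def record_erasure(ledger: list, subject_id: str, erased_at: str, reason: str = "art17") -> dict:
    """Append an auditable, non-identifying entry to the erasure ledger."""
    entry = {"token": subject_token(subject_id), "erased_at": erased_at, "reason": reason}
    ledger.append(entry)
    return entry


def reconcile_restore(backup: dict, ledger: list, id_field: str = "email") -> tuple:
    """Split a restored record set into (restored, suppressed).

    A record is suppressed when its subject appears anywhere in the ledger.
    Erasures logged after the backup was taken are the case the post describes;
    an older entry should never match a record in the backup, and if it does the
    original deletion was incomplete, so suppressing it is still the right call.
    """
    erased = {e["token"] for e in ledger}
    restored, suppressed = [], []
    for rec in backup["records"]:
        if subject_token(rec[id_field]) in erased:
            suppressed.append(rec)
        else:
            restored.append(rec)
    return restored, suppressed


def demo() -> tuple:
    # Constructed sample data: a backup taken before one subject asked for erasure.
    backup = {"taken_at": "2018-05-01T00:00:00+00:00", "records": [
        {"email": "alice@example.com", "name": "Alice"},
        {"email": "bob@example.com", "name": "Bob"},
    ]}
    ledger = []
    record_erasure(ledger, "Alice@Example.com ", "2018-05-20T09:30:00+00:00")
    return reconcile_restore(backup, ledger)
```

Apply the suppressed list as a re-deletion job on the restored store, and log that run against the ledger entries so the audit trail covers the restore as well as the original erasure.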