Skip to content

Page029

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the current privacy and security law in the European Union. It was finalized in May 2018 and carries severe penalties for breaches of Personally Identifiable Information (PII): “the fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages”[^6].

GDPR contains seven data protection principles:

  • Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  • Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  • Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  • Accuracy — You must keep personal data accurate and up to date.
  • Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  • Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  • Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles[^6].

Breaches must be reported within 72 hours (the notification requirement may be waived if encryption is used). GDPR defines the following terms:

  • Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
  • Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing … so basically anything.
  • Data subject — The person whose data is processed. These are your customers or site visitors.
  • Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
  • Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers like Tresorit or email service providers like ProtonMail[^6].

Data subjects have specific privacy rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling[^6].

The European Union’s GDPR site maintains an excellent “What IS GDPR” website (partially quoted above): https://gdpr.eu/what-is-gdpr. It is well worth a deep read before taking your exam.