If your company processes the personal data of individuals in the European Union, the General Data Protection Regulation (GDPR) is likely a hot topic around the office right now. Once the regulation becomes enforceable on 25 May 2018, companies in violation of the GDPR could face massive penalties: Article 83 allows administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. But creating a compliance plan for your company can be quite difficult if you're unfamiliar with the language used in the regulation.
With that in mind, we've broken down 11 of the GDPR's most commonly used terms to help your organisation work toward compliance.
1. Personal Data
Personal data is any information that identifies, or could be used to identify, a living person, directly or indirectly. Formally, article 4 of the GDPR defines personal data as "any information relating to an identified or identifiable natural person". The identifier could be a name, an identification number, location data, an online identifier (such as an IP address or a cookie ID, per Recital 30), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Note that pseudonymised data which could be linked back to a person with additional information is still personal data (Recital 26); only properly anonymised data falls outside the regulation.
2. Controller
A controller is the entity that decides why and how personal data is processed. More specifically, under article 4, a controller is defined as the entity that "determines the purposes and means of the processing of personal data". In other words, if you decide what personal data to collect from people in the EU and what to do with it, you are a controller under the GDPR, whether or not your company is based in the EU (see Article 3 on territorial scope). Two or more entities that make those decisions together are joint controllers (Article 26).
3. Processor
A processor is an entity that processes personal data on behalf of a controller, typically a vendor or service provider such as a cloud host, a payroll company or an analytics provider. Article 4 defines a processor as an entity "which processes personal data on behalf of the controller". Processors may only act on the controller's documented instructions (Article 28), and the same organisation can be a controller for some data and a processor for other data (see below for the definition of "processing").
As a controller, if you don't already have a complete list of all the vendors that process personal data on your behalf, now is the time to build one. Once you have this list, you'll be able to review the contractual agreements in place with each processor and determine whether they need to be revised to comply with the GDPR. Article 28 requires a written contract that, among other things, obliges the processor to act only on your instructions, keep the data confidential, assist you with data subject requests and breach notification, and delete or return the data when the service ends.
4. Processing
Processing is any operation performed on personal data, whether or not by automated means. "Processing" is very broadly defined under article 4 of the GDPR and includes collecting, recording, organising, storing, retrieving, using, disclosing, combining, restricting, erasing and destroying personal data. Simply holding a copy of personal data counts, so logs, backups and test databases are in scope.
5. Personal Data Breach
A personal data breach, according to article 4, “means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
In the early 2000s, a wave of state laws in the U.S. (beginning with California's breach notification law, in effect since 2003) mandated that if a data breach exposes someone's personally identifiable information (PII), like an account number or social security number, the company must disclose that to the individual. The GDPR goes beyond this in two ways. First, the definition covers any personal data as defined in #1, so a leaked list of names and email addresses is a reportable breach, not just financial or government identifiers. Second, it sets explicit obligations and deadlines: under Article 33 the controller must notify the supervisory authority within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals), and under Article 34 it must also notify the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms. A processor must notify its controller without undue delay after becoming aware of a breach.
6. Consent
Consent, as defined by the GDPR, must be given affirmatively and unambiguously. More specifically, article 4 of the GDPR states that consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". Silence, pre-ticked boxes or inactivity do not qualify (Recital 32). Under Article 7 the controller must be able to demonstrate that consent was given, and the data subject may withdraw consent at any time, which must be as easy as giving it.
7, 8. Right To Rectification & Right to Erasure
The Right to Rectification gives data subjects the right to have inaccurate personal data about them corrected. Article 16 states that the data subject "shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her" and, taking into account the purposes of the processing, "the right to have incomplete personal data completed, including by means of providing a supplementary statement".
The Right to Erasure, also known as the "right to be forgotten", is set out in Article 17. If an individual asks that their data be removed from a company's records, the controller must erase it without undue delay when one of the grounds in Article 17(1) applies, for example when the data is no longer necessary for the purpose it was collected for, when the individual withdraws the consent the processing relied on, or when the data was processed unlawfully. The right is not absolute: Article 17(3) lists exceptions such as processing needed to comply with a legal obligation or to establish, exercise or defend legal claims. (Requests for access to one's own data are covered separately by Article 15.) This concept will likely prove particularly difficult for many organisations since data is easily stored and copied to many places, including backups, logs, analytics systems and processors. Now is the time to think about technical solutions that will assist with your compliance, starting with a data inventory that records where each category of personal data lives and which vendors hold copies.
Any changes or erasure requested by the data subject pursuant to the Right to Rectification or Right to Erasure should happen "without undue delay and in any event within one month of receipt of the request". Under Article 12 this period can be extended by two further months where necessary, taking into account the complexity and number of requests, provided the data subject is told of the extension and the reasons for it within the first month; the request must in most cases be handled free of charge. In addition, under Article 19 the controller must communicate any rectification or erasure to each recipient, including processors and vendors, to which the data has been disclosed, unless this proves impossible or involves disproportionate effort, and the data subject has the right to be told who those recipients are. Where the controller has reasonable doubts about the identity of the person making the request, Article 12(6) allows it to ask for the additional information necessary to confirm that identity.
9. Data Minimisation Principle
Under the GDPR, organisations should only collect and process the personal data they actually need for a specified purpose. Article 5 requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". For example, if all your company requires to offer its services is a name and an email address, your company should not, under the GDPR, collect additional personal information such as a date of birth or phone number "just in case". Article 5 also sets out the related storage limitation principle: the controller should keep personal data in a form that identifies individuals for no longer than is necessary for the purpose it was collected for, so a retention period and deletion schedule should be defined for each category of data. For additional details, read Article 5.
10. Right To Data Portability
The right to data portability grants the data subject the right to receive the personal data they provided to a controller "in a structured, commonly used and machine-readable format" and to transmit it to another controller. It applies where the processing is based on consent or on a contract and is carried out by automated means. The lynchpin here is that a direct transfer could be quite difficult for a controller to do, which is reflected in this language in article 20: "In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible [emphasis added]". So, in theory, if it were "technically feasible", your customers could ask you to send their data to one of your competitors.
11. Right To Object
The right to object gives a data subject the power to require that a company stop processing his or her data where the processing is based on the controller's legitimate interests or on a task carried out in the public interest, unless the controller can demonstrate "compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims". The burden is on the controller to prove this point, and it will be a hard standard for most companies to meet. Where personal data is processed for direct marketing, the right to object is absolute: once the data subject objects, the data may no longer be processed for that purpose, and Article 21 requires that the right be explicitly brought to the data subject's attention at the latest at the time of the first communication with them.