The General Data Protection Regulation, or GDPR, is one of the most wide-ranging pieces of legislation passed by the EU.
The aim is to:
- Standardize data protection laws across the single market
- Give people in a growing digital economy greater control over how their personal information is used.
GDPR came into effect in May 2018 as the successor to the European Union’s 1995 Data Protection Directive.
British Airways Data Breach
British Airways has been fined £20 million. More than 400,000 customers were affected by the breach.
The breach in 2018 affected both personal and credit card data. The data stolen included login credentials, payment card details, travel booking details, and name and address information. An investigation concluded that security measures, such as multi-factor authentication, were not in place at the time. British Airways informed its customers once it found out about the attack on its systems.
What is Personal Data Protection under GDPR?
Personal data refers to any information relating to an identified or identifiable natural person (the data subject) who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to that natural person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
An individual resident of a European Union country is the subject of the personal data.
The following are examples of personal data:
- Name and surname
- Home address
- An email address
- Managing directors of a company
- An identification card or passport number
- Location data, such as the location data function on a mobile phone
- An Internet Protocol (IP) address, which websites and analytics tools can log automatically; such logging counts as personal data collection
- Cookie ID
Organizations will need to do the following:
- Protect all personal data of any kind;
- Determine the purpose and methods that will be used for processing the data;
- Be responsible for any errors involving third parties;
- Get individuals to consent to data processing;
- Be completely transparent with individuals about how and why their data is being used;
- Notify individuals and authorities of any data breaches.
How can individuals check whether they are following GDPR? Ask:
- Do I have permission to use this data?
- How can I protect this data?
- Do I need to process that personal data, and why?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to personal data.
Here are some examples of data breaches:
- An accidental update of a database that leads to incorrect data being written to individuals’ records;
- A hacker accessing your computer network and taking customer data;
- A malicious, incompetent, or untrained member of staff introducing errors into personal data stored about individuals or deleting records; and
- A malicious staff member copying customer data and selling that data to a third party.
GDPR applies if the company falls into one of two categories:
- Your company processes personal data and is based in the EU, regardless of where the actual data processing occurs.
- Your company is established outside the EU but processes personal data concerning the offering of goods or services to individuals in the EU or monitors the behavior of individuals within the EU.
Here is an example:
- Your company has a website that displays any EU member state currency or ships goods to the EU
Here are some privacy guidelines:
- Don’t gather personal data unless you have a specific purpose
- Ensure all Data Protection requirements are in place when processing personal data
- Don’t share personal data unless you are sure you can
- Document retention policies (only process data for as long as needed).
Here are some security guidelines:
- Use secure passwords on your computer and the files you share
- Lock your screen when you are not at your desk
- Whenever possible, paper files and other personal data documents should be kept locked and removed from your desk when you are no longer working with them.
- Take care to treat information and data with confidentiality in face-to-face and telephone conversations.
- Do not store sensitive information on OneDrive or SharePoint Online without password protection or encryption.
The Six Principles of GDPR
- Lawfulness, Fairness, and Transparency
- Purpose Limitation
Organizations should only collect personal data for a specific purpose, clearly state that purpose, and only keep the data for the length of time required to complete that purpose. Processing for archiving in the public interest, or for scientific, historical, or statistical purposes, is given more leeway.
- Data Minimization
Organizations must only process the personal data needed to achieve their processing purposes. Doing so has two major benefits. First, in the event of a data breach, the unauthorized individual will only have access to a limited amount of data. Second, data minimization makes it easier to keep data accurate and up to date.
- Accuracy
The accuracy of personal data is critical to data security. According to the GDPR, "every reasonable step must be taken" to erase or rectify inaccurate or incomplete data. Individuals have the right to have inaccurate or incomplete data erased or corrected within 30 days.
- Storage Limitation
Similarly, organizations need to delete personal data when it is no longer necessary. How do you know when information is no longer necessary? According to marketing company Epsilon Abacus, organizations might argue that they "should be allowed to store the data for as long as the individual can be considered a customer." So, for how long after completing a purchase can the individual be considered a customer? The answer to this will vary between industries and the reasons that data is collected. Any organization uncertain how long it should keep personal data should consult a legal professional.
- Integrity and Confidentiality
Integrity and confidentiality are the only principles that deal explicitly with security. The GDPR states that personal data must be processed "to ensure appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures."
The GDPR is deliberately vague about which measures organizations should take because technological and organizational best practices are constantly changing. Currently, organizations should encrypt and/or pseudonymize personal data wherever possible, but they should also consider whatever other options are suitable.
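An added example (not code from the original article) of the pseudonymization the integrity-and-confidentiality principle calls for: direct identifiers are replaced with a keyed pseudonym, and the table that maps pseudonyms back to people is kept separately from the working data set. The record fields, sample records and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records, in the spirit of the breach described above:
# identity fields stored alongside travel booking data. Not real people.
RECORDS = [
    {"name": "A. Example", "email": "a.example@example.com", "booking": "LHR-JFK", "amount": 420.0},
    {"name": "B. Example", "email": "b.example@example.com", "booking": "LHR-CDG", "amount": 130.0},
]

# Fields that identify a person directly; everything else stays in the working data set.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed pseudonym.

    Returns (working, lookup): the working records carry only a 'subject_id';
    the lookup table mapping subject_id back to the identifiers is the
    'additional information' that must be stored separately, under its own
    access controls, so that the working data set alone identifies nobody.
    """
    working, lookup = [], {}
    for rec in records:
        # HMAC rather than a bare hash: without the key, a pseudonym cannot be
        # rebuilt from a guessed email address and matched against the data set.
        normalized = rec["email"].strip().lower().encode()
        subject_id = hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]
        lookup[subject_id] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        working.append({"subject_id": subject_id,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, lookup


def reidentify(working_record, lookup):
    """Restore the identifiers for one record, e.g. to answer a data-subject request."""
    rest = {k: v for k, v in working_record.items() if k != "subject_id"}
    return {**lookup[working_record["subject_id"]], **rest}


def leaks_direct_identifiers(records):
    """Gate for a data set leaving the controlled environment: any direct identifier left in?"""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a secret from a key store, held apart from both data sets
    working, lookup = pseudonymize(RECORDS, key)
    print(working)                              # bookings and amounts only, no names or emails
    print(leaks_direct_identifiers(working))    # False
    print(reidentify(working[0], lookup))       # original record restored via the lookup table
```

The pseudonym is truncated to 16 hex characters only to keep the output readable; a production system would keep the full digest.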
The EU General Data Protection Regulation, or GDPR, is a regulation aimed at guiding and regulating how companies around the world handle their customers’ personal information, as well as creating strengthened and unified data protection for all individuals within the EU.