The General Data Protection Regulation (GDPR)
What is GDPR?

 

The General Data Protection Regulation (GDPR) is one of the most wide-ranging pieces of legislation passed by the EU. Its aims are to:

  • standardize data protection law across the single market 
  • give people in a growing digital economy greater control over how their personal information is used.

 

Timeline:

GDPR has applied since 25 May 2018. It replaced the European Union's Data Protection Directive of 1995 (Directive 95/46/EC).

 

Resource

British Airways data breach

British Airways was fined £20m by the UK Information Commissioner's Office (ICO). The data breach affected more than 400,000 customers.

What happened?

The breach took place in 2018 and affected both personal and payment card data. The data stolen included login details, payment card and travel booking details, and name and address information. The investigation concluded that security measures such as multi-factor authentication were not in place at the time. British Airways informed its customers once it had discovered the attack on its systems.

 

Definition of personal data 

 

What is personal data under GDPR?

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Data Subject

An individual (natural person) in the European Union to whom the personal data relates.

 

Personal data

Examples of personal data:

  • name and surname
  • age
  • home address
  • email address such as name.surname@company.com
  • the name of a managing director of a company
  • identification card or passport number
  • location data (for example, the location data function on a mobile phone)
  • Internet Protocol (IP) address (IP addresses are often logged automatically by web servers and analytics tools, and this counts as personal data collection)
  • cookie identifiers.

 

Examples of data not considered personal data:

  • company name, address, and registration number
  • email address such as info@company.com
  • anonymized data.

 

Organization responsibilities  

Organizations will need to:

  1. Protect all personal data of any kind;
  2. Determine the purpose and methods that will be used for processing the data;
  3. Remain responsible for processing carried out on their behalf by third parties (processors);
  4. Have a lawful basis, such as the individual's consent, for processing personal data;
  5. Be completely transparent with individuals about how and why their data is used;
  6. Notify the supervisory authority of personal data breaches and, where the breach is likely to result in a high risk to them, the affected individuals as well.

 

Questions to ask yourself (how can you tell whether you follow GDPR)?

  • Do I have permission to use this data?
  • How can I protect this data?
  • Do I need to process that personal data and WHY?

 

Data breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

 

Examples of data breaches:

  • An accidental update of a database that leads to incorrect data being written to individuals' records;
  • A hacker accessing your computer network and taking customer data;
  • A malicious, incompetent, or untrained member of staff introducing errors into personal data stored about individuals, or deleting records;
  • A malicious member of staff copying customer data and selling that data to a third party.

 

GDPR Scope

 

GDPR applies if the company falls into one of the two categories:

1. Your company processes personal data and is based in the EU, regardless of where the actual data processing takes place

2. Your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behavior of individuals within the EU.

 

For example: if your company has a website that displays prices in any EU member state currency (not all EU countries have adopted the euro), or ships goods to the EU.

For example: If your company uses cookies or tracks the IP addresses of your website visitors from EU countries, the GDPR will apply to your business as well.

 

Practical guidelines

Privacy

  • Don't gather personal data unless you have a specific purpose
  • Ensure all data protection requirements are in place when processing personal data
  • Don't share personal data unless you are sure you are allowed to
  • Document retention policies (only process data for as long as needed).

Security

  • Use strong passwords on your computer and on files you share
  • Lock your screen when you are not at your desk
  • Whenever possible, paper files and other documents containing personal data should be kept locked away and removed from your desk when you are no longer working with them
  • Take care to treat information and data confidentially in both face-to-face and telephone conversations
  • Do not store sensitive information on OneDrive or SharePoint Online without password protection or encryption.

 

The Six principles of GDPR

 

1. Lawfulness, fairness, and transparency

The first principle is relatively self-evident: organizations need to make sure their data collection practices don’t break the law and that they aren’t hiding anything from data subjects. To remain lawful, you need to have a thorough understanding of the GDPR and its rules for data collection. To remain transparent with data subjects, you should state in your privacy policy the type of data you collect and the reason you’re collecting it.

2. Purpose limitation

Organizations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose. Processing that’s done for archiving purposes in the public interest or for scientific, historical, or statistical purposes is given more freedom.

3. Data minimization

Organizations must only process the personal data that they need to achieve their processing purposes. Doing so has two major benefits. First, in the event of a data breach, the unauthorized individual will only have access to a limited amount of data. Second, data minimization makes it easier to keep data accurate and up to date.

4. Accuracy

The accuracy of personal data is integral to data protection. The GDPR states that "every reasonable step must be taken" to erase or rectify data that is inaccurate or incomplete. Individuals have the right to request that inaccurate or incomplete data be erased or rectified, and the organization must act on the request without undue delay and within one month.

5. Storage limitation

Similarly, organizations need to delete personal data when it’s no longer necessary. How do you know when information is no longer necessary? According to marketing company Epsilon Abacus, organizations might argue that they “should be allowed to store the data for as long as the individual can be considered a customer. So the question really is: For how long after completing a purchase can the individual be considered a customer?” The answer to this will vary between industries and the reasons that data is collected. Any organization that is uncertain how long it should keep personal data should consult a legal professional.

6. Integrity and confidentiality

This is the only principle that deals explicitly with security. The GDPR states that personal data must be processed "in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

The GDPR is deliberately vague about what measures organizations should take, because technological and organizational best practices are constantly changing. Currently, organizations should encrypt and/or pseudonymize personal data wherever possible, but they should also consider whatever other options are suitable.
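The pseudonymization and minimization this principle calls for, and the IP-address logging mentioned under personal data above, are easiest to understand in code. The following is an added example written for this page, not code from the lesson or its author. It assumes a constructed web-analytics record, a stated purpose of page-view statistics, and a pseudonymization key that is generated on the spot; in a real system that key would be held in a secrets store separate from the pseudonymized data, so that whoever obtains the stored records alone cannot turn the tokens back into people.

```python
"""Minimize and pseudonymize a web-analytics event before storage (added example)."""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample event: what a website's analytics pipeline might collect raw.
RAW_EVENT = {
    "email": "Name.Surname@company.com",
    "ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0",
    "page": "/pricing",
    "cookie_id": "a1b2c3d4",
    "home_address": "1 Example Street",  # never needed for page statistics
}

# Data minimization: only the fields the stated purpose (page-view statistics) needs
# are kept in clear; identifiers are kept only as linkable tokens; the rest is dropped.
ANALYTICS_FIELDS = ("page",)
PSEUDONYMISED_FIELDS = ("email", "cookie_id")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalized identifier.

    Same input -> same token, so records of one visitor stay linkable.
    Unlike a plain SHA-256, an attacker without the key cannot hash a list of
    likely e-mail addresses and confirm which token belongs to whom.
    """
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Drop the host part of an IP address: keep a /24 for IPv4, a /48 for IPv6.

    The prefix still supports coarse geolocation and abuse statistics while no
    longer pointing at a single device (the masking widths are an assumption
    of this example; choose them for your own purpose).
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def minimise(event: dict, key: bytes) -> dict:
    """Return the record that is actually allowed to reach long-term storage."""
    out = {f: event[f] for f in ANALYTICS_FIELDS if f in event}
    for f in PSEUDONYMISED_FIELDS:
        if f in event:
            out[f + "_token"] = pseudonymise(event[f], key)
    if "ip" in event:
        out["ip_prefix"] = truncate_ip(event["ip"])
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: loaded from a separate secrets store
    print(minimise(RAW_EVENT, key))
```

Note the caveat in the code: pseudonymized data is still personal data under GDPR as long as the key exists, because the controller can re-identify the data subject. What the key separation buys is that a breach of the analytics database alone discloses tokens and network prefixes rather than e-mail addresses and home addresses, which is the "limited amount of data" benefit described under data minimization.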

 


https://www.itgovernance.eu/blog/en/the-gdpr-understanding-the-6-data-protection-principles

https://gdpr-info.eu/

https://www.cpomagazine.com/data-protection/uk-ico-levies-gdpr-fine-of-20-million-for-british-airways-2018-data-breach-substantially-less-than-the-initial-183-million/

 

The author of the lesson: Ruud Altena, Head of compliance for Braskem Europe and Asia at Braskem, The Netherlands
