The General Data Protection Regulation (GDPR) is one of the most wide-ranging pieces of legislation passed by the EU. The aim is to:
GDPR has applied since 25 May 2018; it is the successor to the European Union’s Data Protection Directive of 1995.
British Airways data breach
British Airways has been fined £20m. The data breach affected more than 400,000 customers.
The breach, which took place in 2018, affected both personal and payment card data. The stolen data included login, payment card and travel booking details as well as name and address information. An investigation concluded that security measures such as multi-factor authentication were not in place at the time. British Airways informed its customers once it had discovered the attack on its systems.
What is personal data under GDPR?
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Data subject: an individual in a European Union country to whom the personal data relates.
Examples of personal data:
Examples of data not considered personal data:
Organizations will need to:
Individuals: how can you identify whether an organization follows GDPR?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Examples of data breaches:
GDPR applies if your company falls into one of the following two categories:
1. Your company processes personal data and is based in the EU, regardless of where the actual data processing takes place
2. Your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behavior of individuals within the EU.
For example, GDPR may apply if your company has a website that displays prices in an EU member state currency (not all EU countries have adopted the euro), or ships goods to the EU.
1. Lawfulness, fairness, and transparency
2. Purpose limitation
Organizations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose. Processing that’s done for archiving purposes in the public interest or for scientific, historical, or statistical purposes is given more freedom.
3. Data minimization
Organizations must only process the personal data that they need to achieve their processing purposes. Doing so has two major benefits. First, in the event of a data breach, the unauthorized party only gains access to a limited amount of data. Second, data minimization makes it easier to keep data accurate and up to date.
4. Accuracy
The accuracy of personal data is integral to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete. Individuals have the right to request that inaccurate or incomplete data be erased or rectified, and the organization must act on such a request without undue delay, normally within one month.
5. Storage limitation
Similarly, organizations need to delete personal data when it’s no longer necessary. How do you know when information is no longer necessary? According to marketing company Epsilon Abacus, organizations might argue that they “should be allowed to store the data for as long as the individual can be considered a customer. So the question really is: For how long after completing a purchase can the individual be considered a customer?” The answer to this will vary between industries and the reasons that data is collected. Any organization that is uncertain how long it should keep personal data should consult a legal professional.
6. Integrity and confidentiality
This is the only principle that deals explicitly with security. The GDPR states that personal data must be processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”.
The GDPR is deliberately vague about what measures organizations should take, because technological and organizational best practices are constantly changing. Currently, organizations should encrypt and/or pseudonymize personal data wherever possible, but they should also consider whatever other options are suitable. Two caveats matter in practice: pseudonymized data is still personal data under the GDPR as long as the key or lookup table that re-identifies it exists somewhere, so it must still be protected; and an unkeyed hash of a low-entropy identifier such as an e-mail address or phone number is not effective pseudonymization, because anyone can recompute the hash from a list of candidate values.
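The following example is added here to illustrate the point above; it is not part of the original lesson. It uses constructed booking records (fictitious people) in the shape of the data stolen in the British Airways breach and shows three things: an unkeyed SHA-256 of an e-mail address can be reversed with a dictionary attack, a keyed HMAC-SHA256 pseudonym cannot be reversed without the secret key (which must be stored separately from the data, for example in a KMS or HSM), and data minimization means the analytics copy never contains name, address or card number at all. The function names, the sample records and the attacker's candidate list are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people) in the shape of the booking
# data described in the British Airways example above.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example",
     "address": "1 Example Street", "card_number": "4111111111111111",
     "booking_ref": "ABC123", "route": "LHR-JFK"},
    {"email": "bob@example.com", "name": "Bob Example",
     "address": "2 Example Street", "card_number": "5555555555554444",
     "booking_ref": "DEF456", "route": "AMS-LHR"},
    {"email": "alice@example.com", "name": "Alice Example",
     "address": "1 Example Street", "card_number": "4111111111111111",
     "booking_ref": "GHI789", "route": "JFK-LHR"},
]

# Hypothetical attacker word list: addresses an attacker could scrape or guess.
ATTACKER_CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def weak_pseudonym(identifier):
    """Unkeyed SHA-256: looks opaque, but anyone can recompute it for a guessed input."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC-SHA256 under a secret key held separately from the pseudonymized data.
    Deterministic (same input, same pseudonym), so records can still be joined,
    but without the key a pseudonym cannot be linked back to the identifier."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonym, candidates, key=None):
    """Try to reverse a pseudonym by recomputing it for every candidate identifier.
    With key=None this is what an attacker holding only the data can do.
    Returns the matching identifier, or None if no candidate matches."""
    for candidate in candidates:
        guess = keyed_pseudonym(candidate, key) if key else weak_pseudonym(candidate)
        if hmac.compare_digest(guess, pseudonym):
            return candidate
    return None


def pseudonymize_records(records, key, keep_fields=("booking_ref", "route")):
    """Replace the direct identifier with a keyed pseudonym and drop every field
    the downstream purpose does not need (data minimization): name, address and
    card number are never copied into the output."""
    out = []
    for rec in records:
        row = {"customer_id": keyed_pseudonym(rec["email"], key)}
        for field in keep_fields:
            row[field] = rec[field]
        out.append(row)
    return out


def bookings_per_customer(pseudonymized):
    """Analytics on the minimized copy: the keyed pseudonym is stable, so bookings
    by the same customer still group together without exposing who they are."""
    counts = {}
    for row in pseudonymized:
        counts[row["customer_id"]] = counts.get(row["customer_id"], 0) + 1
    return counts


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: generated and kept in a KMS/HSM

    weak = weak_pseudonym("alice@example.com")
    print("unkeyed hash reversed to:", dictionary_attack(weak, ATTACKER_CANDIDATES))

    strong = keyed_pseudonym("alice@example.com", key)
    print("keyed pseudonym reversed without key:", dictionary_attack(strong, ATTACKER_CANDIDATES))
    print("keyed pseudonym reversed with key:", dictionary_attack(strong, ATTACKER_CANDIDATES, key))

    minimized = pseudonymize_records(SAMPLE_RECORDS, key)
    print("fields in analytics copy:", sorted(minimized[0]))
    print("bookings per customer:", bookings_per_customer(minimized))
```

Run as a script to see the unkeyed hash recovered from the candidate list while the keyed pseudonym is only recoverable by whoever holds the key. Because the key alone re-identifies every record, the pseudonymized dataset remains personal data and the key needs stricter access control than the data itself; rotating the key also breaks linkage across the rotation boundary, which is a feature when retention ends and a cost when long-term joins are needed.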
The author of the lesson: Ruud Altena, Head of compliance for Braskem Europe and Asia at Braskem, The Netherlands