General Data Protection Regulation (GDPR)

GDPR introduces some new terms. Organizations should familiarize themselves with these terms to prevent confusion.

• Data subject: a human that can be identified (directly or indirectly) from some data
• Controller: a person or organization that decides how and why personal data will be processed
• Processor: a person or organization processing personal data on behalf of a controller
• Data protection officer: a designated specialist appointed by a controller and/or processor who must be involved in all matters related to protecting personal data
• Supervisory authority: an independent public authority designated by each member state to monitor the application of GDPR—for example, in the U.K., the Information Commissioner’s Office

Personal data. In relation to GDPR, personal data includes any data relating to a subject that is tied to a specific person or could be used to identify a person, directly or indirectly. Examples of personal data include names, physical addresses, email addresses, and IP addresses that can be tied to an individual.

Genetic data. This includes data relating to a person’s genetic characteristics. Such data could be used to find out information pertaining to an individual’s health, physical condition, gender, and/or ethnicity.

Biometric data. Data captured from physical, physiological, or behavioral characteristics of a person. Examples of biometric data include facial images and fingerprints.

Data concerning health. This type of data relates to physical or mental health, including treatment or health care services received by an individual.

The regulation applies to all  businesses (both within and outside of the EU) conducting automated or partially automated processing of personal data for people within the EU as it relates to offering goods or services or monitoring behavior.

Certain activities related to data controllers do not apply to organizations employing fewer than 250 people if they do not process sensitive data. GDPR does not apply to the actions of individual consumers.

Yes. GDPR applies to businesses that process data of people in the EU, whether the businesses have a physical presence in the EU or not. However, GDPR applies only to businesses intentionally offering goods or services to people in the EU.

Under GDPR, any data that could be used to identify an individual must be protected. As with Directive 95/36/EC, pseudonymized data (i.e., data without direct reference to a named individual) is still in scope, though GDPR recognizes that the risks to individuals are reduced when data is pseudonymized.

Organizations defined as data processors, even if they are processing data on behalf of a data controller, are accountable for protecting that data. These firms must report breaches and can be penalized if found to be noncompliant.

It is critical for organizations to demonstrate that they have the consent of a data subject to process the subject’s data. Subjects must give their consent freely, and any written declarations must use plain language that can be understood easily. The subject can withdraw this consent at any time, and the company must be able to remove the subject’s data from all its systems. This rule is often referred to as the “right to be forgotten.” For children, data can be processed only with the consent of a parent or legal guardian. Data subjects are also entitled to make subject access requests to organizations that hold their data, for free.

The largest fines will be imposed on organizations that haven’t even attempted to comply with GDPR. The maximum fine is either €20 million (approx. $24 million) or 4% of the organization’s worldwide annual turnover, whichever is higher.

To avoid GDPR fines, organizations need to communicate the following:

• This is what we are doing to comply with GDPR.
• This is what we are doing not to run afoul of compliance.
• This is what we’re doing to have a reasonable story to tell even when something bad does happen.