What is General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), which became effective in 2018, is considered by many to be the world’s most comprehensive data privacy regulation. Because of its wide scope of application, many organizations, including Web2GoTech, have chosen to implement GDPR as their global data privacy standards.  Key points of GDPR include:

  • Establish data privacy as a fundamental human right, including the individual’s right to access, correct, erase, or port his or her personal data.
  • Strengthen baseline requirements and define roles and responsibilities for ensuring personal data protection.
  • Provide standardized application of data protection rules across the EU, thereby facilitating the legitimate flow of personal data within and beyond the EU and European Economic Area (EEA).

This is part of an extensive series of guides about compliance management.

GDPR Personal Data Definition

Under GDPR, personal data is anything, alone or in combination with something else, which can identify a living individual.  Some examples of personal data include:

  • Information commonly considered personal identifying information (PII), such as name, national identification number, social security number, email address, telephone number, or home address.
  • Online identifiers such as IP addresses.
  • Device identifiers such as MAC addresses
  • Location data.

GDPR further identifies special categories of personal data, which when processed, require additional protections.

  • Biometric data such as DNA, fingerprints, or facial recognition images.
  • Genetic characteristics acquired at birth, such as ethnic or racial characteristics.
  • Health data, including records of physical/mental conditions and healthcare codes.

Which Companies Does the GDPR Affect?

GDPR has a wide territorial scope, which is set forth in Article 3.  In addition to companies located in the EU, GDPR also applies to companies offering goods and services to EU residents or monitoring the activities of EU residents.

Key Terms

The GDPR defines various roles and activities essential for implementing its requirements, including:

Key Term   Definition
Data ControllerEntity determining the purposes and means of processing of personal data. Examples: A manufacturing company collecting personal data from its employees. An ISP requiring user payments.
Data ProcessorEntity that processes data on behalf of the data controller. Examples: A payroll company processing employee paychecks on behalf of a manufacturing company. A cloud service provider storing personal data.
Data ProcessingAny operation performed on personal data. Examples: Adapting, altering, collecting, combining, consulting, destroying, disseminating, erasing, organizing, recording, restricting, retrieving, storing, structuring, or using.
Data SubjectA natural person whose personal data is processed by a controller or processor. Example: An employee of a manufacturing company.
ProfilingAny data processing intended to evaluate, analyze, or predict Data Subject behavior. Examples: Performance at work, economic situation, health, personal preferences, interests, reliability, consumer behavior, location/movements.

GDPR Rights: What are a Data Subject’s Rights?

The GDPR grants data subjects the following basic rights:

  • The right to be informed about how companies collect their personal data, how long they will retain it, how they will use it, and who they will share it to.
  • The right of access to the personal information collected by companies, including the ability to request a copy of the data.
  • The right to rectification (correction) of data when it is incomplete or inaccurate.
  • The right to erasure of personal data by a company, including the “right to be forgotten”.
  • The right to restrict processing of personal data by data controllers, even if the individual cannot request erasure.
  • The right to data portability, meaning that data subjects can obtain and use their personal data, and request that companies send it electronically to third parties.
  • The right to object to the processing of personal data, for example for scientific research.
  • The right to not be subject to automated decision making and request a human review, including the right to be informed when a decision is made by an algorithm.

Each of these rights has exceptions, such as where the data controller may be required by the applicable law to retain the personal data even where a data subject has requested erasure.  For example, an employer may be required by local law to retain the personal data of its former employees for a period of 10 years.  In that case, if the former employee requests erasure, the employer would need to carefully evaluate its competing legal obligations and make a determination on the appropriate action.  In certain cases, the employer may delete some data and retain other data to meet its competing legal obligations.  In every situation, however, the data controller should be transparent with the data subject about what actions are being taken and what rights of appeal the data subject may have.

Key Articles of the GDPR

The GDPR contains 99 articles describing data protection and enforcement rules. The following are select articles from the GDPR that can be useful for understanding compliance risk.

  • Article 9 – Processing of special categories of personal data.
  • Article 25 — Data protection by design and default.
  • Article 28 – Processor
  • Article 30 – Records of Processing
  • Article 32 — Security of data processing.
  • Article 33 — Notification of a personal data breach to a supervisory authority.
  • Article 34 — Communication of a personal data breach to the data subject.
  • Article 35 — Data protection impact assessment.
  • Article 44 — General principle for transfers.

What is a GDPR Data Breach Notification?

When personal data breaches occur at an organization covered by the GDPR, the company is required to report the breach to a Data Protection Authority. This applies to personal data breaches which are likely to result in a high risk to the rights and freedoms of the individuals whose personal data has been compromised.

The GDPR requires notification of the breach to the Data Protection Authority within 72 hours. In addition, in some cases the organization must personally notify individuals affected by the breach.

What is General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), which became effective in 2018, is considered by many to be the world’s most comprehensive data privacy regulation. Because of its wide scope of application, many organizations, including Web2GoTech, have chosen to implement GDPR as their global data privacy standards.  Key points of GDPR include:

  • Establish data privacy as a fundamental human right, including the individual’s right to access, correct, erase, or port his or her personal data.
  • Strengthen baseline requirements and define roles and responsibilities for ensuring personal data protection.
  • Provide standardized application of data protection rules across the EU, thereby facilitating the legitimate flow of personal data within and beyond the EU and European Economic Area (EEA).

This is part of an extensive series of guides about compliance management.

GDPR Personal Data Definition

Under GDPR, personal data is anything, alone or in combination with something else, which can identify a living individual.  Some examples of personal data include:

  • Information commonly considered personal identifying information (PII), such as name, national identification number, social security number, email address, telephone number, or home address.
  • Online identifiers such as IP addresses.
  • Device identifiers such as MAC addresses
  • Location data.

GDPR further identifies special categories of personal data, which when processed, require additional protections.

  • Biometric data such as DNA, fingerprints, or facial recognition images.
  • Genetic characteristics acquired at birth, such as ethnic or racial characteristics.
  • Health data, including records of physical/mental conditions and healthcare codes.

Which Companies Does the GDPR Affect?

GDPR has a wide territorial scope, which is set forth in Article 3.  In addition to companies located in the EU, GDPR also applies to companies offering goods and services to EU residents or monitoring the activities of EU residents.

Key Terms

The GDPR defines various roles and activities essential for implementing its requirements, including:

Key Term   Definition
Data ControllerEntity determining the purposes and means of processing of personal data. Examples: A manufacturing company collecting personal data from its employees. An ISP requiring user payments.
Data ProcessorEntity that processes data on behalf of the data controller. Examples: A payroll company processing employee paychecks on behalf of a manufacturing company. A cloud service provider storing personal data.
Data ProcessingAny operation performed on personal data. Examples: Adapting, altering, collecting, combining, consulting, destroying, disseminating, erasing, organizing, recording, restricting, retrieving, storing, structuring, or using.
Data SubjectA natural person whose personal data is processed by a controller or processor. Example: An employee of a manufacturing company.
ProfilingAny data processing intended to evaluate, analyze, or predict Data Subject behavior. Examples: Performance at work, economic situation, health, personal preferences, interests, reliability, consumer behavior, location/movements.

GDPR Rights: What are a Data Subject’s Rights?

The GDPR grants data subjects the following basic rights:

  • The right to be informed about how companies collect their personal data, how long they will retain it, how they will use it, and who they will share it to.
  • The right of access to the personal information collected by companies, including the ability to request a copy of the data.
  • The right to rectification (correction) of data when it is incomplete or inaccurate.
  • The right to erasure of personal data by a company, including the “right to be forgotten”.
  • The right to restrict processing of personal data by data controllers, even if the individual cannot request erasure.
  • The right to data portability, meaning that data subjects can obtain and use their personal data, and request that companies send it electronically to third parties.
  • The right to object to the processing of personal data, for example for scientific research.
  • The right to not be subject to automated decision making and request a human review, including the right to be informed when a decision is made by an algorithm.

Each of these rights has exceptions, such as where the data controller may be required by the applicable law to retain the personal data even where a data subject has requested erasure.  For example, an employer may be required by local law to retain the personal data of its former employees for a period of 10 years.  In that case, if the former employee requests erasure, the employer would need to carefully evaluate its competing legal obligations and make a determination on the appropriate action.  In certain cases, the employer may delete some data and retain other data to meet its competing legal obligations.  In every situation, however, the data controller should be transparent with the data subject about what actions are being taken and what rights of appeal the data subject may have.

Key Articles of the GDPR

The GDPR contains 99 articles describing data protection and enforcement rules. The following are select articles from the GDPR that can be useful for understanding compliance risk.

  • Article 9 – Processing of special categories of personal data.
  • Article 25 — Data protection by design and default.
  • Article 28 – Processor
  • Article 30 – Records of Processing
  • Article 32 — Security of data processing.
  • Article 33 — Notification of a personal data breach to a supervisory authority.
  • Article 34 — Communication of a personal data breach to the data subject.
  • Article 35 — Data protection impact assessment.
  • Article 44 — General principle for transfers.

What is a GDPR Data Breach Notification?

When personal data breaches occur at an organization covered by the GDPR, the company is required to report the breach to a Data Protection Authority. This applies to personal data breaches which are likely to result in a high risk to the rights and freedoms of the individuals whose personal data has been compromised.

The GDPR requires notification of the breach to the Data Protection Authority within 72 hours. In addition, in some cases the organization must personally notify individuals affected by the breach.