GDPR – The Basics

Published on 12 October 2016

The Basics of GDPR

Providing a full description on the EU General Data Protection Regulation is not a simple task. Why?

Because it is not merely a compliance framework; rather, it is a blueprint for a combination of legal, technological and work-habit changes within an organization, and it directly affects established ideas and methods used in data management processes.


To gain a proper understanding of what is within the regulation and what to expect from it, some key terms need to be discussed and understood.

First and foremost, who is involved in the process? The regulation differentiates three major entities that are present in every scenario where personal data is handled.

First of all there are the ‘data subjects’: the natural persons whose personal data is collected. The organizations that decide why and how that data is collected and processed are the ‘data controllers’. Finally come the ‘data processors’: organizations that process the data on behalf of, and on the instructions of, a controller (a hosting or payroll provider, for example). The same organization can be a controller for some data and a processor for other data, so the roles have to be identified per processing activity.

Not only are the entities defined, but the concept of personal data is also broadened. Previously, personal data was often treated as information obviously about an individual; under the GDPR it is any information relating to a natural person who is identified or can be identified, directly or indirectly. In other words, any information that can be attributed to a specific person is personal data. So anything from an IP address or other online identifier, to a user name, to health records can be personal data, and the list goes on. That is why an organization needs to reconsider what types of information it actually collects and holds.

There is also a territorial scope. The GDPR applies to organizations established in the EU, and also to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. Note that the trigger is the location of the data subjects, not their citizenship.

The GDPR is therefore relevant to anyone responsible for the collection or processing of the personal data of individuals in the EU. Non-EU businesses are not exempt: if they want to trade with the EU, they have to play by the EU’s rules.

GDPR rights and responsibilities

But what are those rules? To get a better understanding, let’s look at what rights Data Subjects will have and what responsibilities Data Controllers and Processors will need to consider:

  • The right to rectification: Simple enough, yet it gives subjects the right to have inaccurate information about them corrected and incomplete information completed.

  • Tighter consent requirements: Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous, and the subject must be told what the data will be used for. Consent can also be withdrawn.

  • The right to erasure (‘right to be forgotten’): Giving subjects the right to have stored information relating to them deleted, subject to the conditions set out in the regulation (for example, where the data is no longer needed for its original purpose or consent has been withdrawn).

  • Transparency and breach notification: Throughout the data handling process, subjects must be informed about what is happening to their personal data. If a breach is likely to result in a high risk to them, they must be informed without undue delay; the controller must also notify the supervisory authority, within 72 hours of becoming aware of the breach where feasible.

  • Data protection by default: By default, only the personal data necessary for the stated purpose is collected and processed. Once the purpose has been agreed with the subject, using the data for a different purpose requires a fresh legal basis, such as new consent.


These are the rights that directly apply to data subjects, but the obligations placed on data controllers and processors are also very much in the interests of the data subjects:

  •  Accountability for violations and breaches: Both controllers and processors can be held responsible by the supervisory authority for negligence in securing personal data or for failing to comply with the GDPR requirements.

  •  Harsh sanctions for non-compliance: The GDPR stipulates that failing to comply with the regulation can lead to administrative fines of up to 4% of total worldwide annual turnover of the preceding financial year or €20 million, whichever is higher.

  •  Embedded security measures (data protection by design): The security of personal data must be built into systems and processes from the outset, not added as an afterthought once the infrastructure is in place.

  •  Visibility in the data flow: Personal data, and the actions performed on it, must remain visible and traceable, so that the organization can demonstrate what was done, by whom and why.

  •  Full functionality of data handling: Security and privacy controls must not be traded off against the legitimate purpose of the processing; the processes and technologies used should serve the purpose they were intended for, without unnecessary compromises in either direction.

  •  End-to-end security: No gaps are allowed anywhere in the data lifecycle, from collection through storage and processing to deletion. This means continuously managing the security of the information and of the actions taken by the users who are allowed to control the data flow.


The previously described rights and responsibilities are a perfect reflection of one of the main goals of the GDPR; namely, to shift focus more onto the data subjects, giving them much greater control over what can be done with their personal data and constantly informing them about its current state.

Alongside that, the GDPR aims to increase the level of protection of citizens’ data, unifying processes and regulating data collection and processing.

Once we have these terms settled we can finally get to the interesting part. How does this work in practice?

Stay tuned: the next post on this topic is coming soon. In the meantime, get a copy of our official document on the GDPR here.

by István Molnár

István is the Compliance expert at Balabit, with extensive knowledge and understanding of international standards, regulations and frameworks. He acts as an adviser in compliance-related sales projects and as a content specialist in the Product Marketing team.
