Providing a full description on the EU General Data Protection Regulation is not a simple task. Why?
Because it is not merely a compliance framework; rather, it is a blueprint for a combination of legal, technological and work-habit changes within an organization. And it directly affects all currently accepted ideas and methods used in data management processes.
To gain a proper understanding of what is within the regulation and what to expect from it, some keywords need to be discussed and understood.
First and foremost, who is involved in the process? The regulation differentiates three major entities that are present in every scenario where personal data is involved.
First of all there are the ‘data subjects’: the people whose personal data is collected. Those doing the actual data collection are called ‘data controllers’, and finally come the ‘data processors’: organizations tasked with processing the information collected.
Not only are the entities declared, but the concept of personal data is also redefined. Whereas previously personal data was simply any information that is relevant to an individual, it now covers any information that can be directly or indirectly correlated to a natural person. In other words, any information that is specifically attributable to a person is considered personal data. So anything from a simple IP address to a user name or even health records can be described as personal data, and the list goes on. That is why we need to reconsider what type of information is collected at an organization.
There is also a territorial scope. Any organization, within or outside the EU, that collects or processes the personal data of EU citizens must take action according to the requirements of the GDPR.
The GDPR is therefore relevant to anyone responsible for the collection or processing of the personal data of EU citizens. And of course this does not exempt non-EU businesses, because if they want to trade with the EU, they have to play by the EU’s rules.
But what are those rules? To get a better understanding, let’s look at what rights Data Subjects will have and what responsibilities Data Controllers and Processors will need to consider:
These are the rights that directly apply to data subjects, but the responsibilities of data controllers and data processors are also very much in the interests of the data subjects.
The rights and responsibilities described above are a perfect reflection of one of the main goals of the GDPR; namely, to shift the focus more onto the data subjects, giving them much greater control over what can be done with their personal data and keeping them informed about its current state.
Alongside that, the GDPR aims to increase the level of protection of citizens’ data, unifying processes and regulating data collection and processing.
Once we have these terms settled, we can finally get to the interesting part: how does this work in practice?
Stay tuned, the next post on this topic is coming soon. In the meantime, get a copy of our official document on the GDPR here.