What Is GDPR? Requirements and Objectives

What Is GDPR?

The GDPR (General Data Protection Regulation) is focused on personal data: how and why it should be protected, especially from third parties that may seek to monetise it. The GDPR protects individuals in the EU from organisations, including the international technology giants, whose business model treats the retention of personal data as the price of access to a service. The GDPR applies from 25 May 2018 and, most notably, it binds companies anywhere in the world that do business within the European Economic Area (EEA).
Companies around the globe that market into the EEA must therefore make sure that their data governance plans comply with the regulation; this is mandatory, not optional. Many organisations outside the EEA, and some within it or intending to leave it, such as the UK, believe these regulations will not concern them. That is folly: any organisation that wishes to trade within the EEA market will have to comply with the GDPR.

GDPR Readiness 

GDPR compliance is not particularly easy, but it is largely common sense for an organisation with good data governance, especially one that already had the previous Data Protection Directive (DPD) under control. Indeed, many suggest that GDPR compliance = common sense + a diligent data security policy + transparency of processing. Moreover, when properly executed, GDPR compliance can have lasting beneficial effects on an organisation.

In readiness surveys, 37 percent of organisations think that their general IT capabilities will improve as they prepare, and 30 percent of respondents agree that complying with the GDPR will improve their image, since the GDPR is seen to strengthen and harmonise data protection law across EU member states. The regulation places a high level of responsibility and accountability on organisations while giving individuals greater control over their data, through measures including pseudonymisation, data minimisation and controls around the collection, processing, storage and accessibility of personal data.
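As an added illustration of the pseudonymisation and data minimisation measures just mentioned (example code written for this page, not part of the original text or of any official GDPR material), the Python below replaces the direct identifiers in a few constructed sample records with an HMAC-SHA256 pseudonym keyed by a secret the controller holds separately, generalises the exact date of birth to an age band, and drops every field the assumed analytics purpose does not need. The sample records, the key, the field lists and the reference date are assumptions for the example. The dictionary_attack_unkeyed function shows why an unkeyed hash of an email address does not pseudonymise it: anyone with a plausible candidate list can reverse it.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample records for the example; the people are fictitious.
RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.org", "national_id": "AB123456C",
     "dob": "1985-03-14", "country": "IE", "plan": "pro", "support_notes": "prefers phone contact"},
    {"name": "Bob Example", "email": "bob@example.net", "national_id": "CD654321E",
     "dob": "1991-11-02", "country": "DE", "plan": "free", "support_notes": "asked about invoices"},
    # Same person as the first record, captured from a second support ticket.
    {"name": "Alice Example", "email": "alice@example.org", "national_id": "AB123456C",
     "dob": "1985-03-14", "country": "IE", "plan": "pro", "support_notes": "follow-up ticket"},
]

# Assumed secret held by the controller and stored apart from the pseudonymised data set
# (in practice in a KMS or HSM). Whoever holds it can re-identify; nobody else can.
PSEUDONYM_KEY = b"example-controller-secret-rotate-me"

# Data minimisation: the assumed analytics purpose needs only these fields as they are,
# plus a generalised age. Name, email, national_id, dob and notes are dropped.
FIELDS_FOR_ANALYTICS = ("country", "plan")

REFERENCE_DATE = date(2018, 5, 25)  # fixed "today" so the example is reproducible


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier: stable for the same subject under the same key,
    so records can still be linked, but not reversible or guessable without the key."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """What NOT to do: a plain SHA-256 of the identifier, with no secret involved."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def age_band(dob: str, today: date) -> str:
    """Generalise an exact date of birth to a ten-year band."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymise(record: dict, key: bytes, today: date = REFERENCE_DATE) -> dict:
    """Return the minimised, pseudonymised view of one record."""
    out = {
        "subject": pseudonym(record["national_id"], key),
        "age_band": age_band(record["dob"], today),
    }
    for field in FIELDS_FOR_ANALYTICS:
        out[field] = record[field]
    return out


def pseudonymise_all(records, key: bytes = PSEUDONYM_KEY, today: date = REFERENCE_DATE):
    return [pseudonymise(r, key, today) for r in records]


def reidentification_table(records, key: bytes = PSEUDONYM_KEY) -> dict:
    """The 'additional information' the controller keeps separately so that a data subject
    exercising their rights can be found again. Never store it beside the analytics data."""
    return {pseudonym(r["national_id"], key): r["national_id"] for r in records}


def dictionary_attack_unkeyed(hashed: str, candidates):
    """An attacker holding a list of plausible identifiers (leaked email lists are plentiful)
    recovers the input of an unkeyed hash by hashing each candidate and comparing."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == hashed:
            return candidate
    return None


if __name__ == "__main__":
    for row in pseudonymise_all(RECORDS):
        print(row)
    leaked_list = ["carol@example.com", "alice@example.org", "bob@example.net"]
    print("unkeyed hash recovered:",
          dictionary_attack_unkeyed(unkeyed_hash("alice@example.org"), leaked_list))
    print("keyed pseudonym recovered:",
          dictionary_attack_unkeyed(pseudonym("alice@example.org", PSEUDONYM_KEY), leaked_list))
```

The two Alice records receive the same pseudonym, so they can still be counted as one subject, while the national ID, name, email and exact birth date never reach the analytics copy; changing the key yields unrelated pseudonyms, which is what allows the controller to "forget" a data set by destroying the key.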

GDPR Requirements

The GDPR applies to companies established in the EU and equally to companies located outside Europe that offer goods or services to, or monitor the behaviour of, individuals in the EU. The geographical scope of the regulation therefore extends well beyond the borders of the European Economic Area (EEA), and companies wishing to trade within the EEA will need to take the necessary steps to govern and protect their customers' data.
We must therefore consider the key strategies, tactics and fundamentals of privacy that achieve GDPR readiness and compliance. The guidelines in this book demonstrate how EU and non-EU businesses, regardless of their size and resources, can comply with both the spirit and the letter of the regulation.

Key Data Protection Objectives of GDPR 

The GDPR has two fundamental objectives: to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of their personal data, and to allow personal data to move freely within the EU so that goods and services can be traded fairly across borders. The EU treats the privacy of the individual as a human right, so the GDPR goes to some length to protect the rights of the individual. To that end it sets out to:

Establish data privacy as a fundamental right
The GDPR treats data protection as a fundamental right of the individual, which includes a "right to the protection" of their personal data. Anyone handling or targeting the personal data of individuals in the EU must therefore have the processes, technology and automation to protect that data effectively.

Clarify the responsibilities for EU data protection
The GDPR applies to all controllers and now also to processors that are established in the EU, and to any company not established in the EU that offers goods or services to data subjects in the EU or monitors their behaviour. The major difference from the earlier Data Protection Directive and the national laws that implemented it, such as the UK Data Protection Act 1998, is that processors now carry direct legal obligations and liability for data protection, rather than being bound only through their contract with the controller.

Define a baseline for data protection
To avoid fragmentation and ambiguity, the GDPR sets a baseline for data protection by requiring anyone processing the personal data of individuals who are in the European Union to follow the requirements laid down in the GDPR.

Elaborate on the data protection principles 
The GDPR treats encryption as only one component of a broad security strategy: Article 32 names pseudonymisation and encryption as examples of appropriate technical measures, not as a complete solution. Organisations must select assessment, preventive and detective controls appropriate to the risk and to the sensitivity of the personal data they hold.

Increase enforcement powers 
The EU aims to ensure compliance with the GDPR through fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher, for the most serious infringements.

Core Actors of the GDPR 

The GDPR is a privacy law, but its data protection concepts are hard to comprehend without the actors it defines and their associated roles. The GDPR defines the following:

Data Subject
A natural person who can be identified, directly or indirectly, by means of an identifier. An identifier can be a national identification number, a credit card number, a username, or an online identifier such as a web cookie.

Personal Data
Any information relating to an identified or identifiable Data Subject, for example name, address, date of birth, location data and nationality. Not all personal data is sensitive: the GDPR singles out special categories (such as health data, racial or ethnic origin and political opinions) for stricter treatment, but ordinary identifying details are still personal data and must be protected.

Controller
A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. The controller is normally the organisation itself, for example a service provider or a bank, rather than the individual HR manager or CIO who acts on its behalf.

Data Protection Officer
A role filled by an individual working for a Controller or a Processor who has expert knowledge of data protection law and practice. The Data Protection Officer (DPO) advises the controller or processor on their obligations under the GDPR and monitors compliance with it. The DPO acts as the liaison between the controller/processor and the supervisory authority. The role may be combined with other duties, for example those of a Chief Security Officer (CSO) or a security administrator, provided those duties do not involve deciding the purposes and means of processing, since that would create a conflict of interest.

Processor
As opposed to a controller, a processor is a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller. A Processor can be a cloud service provider for SaaS or an outsourcing company, for example a payroll bureau. It can also be an external developer, tester or analyst engaged to handle personal data; staff who handle personal data under the direct authority of the controller are not processors but act as part of the controller.

Recipient
A natural or legal person, public authority, agency or any other body to whom the personal data is disclosed. For example, it could be an individual, a tax consultant, an insurance agent, or an agency.

Enterprise
Any natural or legal person engaged in an economic activity, irrespective of its legal form. This essentially includes all organisations, whether in the public or private sector and whether inside or outside the EU.

Third party
Any natural or legal person, public authority, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorised to process the data. For example, these could be vendors, partners or subcontractors.

Supervisory Authority
An independent public authority established by a Member State to monitor the application of the GDPR (known as the national Data Protection Authority under the previous EU Data Protection Directive).
