In a previous post, we began discussing the European Union's General Data Protection Regulation (GDPR). Even though we are dedicating several posts to this subject, it is important to stress that the GDPR is an extensive set of rules, and these posts only scratch the surface to provide a general overview.
In our previous post, we covered the basics of the GDPR: the timeline of the regulation, who it applies to, and what kinds of data it covers. Here, we'll look at some of the basic provisions to be aware of.
Governing Principles
First, let's look at the fundamentals. According to IT Governance, under the GDPR (Article 5), personal data must be processed according to six data protection principles:
- Processed lawfully, fairly, and transparently (lawfulness, fairness, and transparency)
- Collected only for specified, legitimate purposes (purpose limitation)
- Adequate, relevant, and limited to what is necessary (data minimisation)
- Accurate and kept up to date (accuracy)
- Stored only as long as necessary (storage limitation)
- Processed with appropriate security, integrity, and confidentiality (integrity and confidentiality)
Each of these principles has many subcomponents and nuances that organizations subject to the regulation should evaluate in detail. For example, a number of provisions relate specifically to when consent to process an EU data subject's personal data has been validly given: consent must be freely given, specific, informed, and unambiguous, and the controller must be able to demonstrate it.
Data Processor Versus Data Controller
The GDPR makes an important distinction between a data "processor" and a data "controller." As EUGDPR.org states, "A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller." As one might imagine, the GDPR's obligations are more onerous for controllers than for processors. Processors are not off the hook, however: unlike the earlier Data Protection Directive, the GDPR places obligations directly on processors, including acting only on the controller's documented instructions, maintaining records of processing, implementing appropriate security measures, and notifying the controller of a personal data breach without undue delay.
Penalties
The penalties for noncompliance with the GDPR are potentially massive. According to EUGDPR.org, "Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts." The fine is whichever of those two figures is higher, and a lower tier (up to €10 million or 2% of annual global turnover, whichever is higher) applies to other infringements, such as failing to keep records of processing or to report a breach.
The GDPR has understandably made many businesses anxious about complying with its data protection rules. We've discussed some of the most important provisions here, but a thorough review of the regulation is strongly recommended for any business that may be subject to it.
In our next post on the GDPR, we’ll suggest some basic steps for training employees on compliance.