The most pressing questions asked around the General Data Protection Regulation (GDPR)
What is GDPR?
In January 2012, the European Commission (EC) in Brussels proposed a reform of the European Union’s (EU’s) 1995 data protection rules to “make Europe fit for the digital age.” New technologies and globalisation have had a profound impact on how information is collected, accessed, and used. Furthermore, the 27 EU member states interpreted and enforced the 1995 directive differently. The EC believed that having one law would eliminate this fragmentation. The result is the General Data Protection Regulation (GDPR). The overarching aim of the reform was to better protect the rights individuals have regarding their personal data.
When does GDPR take effect?
The EC states that following a 2-year post-adoption grace period, GDPR will become fully enforceable throughout the EU on May 25, 2018.
What are an organisation’s main responsibilities under GDPR?
The UK Information Commissioner’s Office (ICO) states that if an organisation processes personal data of EU residents, it is obligated to instil comprehensive, yet commensurate, means of governing that data. Processing includes collecting, storing, altering, retrieving, transmitting, using, erasing, or otherwise performing any operation on data.
Practices and tools championed by the ICO (e.g., privacy impact assessments and privacy by design) are now legally required by GDPR. Consequently, organisations whose activities fall within its scope must implement new policies and procedures to comply. The goal of these measures is to reduce the occurrence of breaches while safeguarding personal data.
What’s the definition of “personal data” under GDPR?
Under GDPR, personal data includes any information relating to a resident of the EU, whether it regards his or her private, professional, or public life. Personal data can be anything from a name to a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address, and so on.
What’s the difference between a data controller and a data processor under GDPR?
GDPR states, “A controller determines the purposes, conditions and means of the processing of personal data. A processor processes personal data on behalf of the controller.” So, a data controller exercises overall control over why and how data are processed, and a data processor controls the more technical aspects of an operation, such as data storage, retrieval, or erasure. A processor might be a datacentre or document management company. Both organisations (controller and processor) are responsible for complying with GDPR in their processing of personal data.
Concrete examples of data controllers and processors:
- A bank (controller) collects data about customers opening new accounts but sends the information to another organisation (processor) to be stored and catalogued.
- An investment bank (controller) uses a clearinghouse (processor) to settle trades.
- A local retailer (controller) collects customer email addresses and contracts a third party (processor) to create and send monthly newsletters to customers.
What are the penalties for noncompliance with GDPR?
There is a tiered approach to penalties, with a maximum fine for violating GDPR of up to 4% of annual global turnover or €20 million, whichever is greater. GDPR guidelines and penalties apply to any member of the supply chain who processes an EU resident’s data. This means that cloud providers will not be immune to GDPR enforcement.
Examples of noncompliance:
- Having insufficient consent to process an individual’s personal data
- Contravening the privacy-by-design concept
- Failing to have records in order
- Not informing the supervising authority and data subject (individual) about a breach
- Not conducting an impact assessment
Article 25: Data protection by design and by default
Security must be built into the software and systems that personal data passes through, from the start, with documented standards and practices to minimise the attack surface. Article 25 specifically calls for measures to ensure that personal data is not made accessible without the individual’s intervention (including during a breach).
Article 32: Security of processing
The complex technologies involved in processing personal data present multiple potential points of entry for hackers. Article 32 expands on application security requirements with a keen focus on the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. Thus, organisations must secure every piece of software that plays a role in processing personal data and regularly assess the effectiveness of the measures they’re taking to do so.
Article 35: Data protection impact assessment
Awareness is a key component of data privacy, and GDPR asserts that before processing, an organisation must conduct an impact assessment to measure the risk to data privacy and evaluate the measures and mechanisms in place to secure it.
The organisation must review this assessment carefully to determine whether its security standards can evolve as the risk landscape changes. And it must regularly assess its software security posture and the risks posed by third parties with access to data at any point in the process.
By Steve Giguere, EMEA engineer, Synopsys