The GDPR applies to the processing of personal data in the context of the activities of a controller or processor established in the EU, regardless of whether the processing itself takes place in the EU. It also applies to controllers and processors not established in the EU when they process the personal data of data subjects who are in the EU and the processing relates to offering goods or services to those data subjects (whether or not payment is required) or to monitoring their behaviour as far as it takes place within the EU. Note that the test is where the data subject is located, not their citizenship: a US company profiling visitors to its website from the EU is in scope even if none of them are EU citizens.
So this is, in a nutshell, what the GDPR means and who it concerns. To fully grasp the contents, you should familiarize yourself with the basic concepts of GDPR.
Key Concepts of GDPR
Personal data
The GDPR applies only to personal data, meaning any information relating to an identified or identifiable natural person, the data subject. A person is identifiable if they can be singled out, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier (an IP address, a device ID or a cookie ID, for example), or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. In practice this means that log files, analytics events and support tickets usually contain personal data even when no name appears in them.
Special categories of personal data
Some sensitive categories of personal data are subject to additional protection. Special categories of personal data include data revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data used to uniquely identify a person, and data concerning health, sex life or sexual orientation. Processing these categories is prohibited by default and is only allowed under specific exceptions, such as explicit consent; data on criminal convictions and offences is governed by a separate, similarly restrictive rule.
Data controller
A data controller is the party that, either alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers bear the primary responsibility for compliance and may only engage processors that provide sufficient guarantees that appropriate technical and organizational measures are in place.
Data processor
A data processor is any entity that processes personal data on behalf of a controller and on the controller's documented instructions. Many service providers, for instance cloud, hosting and payroll providers, are processors. Unlike under the earlier Data Protection Directive, processors have obligations of their own under the GDPR, notably for the security of processing, and can be held directly liable for breaching them, including through administrative fines.
Accountability
At the heart of the GDPR is the concept of accountability for the handling of personal data. The controller is responsible for making sure all data protection principles are adhered to. Moreover, the regulation requires that your organization can demonstrate compliance with those principles, which in practice means maintaining records of processing activities and documenting, for each processing operation, its purpose, its legal basis, the retention period and the security measures applied.
Consent
The consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of their personal data. Silence, pre-ticked boxes or inactivity therefore do not constitute consent, consent must be as easy to withdraw as to give, and the controller must be able to prove that it was obtained. Organizations that rely on consent for their business activities need to review and revise the processes through which they obtain and record it to meet these requirements.
Transparency
The GDPR consolidates and extends transparency obligations that already applied across the EU. Data controllers have to provide information about their processing of personal data, including its purposes, its legal basis, the recipients of the data and the retention period, in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA), which the GDPR itself calls a Data Protection Impact Assessment (DPIA), is the cornerstone of privacy-preserving, GDPR-compliant business processes and services. It is mandatory where processing is likely to result in a high risk to individuals, for example large-scale processing of special categories of data or systematic monitoring of a publicly accessible area. A PIA produces a systematic description of the envisaged processing operations and their purposes, assesses the necessity and proportionality of the processing (including its legal basis), assesses the risks to the rights and freedoms of data subjects, and describes the measures the organization will take to mitigate those risks. It should be carried out before the processing starts and revisited when the processing changes.
Privacy by Design
In short, privacy by design means that every new service or business process that makes use of personal data must build the protection of that data into its design from the start, through appropriate technical and organizational measures such as data minimization and pseudonymization, rather than adding safeguards after the fact.
Privacy by Default
Privacy by Default means that, by default, only the personal data necessary for each specific purpose is processed, and that the most privacy-protective settings apply automatically when a customer acquires a new product or service, without the customer having to change anything. This applies to the amount of data collected, the extent of processing, the period of storage and the accessibility of the data. Controllers and processors may therefore only keep data for as long as the purpose requires, and must not make it accessible to an indefinite number of people without the individual's intervention.
Pseudonymization
Pseudonymization refers to a privacy-enhancing technique in which personal data is processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information. Typical implementations replace direct identifiers with tokens produced by a keyed hash, a lookup table or encryption, and the key or table needed to reverse the mapping is kept separately and protected by technical and organizational controls. Pseudonymized information is still personal data, since the controller can re-identify it, so it does not escape the GDPR. Its use is nevertheless strongly encouraged by the regulation: it is named as an appropriate security measure and as a way to implement data protection by design. A practical caveat is that an unkeyed hash of a low-entropy identifier such as an e-mail address is not an effective pseudonym, because anyone who can guess plausible identifiers can recompute the hashes and match them.
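The following Python example was written for this page to illustrate the technique; it is not code from the original article or from any product. It pseudonymizes a small constructed set of records (fictional people and values) by replacing the direct identifier with an HMAC-SHA-256 token, keeps the key and the re-identification table as the "additional information" held separately, and goes a step beyond the text by showing why an unkeyed hash of an e-mail address can be reversed with a list of guesses while the keyed token cannot. The `purpose` string that separates tokens per dataset and the idea of fetching the key from a key management service are design assumptions of this example, not requirements stated in the regulation.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and values are fictional.
RECORDS = [
    {"email": "Alice@example.com", "postcode": "00100", "diagnosis": "J45"},
    {"email": "bob@example.com",   "postcode": "00200", "diagnosis": "E11"},
    {"email": "alice@example.com", "postcode": "00100", "diagnosis": "I10"},
]

# Fields that directly identify a person and are replaced before the dataset
# leaves the controlled environment. Indirect identifiers (postcode, diagnosis)
# remain, which is why the result is pseudonymized rather than anonymized.
DIRECT_IDENTIFIERS = ("email",)


def pseudonym(value: str, key: bytes, purpose: str) -> str:
    """Keyed, purpose-bound pseudonym: HMAC-SHA-256 over the normalized identifier.

    Same subject, same key and same purpose give the same token, so all records
    of one person stay linkable inside the dataset. A different purpose string
    (assumption of this example: one per dataset or project) yields an unrelated
    token, so two pseudonymized datasets cannot be joined on it.
    """
    normalized = value.strip().lower().encode()
    mac = hmac.new(key, purpose.encode() + b"\x00" + normalized, hashlib.sha256)
    return mac.hexdigest()


def pseudonymize(records, key: bytes, purpose: str):
    """Replace direct identifiers; return (pseudonymized records, lookup table).

    The key and the lookup table are the additional information that must be
    stored apart from the pseudonymized data and protected by access controls.
    """
    output, lookup = [], {}
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(rec[field], key, purpose)
            lookup[token] = rec[field].strip().lower()
            new[field] = token
        output.append(new)
    return output, lookup


def reidentify(record, lookup):
    """Restore direct identifiers; only possible for whoever holds the lookup table."""
    restored = dict(record)
    for field in DIRECT_IDENTIFIERS:
        restored[field] = lookup[record[field]]
    return restored


def weak_pseudonym(value: str) -> str:
    """Unkeyed SHA-256 of the identifier: shown only to demonstrate the failure mode."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def dictionary_attack(tokens, candidate_identifiers, tokenizer):
    """Attacker model: knows the tokenization scheme, has a list of plausible
    identifiers, but does not have the HMAC key. Returns {token: identifier}
    for every token recovered by recomputing the guesses."""
    rainbow = {tokenizer(c): c.strip().lower() for c in candidate_identifiers}
    return {t: rainbow[t] for t in tokens if t in rainbow}


if __name__ == "__main__":
    # Assumption of this example: in production the key comes from a KMS or HSM
    # and is never stored next to the pseudonymized data.
    key = secrets.token_bytes(32)
    data, table = pseudonymize(RECORDS, key, "analytics")
    for row in data:
        print(row)                       # no e-mail addresses visible
    print(reidentify(data[0], table))    # controller with the table can reverse it

    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    weak_tokens = [weak_pseudonym(r["email"]) for r in RECORDS]
    print("unkeyed hash recovered:", dictionary_attack(weak_tokens, guesses, weak_pseudonym))
    print("keyed token recovered:", dictionary_attack([r["email"] for r in data], guesses, weak_pseudonym))
```

Run as a script, the output shows that the two Alice records carry the same token (so analytics can still count her visits), that the holder of the lookup table can restore the address, and that the dictionary attack recovers both e-mail addresses from the unkeyed hashes but nothing from the keyed tokens. Rotating the key or changing the purpose string invalidates every existing token, which is the intended behaviour when a dataset is retired.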
The overall understanding of the key concepts will help you get started.