
General Data Protection Regulation (GDPR) – An Overview

The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that went into effect on May 25, 2018. It replaces the 1995 Data Protection Directive and extends the protections that directive provided. In essence, the GDPR is a new set of laws that gives EU residents more control over their personal data. Its purpose is to simplify the regulatory environment for businesses so that European Union residents and enterprises may fully benefit from the digital economy. The revisions are intended to reflect the world we live in now, bringing laws and duties across Europe up to date for the internet-connected era, especially those concerning personal data, privacy, and consent. In the contemporary digital era, almost every element of our lives revolves around data in some way. Almost every service we use requires the gathering and analysis of our personal data, from social media firms to banks, shops, and governments. Organizations acquire, analyze, and, probably most significantly, keep your name, address, credit card number, and other information.

What is the purpose of GDPR?

The GDPR’s goal is to safeguard individuals and the data that identifies them, as well as to guarantee that enterprises that acquire such data do so responsibly. The GDPR also requires that personal data be stored securely; the rule states that personal data must be safeguarded against “unauthorized or illegal processing, as well as accidental loss, deletion, or degradation.”

The GDPR also defines the justifications for collecting personal data; the information must be gathered for a specified, legal reason and shouldn’t be utilized for any other purpose. A restriction on the amount of data that can be collected is also suggested by the legislation, which states that data collection should be “limited to that which is essential in connection to the purposes for which they are processed.”

According to the GDPR, the company collecting the data must make sure it is correct and updated as needed.

Companies cannot lawfully process any person’s personally identifiable information (PII) unless they fulfill at least one of the six lawful bases outlined in the GDPR:

  1. Express consent of the data subject.
  2. Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
  3. Processing is necessary for compliance with a legal obligation.
  4. Processing is necessary to protect the vital interests of a data subject or another person.
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. Processing is required to further the controller’s or a third party’s legal interests unless such interests conflict with the subjects’ interests, rights, or freedoms.

What data does GDPR protect?

Any business or organization that wants to gather and utilize personal data must have the users’ permission. Personal data is information that refers to “an identified or identifiable natural person” (also known as a “data subject”), as stated by the GDPR.

Personal data can include these types of information:

  • Name
  • Identification number
  • Location data
  • Any information that is specific to “the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
  • Biometric data that is acquired through some form of technical processes, such as facial imaging or fingerprinting
  • Information related to a person’s health or healthcare
  • Racial or ethnic information of an individual
  • Political opinions or religious beliefs
  • Union membership

GDPR does not only serve as a guideline or another compliance regulation; it actively helps organizations define and clearly identify what data needs to be protected. Identity has become a major part of the data that is collected online, and the collected data is correlated to an identity for purposes such as targeted marketing, advertisements, polls and conduct studies. GDPR gives people a platform and emphasizes the right to privacy and the right to be forgotten. It does so by requiring data processors and data controllers to implement dedicated security protections that protect data privacy and lower the risk of a breach.

Seven GDPR principles

The GDPR outlines seven fundamental principles on which it rests its laws and guidelines for the handling of personal data:

  1. Lawfulness, fairness, and transparency: The use of the data must be made crystal clear to the data subject.
  2. Purpose limitation: Only particular purposes allow for the collection of data.
  3. Data minimization: Data collection is restricted to what is required for a given process.
  4. Accuracy: Organizations that collect data are required to keep it accurate and update it as required. When a data subject requests it, data must be updated or erased.
  5. Storage limitation: Data collection will not last longer than necessary.
  6. Integrity and confidentiality: To keep personal information secure and guarded against loss or illegal use, appropriate protective measures must be employed.
  7. Accountability: Data collectors are in charge of ensuring GDPR compliance.

The seven GDPR principles support specific rights of data subjects, which include:

  • Right to be forgotten: Data subjects can request that a company delete the PII it stores about them. The business has the right to decline such a request if it can establish a legal justification for its refusal.
  • Right of access: Data subjects can view the information a company holds about them.
  • Right to object: Data subjects have the right to object to a firm using or processing their personal information. If the organization can meet one of the legal requirements for processing the subject’s personal data, it may disregard the objection; nevertheless, it must notify the subject and provide justification.
  • Right to rectification: The correction of erroneous personal information pertaining to data subjects is expected.
  • Right of portability: Data subjects have the right to view and transfer any personal information that an organization may have on them.

How can SecurDI help?

If your organization deals with PII of EU citizens as defined in the GDPR, then you are responsible for all the personal data you collect and process. To be compliant with the GDPR you need to safeguard and protect that data; failing to do so could result in fines of up to 4% of your organisation’s annual turnover. PII essentially boils down to a person’s identity and the information related to or comprising that identity, so Identity Management is critical to GDPR compliance and hence critical to data security.

SecurDI helps organizations assess, implement, manage and maintain solutions that help them achieve their cyber security goals and reduce the time and effort spent on manual operations. We take a holistic approach, preparing a plan that takes into account the individual needs and the resources available to the organization and that best fits our client’s needs. This holistic approach is made possible by our professionals’ varied experience and expertise.

Authored By – Amit Kr Sharma 
