What Is Personal Data Under GDPR And How To Protect It?
The General Data Protection Regulation, or GDPR for short, is a European Union (EU) regulation concerning the protection of personal data and the privacy of people in the EU. As some of you may already know, the GDPR replaces the old 1995 Data Protection Directive; it was adopted in 2016 and becomes enforceable on 25 May 2018. This is why you are most likely receiving emails asking you to confirm that you wish to keep getting newsletters from every website you ever subscribed to. On the other hand, if you own a company and collect any personal data from your clients, you have probably already taken the necessary steps to meet the new requirements. In any case, for those who do not fully understand what all the fuss is about, we recommend reading on: further in this post we explain what this regulation is and what it will change once it is enforced. We also explain what personal data under the GDPR is and how such information can be protected.
What is the GDPR personal data protection regulation?
“The aim of the rules is to return control to users over their personal data and introduce a high and uniform level of data protection across the EU that is needed for the digital age,” said the European Parliament press office right after the GDPR was adopted. As mentioned earlier, the regulation was drawn up in 2016 by the European Parliament and the Council of the EU. It applies to all companies established in the EU, and also to companies outside the EU that collect or process the personal data of individuals in the EU, for example by offering them goods or services or by monitoring their behaviour. The test is where the individual is, not their citizenship.
What does the GDPR consider to be personal data?
It is not so easy to say what GDPR personal data is, because in many cases it depends on the context in which the information was collected and on what other data was obtained together with it. The regulation itself defines personal data as any information relating to an identified or identifiable natural person, and according to the EU that information can concern a person’s private, professional, or public life. For example, it can be your name, photos, email address, medical information, posts on social media, work or home address, or even your IP address. To be more precise, it is data that identifies a person, or that allows someone to identify them with reasonable effort, either on its own or in combination with other data. For instance, a street address alone may not identify the person who supplied it if other people live or work at that location. Nevertheless, if besides the address the company also learns the individual’s name or telephone number, or details such as political views or physical characteristics (hair and eye colour, weight, etc.), it becomes possible to single that person out. Therefore, just to be safe, it is best for companies to protect all the information they gather, since some of it may turn out to be personal data under specific circumstances.
What are the differences between GDPR and the old Data Protection Directive?
Once the new regulation is enforced, individuals will be able to access all of the data that various companies hold about them, including the firm the individual works for. An organization that receives such a request will have one month (roughly 30 days) instead of 40 days to assemble the personal data it holds and provide it to the individual. Besides the data itself, you also have the right to know for what purpose it was collected, how it is used, with whom it is shared, and so on. Moreover, the GDPR eliminates the charge for such requests, although if requests are repetitive or excessive the firm may charge a reasonable fee; under the 1995 Data Protection Directive regime, access to your data cost about $14. This means that with the new regulation individuals will be able to access their data not only faster but also free of charge.
How will personal data be protected and what measures should be taken?
One of the new regulation’s requirements says that organizations which collect personal data have to ensure its security with “appropriate technical and organizational measures.” In other words, the GDPR lets companies choose their own methods, although it names encryption and pseudonymisation as examples of suitable measures. Pseudonymisation means processing personal data so that it can no longer be attributed to a specific individual without additional information (such as a lookup table or a secret key), and that additional information must be kept separately and protected. Security experts recommend tokenization as well, especially for companies that need to protect sensitive data like their clients’ banking details or birth dates. Tokenization replaces a sensitive value with a randomly generated token before the data is processed or stored by third parties; the mapping from token back to the original value is kept in a separately secured vault, so a party that holds only the tokens learns nothing about the underlying data. This method is highly regarded and is already in use at many banks and other financial institutions.
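To make the two measures concrete, here is an added example (not code from the original post, and not any particular vendor's product) of how a controller might pseudonymise identifiers with a keyed hash and tokenize bank details through a vault before handing a record to a processor. The sample record, the in-memory TokenVault class and the function names are constructed for illustration; a real deployment would keep the vault and the HMAC key in separately secured systems. The last function goes beyond the paragraph above: it shows why an unkeyed hash of a low-entropy field such as a birth date is not pseudonymisation, by recovering the date from its SHA-256 digest with a dictionary search.

```python
"""Pseudonymisation and tokenization of a customer record (added example)."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, Optional

# Constructed sample record for the demo; not real personal data.
# The IBAN is the publicly documented example value, not a real account.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Ada Example",
    "email": "ada@example.com",
    "iban": "DE89370400440532013000",
    "birth_date": "1990-04-12",
}


class TokenVault:
    """Replaces sensitive values with random surrogate tokens.

    The token-to-value mapping is the secret: in production it lives in a
    separately secured store that processors receiving tokens cannot reach.
    This in-memory version is hypothetical, for illustration only.
    """

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = self._value_to_token.get(value)
        if token is None:
            # 128 random bits from the OS CSPRNG: the token carries no
            # information about the value and cannot be reversed without the vault.
            token = secrets.token_hex(16)
            while token in self._token_to_value:  # collision guard
                token = secrets.token_hex(16)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Unknown tokens raise KeyError rather than returning a guess.
        return self._token_to_value[token]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256).

    Deterministic, so the same person gets the same pseudonym across datasets
    and analytics can still join on it. The key is the 'additional information'
    that must be kept separately: without it the pseudonym cannot be linked
    back to the person, and a different key yields unrelated pseudonyms.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, shown only as the weak alternative to pseudonymise()."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def protect_record(record: Dict[str, str], vault: TokenVault, key: bytes) -> Dict[str, str]:
    """Return the copy of a record that a third-party processor may receive.

    Identifiers that analytics needs to join on are pseudonymised; values that
    only the controller ever needs in clear (bank details, birth date) are
    tokenized so the controller can restore them later via the vault.
    """
    protected = dict(record)
    protected["name"] = pseudonymise(record["name"], key)
    protected["email"] = pseudonymise(record["email"], key)
    protected["iban"] = vault.tokenize(record["iban"])
    protected["birth_date"] = vault.tokenize(record["birth_date"])
    return protected


def reverse_unkeyed_date_hash(digest: str, start: date = date(1900, 1, 1),
                              end: date = date(2030, 12, 31)) -> Optional[str]:
    """Why a plain hash is not pseudonymisation for low-entropy fields.

    A birth date has fewer than 50,000 plausible values, so anyone can hash
    them all and look the digest up. Only a secret key (HMAC) or a random
    token (vault) defeats this dictionary attack.
    """
    day = start
    while day <= end:
        candidate = day.isoformat()
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest:
            return candidate
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # in production: from a KMS/HSM, never stored beside the data
    protected = protect_record(SAMPLE_RECORD, vault, key)
    print("record sent to the processor:", protected)
    print("controller restores IBAN:", vault.detokenize(protected["iban"]))
    print("plain SHA-256 of the birth date recovered as:",
          reverse_unkeyed_date_hash(unkeyed_hash(SAMPLE_RECORD["birth_date"])))
    print("HMAC pseudonym of the birth date recovered as:",
          reverse_unkeyed_date_hash(pseudonymise(SAMPLE_RECORD["birth_date"], key)))
```

Running the script prints the protected record, restores the IBAN through the vault, recovers the birth date from its plain hash within a fraction of a second, and fails to recover it from the HMAC pseudonym. The design choice worth noting is the split: pseudonymisation is deterministic so records can still be joined across systems, while tokenization is random so a token is useless to anyone who does not hold the vault.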
Furthermore, it is important to know that the GDPR obliges the companies controlling the collected data (the controllers) to report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; the only exception is when the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Separately, if the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals directly; this second duty does not apply if the exposed data was rendered unintelligible to unauthorized parties, for example because it was encrypted and the key was not itself compromised. In other words, encryption can spare a company from notifying its customers, but it does not change the 72-hour deadline towards the regulator. Lastly, to ensure that organizations comply, companies that fail to adjust to the new regulations may face heavy fines of up to 20 million euros or four percent of their total worldwide annual turnover, whichever is higher.