Breaking Down the GDPR

There are many hot issues that the world is facing today in the area of Cyber. The top of the list is the remote workforce and how it will be further defined in its role in society in the future.

Another issue is data privacy. With most businesses now having a virtual presence (versus the traditional brick and mortar that they once had), protecting confidential information and data is becoming paramount.

In this article, we look at one of the pieces of legislation that has been designed to do this—the GDPR.

A Quick Recap

The GDPR is an acronym for the General Data Protection Regulation. It is a major data privacy regulation that was conceived and originally drafted in the European Union (EU). It was passed into law May 25, 2018.

While its primary intent is to regulate EU-based businesses that deal with the personal identifiable information (PII) datasets of both employees and customers, it has far-reaching implications on a global basis as well.

For example, if businesses in the US have offices in the EU and transact business there, they are equally bound by the stipulations as set forth by the GDPR. And, the financial penalties for non-compliance are extremely harsh.

If a company is found to be non-compliant, the fines can be as high as $2.3 million, or 4% of gross revenues, whichever is greater. Because of this, businesses all over the world have been scrambling to come into compliance since the law's inception.

The Scope of Information/Data Protection

While the main intent of the GDPR is to make sure that businesses have the necessary controls in order to protect the PII datasets, the scope of what that data is actually is far broader, and includes the following:

The collection of PII: In this regard, the PII is not just merely Social Security and credit card numbers. It also includes:

• Legal names
• Email addresses
• Location and other geographic information
• Gender
• Country of origin
• Political and religious beliefs
• Cookies that are deployed onto an end-user’s device.

The processing of information/data: This is the actual manipulation of the information and data that has been collected, whether it is manually or automatically done. This also includes the storage, transmittal, and deletion of the PII datasets as well.

The data controller: This is the entity or group of people that ultimately decides the exact techniques used to process the data and information.

The data processor: This is the person that will execute those techniques in order to process the PII datasets.

How the Data Can Be Processed

Although the business in question has the liberty to determine in what ways the information/data can be processed, there are very strict guidelines as to how this can be executed. These are as follows:

The business has received explicit and direct consent. This can be done via email, hard copy letter, or allowing it when a person fills in the contact form on the respective website.

The processing of information and data must only take place when there is a direct need for it. It cannot happen otherwise. For example, this would include the creation and formation of a business contract in which the person who is giving permission is involved.

The manipulation and further refinement of PII datasets can take place if there is a direct order from a court of law to do so.

It can be processed if it is needed for life and death situations. For example, if a patient arrives at an emergency room and is either critically ill or injured, the attending physician and his or her staff can collect the medical data in order to prescribe the necessary medications.

The business entity needs the information and data in order to serve a public interest cause that directly impacts those individuals whose PII datasets are being used.

If there is an otherwise legitimate reason to do so. Note that this a very broad and actually vague part of the GDPR that is open to a wide scale of interpretation and, as a result, there is much greater latitude given to conduct audits and levy financial penalties. Because of this, many businesses don’t process information and data under this stipulation; they typically do it only under the first five guidelines.

How the Information/Data Can Be Collected

The next question is, under what conditions can this data be collected. This is also covered by the GDPR under the following provisions:

• The information/data can only be collected for the explicit purposes that have been set forth.
• Only the most minimal amount of data should be collected in order to conduct the task that has been set forth.
• It is the responsibility of the business to make sure that all of the PII datasets are maintained the most accurately and as up to date as possible on a regular basis.
• The information and data can only be stored in the databases for as long as it is needed to complete the tasks for which they were collected.
• The principles of “CIA” (confidentiality, integrity, availability) must be adhered to for the PII datasets.

For more information about the GDPR and the California Consumer Privacy Act (CCPA), which is deemed to be a close “relative” of the GDPR, take a look at our vast library of Privacy Resources.