An overview guide to understanding the GDPR
The General Data Protection Regulation (GDPR) is a new legal framework formalised in the European Union (EU) in 2016, and all organisations to which it applies are expected to comply with it by May 2018. The GDPR effectively replaces the Data Protection Directive (DPD) introduced in 1995 and is considerably stronger than the DPD. Before discussing the GDPR any further, it is worth identifying the most significant distinction between the DPD and the GDPR: the DPD is a directive, while the GDPR is a regulation.
The DPD is a directive: in the EU, a ‘Directive’ is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual Member States to devise their own laws on how to reach that goal.
The GDPR is a regulation: in the EU, a ‘Regulation’ is a binding legal act that applies throughout every Member State and enters into force on a set date in all of them. It must be applied in its entirety across the EU.
One can quickly get the wrong impression of the GDPR by understanding it as an attempt to constrain the processing of individuals’ personal data for commercial purposes. In reality, the GDPR facilitates the expansion of digital transformation by providing certainty to business organisations and by putting customers back in control of their personal data; with the GDPR, businesses can engage with customers within a properly defined legal context.
- The GDPR enhances and recognises the fundamental right of individuals to the protection of their personal data, and it ensures that personal data is processed freely only on the basis of the individual’s explicit and affirmative consent. This enables customers to engage with business organisations in a well-defined context, with an assurance of their rights as consumers.
- The GDPR provides business organisations with certainty on data processing, so that organisations can make sound judgements about processing customer data without running the risk of data-protection lawsuits.
The DPD formalised in 1995 is the original root of the GDPR. Significant proposal-level discussions then took place from 2012 to 2014, and the EU Parliament and Council reached agreement on the GDPR in December 2015. Finally, the GDPR became an EU regulation in April 2017, and it will be in effect from 25th May 2018. The following reference on eugdpr.org provides a detailed timeline.
The subject of the GDPR
The GDPR applies only to natural persons, not to legal persons; Wikipedia defines a natural person as follows.
“In jurisprudence, a natural person is a person (in legal meaning, i.e., one who has its own legal personality) that is an individual human being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental organization) or public (i.e., government) organization”
In very basic terms, the GDPR applies to living human beings in the EU; it does not apply to the personal data of deceased individuals.
Objectives of the GDPR
As per its very first article, the GDPR is mainly concerned with two areas.
- Processing of personal data belonging to a natural person.
- Free movement of personal data within the Union.
It is important to understand that the GDPR does not try to restrict or prohibit the free movement of personal data “within the EU”; instead, it strengthens the fundamental right to protection of personal data and the freedoms of individuals. The GDPR also provides a transparent process and safeguard measures for transferring personal data outside the EU.
The GDPR and Brexit
The impact of Brexit on the GDPR is a controversial topic for some people, but in reality there is a very high chance that the UK will establish a similar data protection policy that closely follows the GDPR. There is already a press release from the UK government announcing a new bill to strengthen data protection laws. Additionally, the Data Protection Act (DPA) currently in force in the UK closely follows the EU Data Protection Directive (DPD).
There is no universally accepted definition of personal data; in practice, each country uses its own formal meaning defined in its national policies, but most of these definitions are close to each other and are fundamentally based on the same set of privacy principles.
In the US, the term “Personally Identifiable Information (PII)” defined by NIST is used to identify personal data; in that system, personal data is further categorised into Personally Identifiable Information (PII) and Sensitive Personal Information (SPI). In the UK, personal data is defined by the Data Protection Act (DPA) formalised in 1998. Here is the GDPR definition of personal data.
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
- Any information that can be used to identify a natural person is considered personal data and must be handled in accordance with the GDPR.
- It could be an online identifier such as a username, email address, IRC username, cookie, IP address, Radio Frequency Identification (RFID) tag, device identifier or application identifier.
- It could be a biometric element such as facial-recognition data, a fingerprint or something similar.
In conclusion, if you process any of the above categories of data, then your business needs to comply with the GDPR.
So far we have used the term “processing” heavily in this post, but the GDPR definition of the term is not precisely aligned with its generally accepted meaning. According to the GDPR, the term “processing” refers to any of the following.
- Collection of personal data.
- Recording of personal data.
- Organising, cataloguing or structuring of personal data.