GDPR Without the Hype

The key principles underlying the European Union's General Data Protection Regulation are: have minimal data, secure it, make sure it's accurate, and keep it for only as long as you need it.

Dark Reading Staff, Dark Reading

April 9, 2018

4 Min Read

The General Data Protection Regulation (GDPR) is complicated but it doesn’t have to be as scary as it’s made out to be if organizations understand five general principles about data security, have a sense of data subjects' rights, and enforce responsibilities of the controllers who manage the data. Let's start with five general principles:

  • Whenever you process people’s data, that activity needs to be lawful, fair and transparent.

  • What you do with the data should be expected by the person whose data it is.

  • You should only ever have enough data to do what your business or organization needs to do (data minimization).

  • The data you keep must be accurate, and you only keep it for as long as you need it.

  • Once you don’t need somebody’s data, you should delete it, and you should protect data with appropriate security.

In essence, these principles boil down to four elements: organizations hold only minimal data, they secure it, make sure it’s accurate, and keep it for only as long as they need it.

Data Subjects’ Rights

Data subjects have specific rights over data about them:

  • Data subjects have the right to know what you’re going to do with their data.

  • They can ask, at any time, for copies of all the data that you have about them, which you need to provide.

  • They need to know your justification for why you have that data, and how long you’re keeping it.

  • If any of their data is incorrect, they’ve got the right to ask you to correct it, and you have the obligation to correct it as soon as is feasibly possible.

  • A data subject can request that you erase their data. This is the so-called right to be forgotten. However, this is not an absolute right. For example, a customer with a loan can’t ask the bank that’s lending them the money to delete all their data. But if you don’t have a justification for processing the data, if it is not  part of a statutory obligation or fulfilling a contract, then the user can ask you to delete their data.

  • They have the right to data portability. In other words, you need to give them their data in a machine-readable format. A good example of this is an online supermarket. You want to try a different supermarket, but it’s a real pain to re-create your basket and all your favorites. The right to data portability says that you can go to the first supermarket and say, “Give me all my shopping data for the past two years because I want to send it to a different supermarket.”

  • Data subjects have the right to object to their data being processed in certain ways, such as profiling and direct marketing.

  • They have the right not to be subjected to decision making that has a material effect on them as a result of automated processing. If a computer makes a decision that creates a material, legal effect on someone (such as denying credit, turning down a loan application etc.), they generally have the right to say, “Actually, I’d like a human to look at that, as well.”

  • You cannot charge a fee to a data subject who is exercising these rights, and you have to respond to them within a month.

Responsibility of the Controllers

There are 20 articles that cover what data controllers and data processors must do but only three of them are about security. Some of the important responsibilities are:

  • You must be accountable and be able to demonstrate compliance. That means having appropriate governance structures and polices, and sticking to them.

  • You have to adopt data protection/privacy by design. So when you’re building systems, you have to integrate privacy into the design of those systems.

  • If you are a certain type or size of company not established in the EU, you may need to appoint an EU representative.

  • When using third-party processors, ensure that you do due diligence and that you have the right types of contracts.

  • If you have over 250 employees or have certain types of data, you must keep records of processing, which can be accessible to the regulator at any time.

  • If you have a breach, you need to tell your local regulator.

  • Every European country has a data protection regulator. For example, that’s the Information Commissioner in the UK; in France, it’s the CNIL.

  • If you have a breach, you have to inform the regulator within 72 hours, and if the risk is high, you also need to tell data subjects.

  • Finally, some data controllers, depending on the size and the type of data they’re dealing with, will have to appoint a data protection officer.

Learn more about the General Data Protection Regulation from John Elliott in this RSA Conference 2017 virtual session.


About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights