GDPR is an incredibly far-reaching regulation that has impacted organizations globally. The risk of financially material fines has led companies to make greater investments in their security & privacy programs so they can avoid those fines.
With GDPR being so impactful, it’s critical for organizations to, at a minimum, have a cursory understanding of the regulation; however, the regulation’s principle-based nature makes it more complex & nuanced than most other regulations/standards out there, especially when compared to US-based regulations/standards like PCI-DSS and HIPAA, which take a more prescriptive approach.
Because of this, we’ve taken the time to read through & summarize each line and article of GDPR. The result of these efforts is this foundations article. Our objective here is to provide a meaningful and accurate overview of the regulation and enable you, the reader, to meaningfully contribute to GDPR-related discussions at your organization. Before implementing any GDPR-related changes, we encourage you to speak to GDPR experts at your organization, including your legal counsel, in order to understand how this complex and highly important regulation applies to your organization.
In this first part of our blog series on the foundations of GDPR, we cover the back story behind GDPR, important definitions to know around the regulation and some key scoping details.
How GDPR Came to Be
Historical background provides meaningful context when interpreting a principles-based regulation, like GDPR.
In 2012, the European Commission (the Commission) recognized that the European Union’s (EU’s) data protection rules no longer effectively protected EU citizens’ privacy rights. A new regulation was proposed with the objective of regulating based on principles rather than specific technologies, so that the regulation would remain unaffected by technological change.
During the first year or so of drafting, the proposed regulation faced significant pushback from technology companies. These companies succeeded in watering down and weakening the proposal’s provisions until mid-2013, when classified US government documents leaked by Edward Snowden were published. These documents revealed that major US-based technology companies, whose services were and are used ubiquitously by internet users, were sharing user data with US intelligence agencies.
This news outraged EU officials and citizens, in part because many of them and their ancestors had been surveilled by their nations’ oppressive governments. This outrage led to greater support for the proposed regulation, and over the next few years the proposal was made to be far more stringent than it would have been otherwise.
On 27 April 2016, the proposal was signed into law as The General Data Protection Regulation (GDPR), and enforcement of GDPR began two years later on 25 May 2018.
Important Definitions
Before we can discuss GDPR, there are a few terms that are critical to understanding the Regulation. While we list these terms here alphabetically, pay special attention to the terms controller, processor, processing and personal data, as these are the most frequently used and sometimes the most easily misunderstood:
- Consent
  - A clear, affirmative act that establishes that an individual has agreed to the processing of their PII
- Controller
  - An entity that decides how personal data is to be processed
  - Note that this is different from the traditional definition of a controller (i.e., someone who ensures an organization’s policies are being properly implemented and followed)
- Data Breach (of PII)
  - Any of the following with regard to PII:
    - Accidental or unlawful:
      - Destruction,
      - Loss, or
      - Alteration
    - Unauthorized disclosure of or access to PII
- The European Union (EU)
  - The EU is a union of various European countries (referred to as “Member States”)
  - Because it’s a union and not an actual government, responsibility for enforcing the EU’s laws falls on the individual Member States [1]
- Personal Data (PII)
  - Any information (physical or digital) that relates to an individual, directly or indirectly
  - Examples include:
    - Name
    - ID number
    - Location data
    - Online identifier
    - The following characteristics:
      - Physical
      - Mental
      - Economic
      - Cultural
      - Social
- Processing
  - In short, any interaction with PII
  - More formally, any operation performed on personal data (whether automated or not), such as:
    - Adapting/altering
    - Aligning
    - Collecting
    - Combining
    - Consulting
    - Destroying
    - Erasing
    - Making available (e.g., distributing through transmission or dissemination)
    - Organizing
    - Recording
    - Restricting
    - Retrieving
    - Storing
    - Structuring
    - Using
- Processor
  - An entity that processes personal data on behalf of a controller
- Special Data Categories
  - Processing the following types of PII is prohibited, including inferring these attributes of an individual (listed alphabetically):
    - Biometric data
    - Genetic data
    - Health
    - Political opinions
    - Racial or ethnic origin
    - Religious or philosophical beliefs
    - Sex life
    - Sexual orientation
    - Trade union membership
- Pseudonymization
  - Anonymizing PII such that the data can no longer be linked to an individual
  - Pseudonymization is used throughout GDPR and is synonymous with anonymization
- Supervisory Authority
  - Each Member State of the EU is required to set up a supervisory authority that has responsibility for ensuring organizations are complying with GDPR
GDPR Scope
GDPR’s scope is defined in three ways:
- Geographical
- People-focused
- Organizational
Note, however, that GDPR does not apply to personal, day-to-day life. For example, if you write in your journal about your neighbor, your neighbor can’t require you to hand over your notes about them. Similarly, if you meet someone at a tavern, you needn’t sign a formal contract in order to get their number.
Geographical
GDPR applies solely within the EU.
People-focused
GDPR covers all individuals who are in the EU, regardless of their residency or citizenship status. The way the Regulation is currently written, an American citizen visiting France for a week is covered by GDPR while they are in France. As time progresses, the EU may provide additional guidance on this, but for now know that any individual who’s physically in the EU is covered by GDPR.
Organizational
GDPR applies to any organization (including charities, nonprofits and churches) that meets at least one of the following conditions:
- Processes the PII of people who are in the EU,
- Has an office in the EU, or
- Actively targets EU citizens (yes, citizens in this case). Examples of targeting EU citizens include:
  - Marketing or offering goods/services to EU citizens
  - Selling goods/services in euros (or any currency used within the EU)
  - Offering websites in languages that are used within the EU
GDPR doesn’t apply in situations where an individual in the EU visits the website of an organization that doesn’t meet at least one of the conditions listed above. For example, if a company offers plumbing services only to people in the Midwestern US and someone from Italy visits its website, the plumbing company wouldn’t need to worry about complying with GDPR.
Read part two of our series here.
[1] As of July 2019, the EU Member States are (listed alphabetically): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Spain, Sweden and the United Kingdom.