This blogpost was created in cooperation with tenfold : https://www.tenfold.com .
The GDPR is a regulation passed by the European Union on April 27, 2016, with an effective start date of May 25, 2018. Officially classified as regulation 2016/679, the GDPR expands upon and replaces the Data Protection Directive 95/46/EC of 1995. It serves as the EU’s effort to synchronize and harmonize laws on citizen and resident data privacy throughout its member states.
GDPR is based on Privacy by Design/Default, a set of user-centric principles that bequeath a sacred status to user privacy from the get-go rather than as an afterthought. Piggybacking on that is ability of users to sue organizations under the GDPR who might mishandle personal data. To accomplish this, the GDPR mandates new user-oriented information-handling processes to which EU companies will soon find themselves beholden, not to mention subject to significant penalties in the event of a violation.
The complete text of the GDPR legislation clocks in at 88 pages. There exist within it 173 recitals and 99 articles, each one applying universally to all EU member states. The key provisions of this sweeping legislation are provided below, and constitute the essence of what the law entails and how it affects data storage and retrieval for all related EU entities.
Who the Law Protects
There is a slight bit of confusion when it comes to just who falls under the protective auspices of the GDPR measure. The term “natural person” appears frequently throughout the text, and while this indeed refers to EU citizens, it actually extends further to those merely residing in the EU.
To wit, a natural person in EU nomenclature is any human possessing “legal personality”. That’s a very law-like definition that essentially boils down to a person who acts on their own behalf rather than in the interests of a business entity (sometimes known as a “legal entity”) or a government entity (or “public entity”).
To simplify matters, all humans native to or residing inside the EU with data to protect are blanketed under the term “data subject”. The rights of these data subjects to control and even extensively delete their private data is at the heart of the GDPR.
How GDPR Defines Personal Data
The GDPR defines personal data quite simply: Information (“data”) that can be used to identify a natural person (“data subject”). This seems self-evident on its surface, and indeed, certain identity-related elements fall naturally within this definition, such as name, ID number, home address, and more.
But in the current era of sophisticated online data tracking technology, the amount of transmittable, personally identifiable data has ballooned (at least in the EU’s opinion), and with it, the number of privacy touch points potentially available to corporate and government bodies.
This massive list includes, but is not limited to, online identifiers such as IP addresses, social media accounts, email addresses, accounts numbers, browser cookies, and more.
Constituent to this are direct identifiers and indirect identifiers, both of which establish the data subject’s identity by degrees. For instance, a direct identifier is a name, ID number, home address, and so on. Indirect identifiers include date of birth, location, or even title, and while they don’t pinpoint data subjects directly, they can nevertheless unmask a person’s identity when used in concert.
Personal Data vs Sensitive Personal Data: What’s the Difference?
In short, sensitive personal data is more or less a subset of personal data. However, as the name implies, sensitive personal data is information that is not as objectively verified as standard personal data.
For instance, a data subject’s home address or date of birth can be independently and objectively verified. Under the GDPR, this is personal data, but it’s not “sensitive”. Another way to think of sensitive data is as “privileged” information, i.e. data that must be communicated by the subject themselves.
Some examples of sensitive personal data include:
- Racial or ethnic origin
- Religious beliefs
- Genetic data
- Trade union membership
- Biometric data
- Health data
- Sexual orientation
- Data pertaining to the subject’s sex life
The GDPR’s aim is not to restrict the processing of personal data altogether, only to eliminate those instances where data might be processed without the full and clear consent of the data subject.
In any respect, the GDPR dictates that data must be processed transparently and equitably at all times. This sounds simples on the surface, but unfortunately for the controllers handling personal data, there are a number of requisites in the GDPR that reveal the attendant difficulty involved.
How can Lexidy help?
At Lexidy we can help you asses your company’s situation regarding the GDPR and advise you on how to take the right measures to be compliant with the new regulations. Contact us and get a free consultation!