Understanding the GDPR: General Data Protection Regulation

By Dan Sincavage


The GDPR, or General Data Protection Regulation, is a regulation passed by the European Union on April 27, 2016, with an effective start date of May 25, 2018. Officially classified as Regulation 2016/679, the GDPR expands upon and replaces the Data Protection Directive 95/46/EC of 1995. It is the EU's effort to synchronize and harmonize the data privacy laws covering citizens and residents across its member states.

GDPR is based on Privacy by Design/Default, a set of user-centric principles that give user privacy a protected status from the outset rather than treating it as an afterthought. Building on that is the ability of users to sue organizations under the GDPR that mishandle personal data. To accomplish this, the GDPR mandates new user-oriented information-handling processes to which EU companies will soon find themselves beholden, along with significant penalties in the event of a violation.

The complete text of the GDPR legislation clocks in at 88 pages. It contains 173 recitals and 99 articles, each applying uniformly to all EU member states. The key provisions of this sweeping legislation are described below; they constitute the essence of what the law entails and how it affects data storage and retrieval for all affected EU entities.

Who the Law Protects

There is some confusion about just who falls under the protection of the GDPR. The term "natural person" appears frequently throughout the text, and while this does refer to EU citizens, it extends further to anyone merely residing in the EU.

To wit, a natural person in EU nomenclature is any human possessing “legal personality”. That’s a very law-like definition that essentially boils down to a person who acts on their own behalf rather than in the interests of a business entity (sometimes known as a “legal entity”) or a government entity (or “public entity”).

To simplify matters, all people native to or residing inside the EU with data to protect fall under the term "data subject". The rights of these data subjects to control, and even extensively delete, their private data are at the heart of the GDPR.

How GDPR Defines Personal Data

The GDPR defines personal data quite simply: information ("data") that can be used to identify a natural person ("data subject"). This seems self-evident on its surface, and indeed certain identity-related elements fall naturally within this definition, such as name, ID number, and home address. But in the current era of sophisticated online data tracking technology, the amount of transmittable, personally identifiable data has ballooned (at least in the EU's opinion), and with it the number of privacy touch points potentially available to corporate and government bodies.

This massive list includes, but is not limited to, online identifiers such as IP addresses, social media accounts, email addresses, account numbers, browser cookies, and more. Within this are direct identifiers and indirect identifiers, both of which establish the data subject's identity by degrees. For instance, a direct identifier is a name,

Source: Business 2 Community
