What is GDPR?
The European Union's ("EU") General Data Protection Regulation ("GDPR") replaces the 1995 Data Protection Directive, and while the new requirement became effective May 25, 2018, Data Protection has been part of everyday business in Europe since 1984.
GDPR is extraterritorial, meaning it applies to any company processing EU resident data, irrespective of where that company is located.
If your organization provides services to people in or from Europe, it has to comply with these regulations even if the company, or you, are based outside of Europe. Companies that do not comply could be fined 4% of global revenues or up to $24.5M, whichever is greater.
Personal Data is information relating to a named or otherwise identifiable individual. This includes any expressions of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Examples include:
- Employee Number
- Employee appraisals
- National Insurance Number
- Social Security Number or similar
- Passport or Id details
- Bank account details
- Email address
- Telephone number
- Internet Protocol Address (the number that you are given when you connect to the internet)
- Location data (including address, zip code or postal code)
Personal data is anything that can identify an individual. It can be structured data such as a name, employee id or social security id. But it can also be unstructured data such as:
The woman who lives at 1200 Main Street who owns a red Porsche.
If there is only one woman, one Porsche owner, one owner of a red car or only one person living at that address, this information will be considered personal information.
Importantly, personal identifiers such as a social security number, driver's license number or passport number are considered personal information on their own, even without access to the full database of information they came from.
So even a simple spreadsheet such as:
| Passport Number | Amount Spent in 2018 |
| --- | --- |
is information that can identify an individual and is therefore personal information.
Personal data doesn’t just mean data that is stored digitally. It applies to paper records too.
Sensitive Personal Data
Personal data containing information relating to the racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life or criminal history of a data subject. The GDPR adds biometric and genetic information to this list, recognising it as sensitive personal information.
Information that can be used to deduce or infer sensitive information about an individual is also considered to be sensitive, for example:
If a passenger booking an airline ticket is asked whether they will require assistance boarding the aircraft, checking that box reveals information about the passenger's physical health.
If a person applying for insurance is asked to provide the details of their spouse, partner or significant other, this information may reveal that the individual is in a same-sex relationship.
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Processor
Any person or company undertaking data processing on behalf of (but not employed by) the data controller.
Purpose
The purpose(s) for which the data is collected and will be processed (e.g. the provision of a service, recruitment, provision of employment).
Under the GDPR, personal data can only be collected and used for the purpose that the data subject has agreed to.
This means that if the purpose(s) agreed to did not include marketing, then the data must not be used for marketing.
Some organizations use a copy of their live customer database when testing a new version of their computer systems. Under the GDPR this will not be allowed unless it is part of your company's stated purpose.
Make sure that you check before using data for something that may not be part of your company’s purpose.
Consent
A freely given, specific and informed indication by the data subject signifying their agreement to their personal data being processed.
Consent should be positive consent (i.e. opt-in).
Below is an example opt-in. You'll notice that the checkbox isn't pre-checked.
Processing Without Consent
While consent is required in most cases, there are exceptions that allow for lawful processing of personal data without consent.
Data Subject's Rights
Under the GDPR, individuals have rights that may restrict the way that their data can be used. These rights are:
- The Right to be Informed – The data subject has the right to know what their data will be used for before they provide the data.
- The Right of Access – The data subject has the right to request a copy of the personal data that an organisation holds on them.
- The Right of Rectification – The data subject has the right to request that their personal data is maintained and kept up to date.
- The Right of Erasure – The data subject has the right to request that their personal data be deleted.
- The Right to Restrict Processing – The data subject has the right to restrict the processing of their data. This will typically occur whilst data that has been identified as incorrect is being corrected or updated.
- The Right of Data Portability – The data subject has the right to request a copy of their personal data in a computer-readable format.
- The Right to Object – The data subject has the right to object to the processing of their personal data. This may occur if the data is being used without consent or another legal basis for use.
- The Right to Manual Processing – The data subject has the right to request that an automated decision (e.g. an automated mortgage decision) be reviewed by a person.
Data Breaches
The GDPR requires that data breaches are reported within 72 hours of their discovery.
The GDPR defines a data breach not only as something like a hacker stealing data or a laptop being stolen, but also data being lost (data stored on a USB drive and left on public transport for example). Data misuse (use of data for purposes other than the purposes intended or agreed to by the data subject) is also considered a data breach.
Organizations are required to ensure that you can recognise a data breach and that you follow your organization's data breach process. Your responsibilities could include following your organization's formal breach process and immediately informing your direct supervisor of any breaches you discover. If you haven't been instructed how to respond to data breaches, we encourage you to ask your organization about your specific responsibilities.
About Fifth Step
Fifth Step was formed in 2009 by a small team of senior information technologists and IT management professionals to meet the increasing demand for high-quality IT Leadership, Change Leadership, Resiliency Leadership, Data Protection and Cybersecurity. Fifth Step works with clients globally from our offices in London, Bermuda and New York.
Fifth Step provides support and services to executives and senior management to enhance, magnify and complete existing capabilities. They do this by taking a collaborative approach, using standard frameworks and methodologies combined with FS BOK, their structured body of knowledge. They are performance and delivery focused, using proven techniques that allow your business to benefit from all of their experience and expertise, whether you are an SMB or a multinational enterprise.
About Ataata
Ataata helps companies around the world visibly and quantifiably reduce security breaches caused by employee mistakes. By combining modern, effective training techniques with predictive analytics, Ataata transforms a company's security culture – enabling the employee to be the first line of defense against breaches.
Research shows that humor is the best mechanism for breaking through the flood of information we are inundated with every day. And so, Ataata leverages humor to engage employees, to educate and train them, and ultimately, to transform a company’s security culture from one of compliance to that of commitment. With Ataata, employees truly understand how a secure workplace helps them succeed in their jobs. And for those responsible for a company’s security, Ataata helps them take on that most difficult of adversaries: Human Error.