A Quick Guide to GDPR Concepts

The EU General Data Protection Regulation marks the biggest change in EU data privacy laws in 20 years. Companies are busy with the preparations, as the change will affect the whole organization. Are you familiar with the key concepts?

Author: Taija
Date: 23.01.2018
Read Time: 4 Minutes

The GDPR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The regulation will also apply to the processing of EU citizens’ personal data by a controller or processor not established in the EU, if their activities relate to the offering of goods and services to EU citizens, or to the monitoring of behavior that takes place within the EU.

So this is, in a nutshell, what the GDPR means and whom it concerns. To fully grasp its contents, you should familiarize yourself with the basic concepts of the GDPR.

Key Concepts of GDPR

 

Personal data

The EU GDPR only applies to personal data. Personal data means any information relating to an identified or identifiable person, a data subject. An identifier can be a name, an identification number, location data or an online identifier.

 

Special categories of personal data

Some sensitive personal data categories are subject to additional protection. Special categories of personal data include, but are not limited to, data on an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, health, genetic and biometric data.


Data controller

A data controller is one that, either alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers bear the primary responsibility for compliance.

 

Data processor

A data processor is any entity that processes personal data on the controller's instructions. Many service providers, for example, are processors. Data processors can be held directly liable for the security of personal data.

Accountability

At the heart of the GDPR is the concept of accountability for the handling of personal data. The controller is responsible for making sure all privacy principles are adhered to. Moreover, the regulation requires that your organization can demonstrate compliance with all its principles.


Consent

The consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, either by a statement or by a clear affirmative action, signify agreement to the processing of their personal data. Organizations that rely on consent for their business activities will need to review and revise the processes through which they obtain consent so that they meet the requirements of the GDPR.

 

Transparency

The GDPR combines numerous transparency obligations that already apply across the EU. Data controllers have to provide information about personal data processing in a concise, transparent, intelligible and easily accessible way.


Privacy Impact Assessment (PIA)

A Privacy Impact Assessment (PIA) is the cornerstone of privacy-preserving, GDPR-compliant business processes and services. A PIA is intended to produce a systematic description of the envisaged processing operations and to determine the legal basis for the processing. PIAs should also describe the approach the organization will take to mitigate the risks it has identified.


Privacy by Design

In short, privacy by design means that each new service or business process that makes use of personal data must take the protection of that data into consideration.

 

Privacy by Default

Privacy by Default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service. Controllers or processors are only allowed to store data for the shortest possible time it takes to provide a product or a service.

 

Pseudonymization

Pseudonymization refers to a privacy-enhancing technique in which personal data is processed without the ability to link it to a specific person. This is achieved by making the information non-attributable without additional information, which must be kept separately and is subject to technical and organizational controls. Although pseudonymized information is still a form of personal data, its use is strongly encouraged by the GDPR – it is even identified as a viable security measure.
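
A concrete illustration of that separation, written as an added example (not code from the original post): direct identifiers are replaced by a keyed pseudonym, while the key and the link table are the "additional information" that stays in a separate, access-controlled store. The field names, functions and sample records are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Direct identifiers that must not appear in the working (pseudonymized) dataset.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    Without the key nobody can recompute or reverse the mapping, so the value
    is non-attributable on its own; with the same key the same person always
    gets the same pseudonym, so their records can still be joined."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymize_records(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split each record into a non-attributable part and a link-table entry.
    The link table and the key are the "additional information" that must be
    stored separately from the working dataset, under its own access controls."""
    working: List[dict] = []
    link_table: Dict[str, dict] = {}
    for rec in records:
        subject_id = pseudonym(rec["email"], key)
        link_table[subject_id] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"subject_id": subject_id, **rest})
    return working, link_table


def contains_direct_identifiers(records: List[dict]) -> bool:
    """Check to run before handing the dataset to analytics or a processor."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


def reidentify(record: dict, link_table: Dict[str, dict]) -> dict:
    """Controlled re-identification: possible only with the separately kept table."""
    return {**link_table[record["subject_id"]], **record}


# Constructed sample records (hypothetical, not from any real system).
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "Ada@example.org", "purchase": 42.0},
    {"name": "Ada Example", "email": "ada@example.org", "purchase": 7.5},
    {"name": "Bob Sample", "email": "bob@example.org", "purchase": 13.0},
]
```

The working dataset can be analysed or passed to a processor without exposing who the subjects are, while a changed key yields entirely different pseudonyms, which is why the key itself needs the same protection as the link table.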

 

An overall understanding of the key concepts will help you get started. For deeper knowledge of how the change will affect the different functions of an organization and what the main elements of a successful GDPR project are, download our eBook below.

