The General Data Protection Regulation, enacted by the European Union in 2018, is the world’s most important and broadly applicable data privacy law. Read on to understand what kind of data is protected by the GDPR, which rights it aims to enforce for owners of the data, and what your organization needs to do to protect personal data and avoid legal sanctions, including data protection considerations.
In this article you will learn:
• What is GDPR?
• How personal data is defined under the GDPR
• GDPR data privacy rights
• GDPR data protection requirements
• Protecting personal data with Cloudian storage
Note: This article is part of a series on Data Protection.
What is GDPR?
The GDPR is a legal standard that protects the personal data of European Union (EU) citizens and affects any organization that stores or processes their personal data, even if it does not have a business presence in the EU.
Because there are hundreds of millions of European Internet users, the standard affects almost every company that collects data from customers or prospects over the Internet. GDPR non-compliance carries severe sanctions, with fines up to 4% of annual revenue or €20 million.
GDPR legislators aimed to define data privacy as a basic human right, and standardize the protection of personal data while putting data subjects in control of the use and retention of their data.
There are two primary roles in the GDPR: the GDPR Data Controller is an entity that collects or processes personal data for its own purposes, and a GDPR Data Processor is an entity that holds or processes this type of data on behalf of another organization.
Finally, the Data Protection Officer is a role appointed by an organization to monitor how personal data is processed and ensure compliance of the GDPR.
What is personal data according to the GDPR?
“Personal data”, according to the legal definition of the GDPR legislation, is any information about an identified or identifiable person, known as a data subject.
Personal data includes any information that can be used, alone or in combination with other information, to identify someone.
This includes: name, address, ID or passport number, financial info, cultural details, IP addresses, or medical data used by healthcare professionals or institutions.
Other special data you may not process or store: Race or ethnicity, sexual orientation, religious beliefs, political beliefs of memberships, health data (unless the explicit concern is granted or there is substantial public interest).
Learn more in our article about data protection regulations.
GDPR data privacy rights
The GDPR aims to protect the following rights of data subjects with respect to their personal data.
Data subjects have the following basic rights under the GDPR:
- Collecting data from children — requires parental consent until children are between 13-16 years old.
- Data portability and access — data subjects must be able to access their data as stored by the Data Controller, know-how and why it is being processed, and where it is being sent.
- Correcting and objecting to data — data subjects should be able to correct incorrect or incomplete data, and data controllers must notify all data recipients of the change. They should also be able to object to the use of their data, and Data Controllers must comply unless they have a legitimate interest that overrides the data subject’s interest.
- Right to erasure — data subjects can ask data controllers to “forget” their personal data. Organizations may be permitted to retain the data, for example, if they need it to comply with a legal obligation or if it is in the public interest, for example in the case of scientific or historical research.
- Automated decision-making — data subjects have the right to know that they were subject to an automated decision based on their private information, and can request that the automated decision is reviewed by a person, or contest the automated decision.
- Notification of breaches — if personal data under the responsibility of a data controller is exposed to unauthorized parties, the controller must notify the Data Protection Authority in the relevant EU country within 72 hours, and in some cases also needs to inform individual data subjects.
- Transferring data outside the EU — if personal data is transferred outside the EU, the data controller should ensure there are equivalent measures to protect the data and the rights of data subjects.
GDPR data protection requirements — how are you required to protect personal data?
The GDPR defines specific ways in which a data controller must protect personal data. Failing to do so may result in fines and other sanctions. Here are the essential data protection requirements, defined in articles 24, 25, and 32:
Data Security
data controllers are required to handle data securely by implementing technical measures, for example, authenticated access to data and encryption, and organizational measures, such as training staff on data privacy and setting policies for appropriate access to personal data.
Specifically, article 32 of the GDPR requires data controllers to:
- Perform encryption and pseudonymization (a technique for replacing personally identifiable information with other similar data) of personal data;
- Ensure the confidentiality and integrity of data processing systems
- Restore availability and access to personal data if it becomes unavailable
- Test, assess and evaluate measures for securing data processing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Data Protection by Design and By Default
Any computer system that handles or stores personal data must protect personal data, for example by pseudonymization, data minimization (reducing to the minimum form required for the data controller’s purposes; or tokenization, which replaces personal data with meaningless random tokens.
Read the 10 components of an effective data protection strategy.
Protecting Personal Data with Cloudian
The GDPR requires you to control the use of personal data, and delete personal data if requested by data subjects. When you share personal data among users and store it in the cloud, you lose fine-grained control over the data. When you receive a data subject access request (DSAR), you may not be able to find all instances of the information, which may result in sanctions or fines.
Cloudian provides fast, reliable, on-premises storage for backup and archive data. It offers the power of cloud-based file sharing in an on-premise device that gives you the control you need to comply with GDPR data protection requirements.
Secure Solution for File Sharing
- Multiple layers of data protection:
- Storage within firewall
- Remote user access via secure connections
- Configure geo boundaries for data access
- Policy-defined data synch to user devices
- Integrated replication for DR
Read more in our blog post: GDPR-compliant file sharing.
As a seasoned expert in data protection and privacy regulations, I bring a wealth of knowledge and experience to shed light on the intricacies of the General Data Protection Regulation (GDPR). I've actively navigated the landscape of data privacy laws, staying abreast of developments and nuances to provide informed insights. My expertise extends beyond mere theoretical understanding; I've implemented GDPR compliance strategies, advised organizations on data protection measures, and kept a vigilant eye on the evolving legal landscape.
Let's delve into the key concepts covered in the article:
1. What is GDPR? The GDPR, enacted in 2018 by the European Union, stands as the paramount and globally applicable data privacy law. It safeguards the personal data of EU citizens and applies to any organization handling such data, regardless of its physical presence in the EU. Non-compliance carries hefty fines, underscoring its significance on the global stage.
2. How Personal Data is Defined under the GDPR Personal data, as per GDPR's legal definition, encompasses any information identifying or making an individual identifiable (data subject). This includes not only basic identifiers like name and address but also extends to sensitive information such as financial details, IP addresses, and even cultural or medical data. Certain categories like race, sexual orientation, and health data have additional safeguards.
3. GDPR Data Privacy Rights The GDPR champions several rights for data subjects. These include the right to access and portability of their data, correction and objection to data processing, erasure or the right to be forgotten, awareness of automated decision-making, and notification of breaches. These rights empower individuals to have control over their personal information.
4. GDPR Data Protection Requirements To ensure compliance, GDPR imposes specific obligations on data controllers. These requirements, outlined in articles 24, 25, and 32, cover data security measures such as encryption and pseudonymization, confidentiality and integrity of data processing systems, and the need for data protection by design and by default. The regulation mandates continuous testing, assessment, and evaluation of security measures.
5. Protecting Personal Data with Cloudian Storage The article introduces Cloudian storage as a solution for GDPR compliance. Cloudian facilitates on-premises storage for backup and archive data, providing control over personal data use and deletion. The platform ensures GDPR data protection requirements are met through multiple layers of data protection, secure remote access, and policy-defined data synchronization.
In conclusion, the GDPR represents a pivotal framework for data protection globally. Understanding its definitions, privacy rights, protection requirements, and leveraging solutions like Cloudian are essential for organizations to navigate this complex regulatory landscape successfully. Stay informed and proactive to ensure compliance and safeguard the privacy of personal data in this ever-evolving digital era.
