European Union’s General Data Protection Regulation, passed in 2018, is one of the world’s most important and broadly applicable data privacy laws. Identify what types of data are protected by the GDPR, which rights will be enforced by it, and how you can protect personal data and avoid legal repercussions, including considerations for data protection.
What is GDPR?
A GDPR is a legal standard that protects the personal data of EU citizens, regardless of whether an organization is physically present in the EU.
The European Internet users number hundreds of millions, so the standard affects almost every company that collects customer or prospect information online. If you do not comply with GDPR, you may be penalized up to 4% of your annual revenue or €20 million.
Data privacy has been defined as one of a person’s basic rights by GDPR legislators. The act aims to standardize the protection of personal data, while putting the data subject in control of its use and retention.
A GDPR Data Controller is an organization that collects and processes personal information for its own purposes, and a GDPR Data Processor is an organization that conducts these activities on behalf of another organization.
Lastly, the Data Protection Officer oversees how personal data is processed by an organization and ensures compliance with GDPR.
What is personal data according to the GDPR?
“The GDPR legislation defines personal data as any information about an identified or identifiable individual, also called a subject, who is a data subject.
Identifying information is any information that can, alone or in combination with other information, identify an individual.
Information such as name, address, ID number or passport number, financial information, cultural data, IP addresses, or medical data may be collected.
You may not process or store the following special data: Race, ethnicity, sexual orientation, religion, political beliefs, health information (unless an explicit concern is granted or there is substantial public interest).
GDPR data privacy rights
Personal data subject rights under GDPR are as follows:
Following are the basic rights of data subjects under the GDPR:
Children under the age of 13 need parental consent before they can be collected.
The Data Controller must be able to provide data subjects with access to their information as it is stored, how and why it is being processed, and where it is being sent.
The right to correct and object to data – data subjects should be allowed to correct incorrect or incomplete data, and data controllers must inform all recipients of the changes. The data subject may also object to the use of their data, and the Data Controller must comply unless their legitimate interests override theirs.
A data subject has the right to request that the data controller “forget” about their personal information. In the case of scientific or historical research, for example, organizations may be allowed to retain data if there is a legal requirement or if it is in the public interest.
Those subject to automated decisions may request to have the automated decision reviewed by a person, or contest the automated decision based on their private information.
Personal data under the control of a data controller must be reported to the Data Protection Authority within 72 hours of it being exposed to an unauthorized party, and in some cases, the controller must also notify the individual data subjects about the breach.
When data is transferred outside the EU, the data controller must ensure there are equivalent safeguards to protect the data and data subjects’ rights.
The GDPR data protection requirements – what should you do to ensure that your personal data is protected?
In the GDPR, data controllers are required to take specific measures to protect personal data. It is possible to be fined or sanctioned for failure to comply. As defined in articles 24, 25, and 32 of the GDPR, the following are the essential requirements for data protection:
Authenticated access to data and data encryption, as well as training staff on data privacy and implementing a policy for appropriate access to data, are all examples of technical measures that data controllers are required to implement to secure data.
In particular, GDPR article 32 requires data controllers to:
Provide encryption and pseudonymization (the replacement of personally identifiable information with other data) of personal information;
Maintain the integrity and confidentiality of data processing systems
In the event that personal data is not available or accessible, make sure it is restored
Assessments and evaluations of technical and organizational measures for securing data processing, as well as testing, assessing, and evaluating the effectiveness of these measures
Data Protection by Design and By Default
Computer systems that handle or store personal data must protect that data, for example by pseudonymizing, minimizing data to the bare minimum required for the data controller’s purposes, or by tokenizing, which replaces personal data with meaningless random tokens.
Protecting Personal Data with Cloudian
In accordance with GDPR, you are required to control the use of personal data, and to delete that data if the data subject requests it. By sharing personal data among users and storing it in the cloud, you lose fine-grained control. Data subject access requests (DSAR) may not be able to be answered in all instances, resulting in fines or sanctions.
Storage for backup and archival is provided by Cloudian in a fast, reliable, on-premises environment. You get the power of cloud-based file sharing on premise while maintaining GDPR compliance.
- Secure Solution for File Sharing
- Multiple layers of data protection:
- Storage within firewall
- Remote user access via secure connections
- Configure geo boundaries for data access
- Policy-defined data synch to user devices
- Integrated replication for DR