
GDPR: General Data Protection Regulation

Miquel Canal

Monday 11, April 2016
  • Big Data
  • Information and Security

The GDPR was approved by the EU Parliament on the 14th of April 2016 and takes effect on the 25th of May 2018. The GDPR is a mandatory law, not just a directive, as it was defined as an EU regulation. The regulation not only applies to companies located within the EU but also to those based outside the EU that have access to users inside the European zone.

The goal of this regulation is to unify data protection across all countries in the European Union and to ensure that companies and corporations meet the criteria when dealing with personal information about a digital user from Europe.

Personal data and the involved information about a user

Personal data is understood as any information which defines an online user and which helps to identify or categorise a certain subject. Name, e-mail, identifier, personal preferences, IP address or current location are examples of basic personal information.

Companies operating from outside the EU must also comply with the new legislation if they have access to data of subjects within the EU. There is a penalty for those organisations that do not meet the new data regulation, and the amounts could reach up to €20 million in case of serious infringements.

The regulation defines that users should give explicit consent for any use of their personal data. All digital websites and platforms must update their privacy policy to display a single, human-readable text. A clear description of the purpose should be delivered without the use of any technical terms or legalese.

All of this is required before accessing and processing any personal information.

Similarities and differences between a data controller and a data processor

Both are involved in the process of manipulating data and information. A controller is the one who defines the purpose of the information that is being gathered, whereas the processor is the party that handles the technical requirements of the data collection on behalf of the controller.

It is common for large-scale companies to externalise their data management and use a service provided by a data processor company. An example of the difference between them can be seen in a payroll company which offers payroll services to other companies. In this case, the payroll company itself is a data controller, as it controls the personal data about its own staff. However, it is also a data processor, as it processes the personal data of its clients.

Data controllers and data processors have responsibilities and are required to meet certain criteria when dealing with personal data. Data controllers are the ones with more responsibilities, as they decide the final use of the information. They are required to comply with legislation such as the GDPR in order to make their data practices transparent to the final user.

Data processors, on the other hand, have fewer restrictions. They are usually requested to provide information about their security implementation, encryption procedures and backup processes for the data they manage. Additionally, data processors can be required to register with the Data Protection Commissioner as data processor entities.

User rights and access privileges

The new regulation also established a right for all users to have access to their personal data stored and processed by any digital platform. In case of a request, the controller should provide a digital copy in electronic format of the stored data for that particular user. This should be delivered free of charge and without any cost to the user.

According to the GDPR, companies should immediately notify their users of a data breach if their personal data has been compromised.

Another right reflected in the GDPR is the right to be forgotten. This allows a user to request the removal of all their personal data stored on a digital platform. The company receiving the request should proceed to erase all that data without undue delay.

Updates on the privacy policy

What are the key aspects that should be listed on a privacy policy page that is compliant with the new GDPR? Here is a basic list of items to cover on the privacy policy page:
