Understanding the General Data Protection Regulation
Enacted in May of 2018 by the EU, the GDPR is considered the most stringent privacy protection and security law in the world. Although the EU enacted the regulation, it applies to any organization, regardless of location, that handles the personal data of anyone visiting or living in the EU.
Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Under this definition in the GDPR, “any information” encompasses a range of personal data.
There are six data protection principles outlined in the GDPR related to how personal data should be processed (summarized below from Article 5 of the GDPR; see the full text for a complete description of each item):
1. Personal data must be processed lawfully, fairly, and in a transparent manner.
2. The reasons for collecting the data must be specified, explicit, and legitimate.
3. Organizations must focus on “data minimization” — data collection must be limited to what is necessary.
4. Data must be kept accurate and up to date.
5. Data must only be stored for as long as necessary for a specified purpose.
6. Data processing must be done in a manner that ensures appropriate security of the personal data.
In the last point, "appropriate security" covers a range of security measures for personal data: protection against unauthorized or unlawful processing, and protection against accidental loss, destruction, or damage. Data protection and cybersecurity measures such as encryption can be put in place to safeguard personal data against threats such as data breaches. Touchstone’s GDPR Compliance Service can help you identify areas for improvement where you can implement security measures in alignment with the GDPR’s complex requirements.
Disclaimer: in no way is this document to be considered legal advice, as it is our best attempt at interpreting the GDPR. Always seek legal counsel when in doubt.