Beginning from May 25th, 2018, companies which operate in the European Union have to adhere to the GDPR. Coursedot has a special quick and easy guide to provide the basics of GDPR. This is the fourth part of the series, where we get into the details. The third part is right here.
Today we get technical and explore
What Your Business Needs to Know About GDPR
As this is quite a broad topic, we will split it into two subparts. This one is the first. It will cover the basic definitions given by the GDPR. The second will take a look at the new rights for individuals.
Now, let’s take the definitions and delve a bit more in them. We will take a look at the main definitions and their exact impact on a company and its business.
Personal Data
The official definition as per the GDPR: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
What it means: Most of the definition is the same as per the 1995 Directive. It does, however, add further identifiers to the list (such as location data, online identifiers and genetic factors). So, companies should analyze whether these additional classifications are related to their current or future data practices.
Sensitive personal data
The official definition as per the GDPR: “Sensitive Personal Data” are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).
What it means: This is also generally the same as per the 1995 Directive. What’s new is that health, biometric or genetic data are now classified as sensitive personal data under the GDPR. So, companies which process such data have to make sure they have taken all steps to obtain proper consent from users, have proper security in place, etc.
Pseudonymous data
The official definition as per the GDPR: Pseudonymous data is still treated as personal data. This is because it still enables the identification of individuals. However, provided that the “key” that enables re-identification of individuals is kept separate and secure, the risks associated with pseudonymous data are likely to be lower.
What it means: Companies can obscure personal data with pseudonyms and can use this as a way to give more privacy to the data. This can also help them process data in more ways and for more purposes. GDPR encourages companies to use pseudonymisation as a way to add extra security to individuals’ data.
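To make the “key kept separate” idea concrete, here is an added example (not part of the Coursedot guide) of keyed pseudonymisation in Python. It assumes HMAC-SHA256 as the pseudonym function and a lookup table as the re-identification key; the records are constructed sample data, not real people. The pseudonymised data set can be used for analysis (records of the same person stay linkable), while re-identification is only possible for whoever holds the separately stored key and lookup.

```python
import hashlib
import hmac
import json
import secrets


def make_key() -> bytes:
    """Generate the secret pseudonymisation key. Store it separately from the
    pseudonymised data set (e.g. in a secrets manager), never beside it."""
    return secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the identifier.
    Without the key a pseudonym cannot be recomputed from a guessed value
    (unlike a plain hash), and the same input always maps to the same
    pseudonym, so records for one person stay linkable for analysis."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, identifier_fields, key):
    """Replace identifier fields with pseudonyms.

    Returns (pseudonymised_records, lookup) where lookup maps each pseudonym
    back to the original value. The lookup is the re-identification "key"
    the GDPR text refers to and must be kept apart from the data set."""
    lookup = {}
    out = []
    for record in records:
        clean = dict(record)  # copy, so the caller's records are not mutated
        for field in identifier_fields:
            if field in clean:
                pseudo = pseudonymise(clean[field], key)
                lookup[pseudo] = clean[field]
                clean[field] = pseudo
        out.append(clean)
    return out, lookup


def reidentify(record, identifier_fields, lookup):
    """Restore original identifiers; only possible with access to the lookup."""
    restored = dict(record)
    for field in identifier_fields:
        if field in restored and restored[field] in lookup:
            restored[field] = lookup[restored[field]]
    return restored


# Constructed sample records (hypothetical, not real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "logins": 14},
    {"email": "bob@example.com", "plan": "free", "logins": 3},
    {"email": "alice@example.com", "plan": "pro", "logins": 2},
]
IDENTIFIER_FIELDS = ["email"]

if __name__ == "__main__":
    key = make_key()
    pseudo_records, lookup = pseudonymise_records(SAMPLE_RECORDS, IDENTIFIER_FIELDS, key)
    # The analytics side sees only pseudonyms, yet can still count logins per person.
    print(json.dumps(pseudo_records, indent=2))
    # Only the holder of the separately stored lookup can reverse the mapping.
    print(reidentify(pseudo_records[0], IDENTIFIER_FIELDS, lookup))
```

The design choice worth noting: a keyed HMAC rather than a bare hash, because an unkeyed hash of an e-mail address can be reversed by hashing candidate addresses, which would defeat the point of pseudonymisation. The key and the lookup table should live in a different system, with different access controls, from the pseudonymised records.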
Processor of Data
The definition as per the GDPR for data processing is quite broad. In short, it means any operation or set of operations performed on a set or sets of personal data, no matter how it’s collected. The Processor of Data is any legal person, public authority, agency or other body which processes personal data on behalf of the controllers.
What it means: The GDPR doesn’t bring big changes to this definition, so it’s not going to bring many changes for companies. If they use personal data in any way, they are processors of data.
Controller of Data
The definition as per the GDPR for Controllers of Data is also broad. It covers the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.
What it means: Despite sounding quite complicated, the definition is basically unchanged from the 1995 Directive. So, if an entity is already defined as a Controller of data, this will remain unchanged.
Consent
The original definition as per the GDPR: “The consent of the data subject” means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
What it means: While the definition is quite similar to the old Directive, the GDPR makes it much harder for organizations to obtain this consent from individuals. Companies will have to review the processes by which they obtain consent from their users and make appropriate changes. This can result in changes to the Terms and Conditions and Privacy Policy of web services to reflect the GDPR requirements. It will also require the setup of a special page/form or another suitable method with which the company gives users a clear description of what data it uses, how it collects it, for what purpose and how it’s stored, and then asks the user for consent and permission. This is a crucial step in GDPR compliance.
Those are the basic terms and their definitions given by the GDPR. Your business has to know them and be sure its data practices and actions reflect them accordingly. In the next part we will take a detailed look at the new rights for individuals.
Part 2 – Usage of Data and The Need for Regulation
Part 4 – What Your Business Needs to Know About GDPR (Definitions)
Part 5 – What Your Business Needs to Know About GDPR’s Rights for Individuals
Part 6 – The GDPR Fines and What Do They Mean