What is the GDPR?
The General Data Protection Regulation (GDPR), with enforcement beginning on May 25, 2018, imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze personal data tied to EU residents. The GDPR applies regardless of where your organization is located.
The law updates European privacy regulations for the first time in more than two decades, bringing them more in line with current technologies, and increases the uniformity of privacy regulations across the EU’s member states. The GDPR is also a complex regulation that may require vast changes in how you gather and manage data.
The personal data covered by the GDPR includes: name, identification number (e.g., SSN), location data (e.g., home address), and online identifiers (e.g., e-mail address, screen names, IP address, device IDs). It also covers a category of personal data considered highly sensitive, including: genetic data, biometric data (e.g., fingerprints, facial recognition, retinal scans), and other sub-categories of personal data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, or data concerning sexual orientation).
Among the key elements of the GDPR are the following:
- Enhanced personal privacy rights—The GDPR strengthens and unifies data protection for individuals within the EU by ensuring they have the right to access their data, to correct inaccuracies, to erase data, to object to processing of their information, and to move their data. Additionally, data controllers and processors face increased security requirements to ensure data is better protected.
- Increased duty for protecting data—The GDPR contains rule changes that reinforce the accountability of companies and public organizations that process personal data, providing increased clarity of responsibility in ensuring compliance.
- Mandatory breach reporting—The GDPR requires companies to report data breaches to their supervisory authorities without undue delay, and generally no later than 72 hours.
- Significant penalties for non-compliance—The regulation features steep administrative sanctions, including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply.
The GDPR also introduces the concept of pseudonymous data, i.e., personal data that has undergone pseudonymization. This is different from anonymized data, where the link back to the data subject is destroyed. With anonymized data there is no way to re-identify the data subject, so it falls outside the scope of the GDPR. However, anonymized data may not be very useful in your application.
As noted in the GDPR (Provision 28), “The application of pseudonymization to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymization’ in this Regulation is not intended to preclude any other measures of data protection.”
You can achieve pseudonymization in a couple of ways. You can use a “token”, such as a separate lookup table linking a person’s name with a randomly generated identification number (e.g., “12345” is the identifier for “John Smith”). You can also use encryption, where a mathematical algorithm is used to protect the data of a natural person. If you lose the token lookup table or the encryption key, you essentially have anonymized data.
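The token approach, as an added illustration that is not part of the original post: a small Python lookup-table vault that swaps identifying fields for random tokens, can reverse them while the table exists, and turns the data effectively anonymous once the table is discarded. The class, field names and sample records are constructed for this example.

```python
import secrets
from typing import Optional

# Fields that directly identify a natural person; they get replaced by tokens.
IDENTIFYING_FIELDS = ("name", "email")

class TokenVault:
    """Lookup table linking real identifiers to random tokens (pseudonymization)."""

    def __init__(self) -> None:
        self._forward: dict = {}  # original value -> token
        self._reverse: dict = {}  # token -> original value

    def _token_for(self, value: str) -> str:
        # One token per identifier, so records for the same person stay
        # linkable for analysis without revealing who they are.
        if value not in self._forward:
            token = secrets.token_hex(8)  # random, not derived from the value
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)  # non-identifying fields (amounts etc.) stay intact
        for field in IDENTIFYING_FIELDS:
            if field in out:
                out[field] = self._token_for(out[field])
        return out

    def reidentify(self, token: str) -> Optional[str]:
        return self._reverse.get(token)  # None once the vault no longer holds it

    def destroy(self) -> None:
        """Discard the lookup table: tokens become irreversible, i.e. anonymized."""
        self._forward.clear()
        self._reverse.clear()

# Constructed sample records for the demo, not real people.
SAMPLE_RECORDS = [
    {"name": "John Smith", "email": "john@example.com", "order_total": 42.0},
    {"name": "John Smith", "email": "john@example.com", "order_total": 17.5},
]

def demo() -> tuple:
    vault = TokenVault()
    pseudo = [vault.pseudonymize(r) for r in SAMPLE_RECORDS]
    linked = pseudo[0]["name"] == pseudo[1]["name"]  # same person, same token
    original = vault.reidentify(pseudo[0]["name"])   # works while vault exists
    vault.destroy()                                  # the "lost token" case
    return pseudo, linked, original, vault.reidentify(pseudo[0]["name"])
```

In practice the vault would live in a separately secured store with its own access controls, since whoever holds it can re-identify every record.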
If your organization pseudonymizes its data, it will benefit from the relaxation of certain provisions of the GDPR with respect to data breach notification requirements. The GDPR also encourages pseudonymization in the interests of enhancing security and as a privacy-by-design measure.
You will have very strong incentives to employ pseudonymization technologies under the GDPR to mitigate your compliance obligations and manage your risks. Bear in mind that, while the GDPR considers both encryption and pseudonymization as safeguards, under Article 34 breach notification may be avoided if “the controller has implemented appropriate technical and organizational protection measures…such as encryption.”
In the next blog post, we’ll look at how the GDPR affects IT and the use of cloud services. Future posts will look at how Microsoft is responding to the GDPR and how our GDPR Framework for the Microsoft Cloud and the GDPR Baseline built into various CloudAtlas solutions can help you meet your GDPR compliance obligations for Microsoft Cloud Services such as Azure and Office 365.