The General Data Protection Regulation, enacted by the European Union in 2018, is the world’s most important and broadly applicable data privacy law. Read on to understand what kind of data is protected by the GDPR, which rights it aims to enforce for owners of the data, and what your organization needs to do to protect personal data and avoid legal sanctions, including data protection considerations.
In this article you will learn:
• What is GDPR?
• How personal data is defined under the GDPR
• GDPR data privacy rights
• GDPR data protection requirements
• Protecting personal data with Cloudian storage
What is GDPR?
The GDPR is a legal standard that protects the personal data of European Union (EU) citizens and affects any organization that stores or processes their personal data, even if it does not have a business presence in the EU.
Because there are hundreds of millions of European Internet users, the standard affects almost every company that collects data from customers or prospects over the Internet. GDPR non-compliance carries severe sanctions, with fines up to 4% of annual revenue or €20 million.
GDPR legislators aimed to define data privacy as a basic human right, and standardize the protection of personal data while putting data subjects in control of the use and retention of their data.
There are two primary roles in the GDPR: the GDPR Data Controller is an entity that collects or processes personal data for its own purposes, and a GDPR Data Processor is an entity that holds or processes this type of data on behalf of another organization.
Finally, the Data Protection Officer is a role appointed by an organization to monitor how personal data is processed and ensure compliance of the GDPR.
What is personal data according to the GDPR?
“Personal data”, according to the legal definition of the GDPR legislation, is any information about an identified or identifiable person, known as a data subject.
Personal data includes any information that can be used, alone or in combination with other information, to identify someone.
This includes: name, address, ID or passport number, financial info, cultural details, IP addresses, or medical data used by healthcare professionals or institutions.
Other special data you may not process or store: Race or ethnicity, sexual orientation, religious beliefs, political beliefs of memberships, health data (unless the explicit concern is granted or there is substantial public interest).
Learn more in our article about data protection regulations.
GDPR data privacy rights
The GDPR aims to protect the following rights of data subjects with respect to their personal data.
Data subjects have the following basic rights under the GDPR:
- Collecting data from children — requires parental consent until children are between 13-16 years old.
- Data portability and access — data subjects must be able to access their data as stored by the Data Controller, know-how and why it is being processed, and where it is being sent.
- Correcting and objecting to data — data subjects should be able to correct incorrect or incomplete data, and data controllers must notify all data recipients of the change. They should also be able to object to the use of their data, and Data Controllers must comply unless they have a legitimate interest that overrides the data subject’s interest.
- Right to erasure — data subjects can ask data controllers to “forget” their personal data. Organizations may be permitted to retain the data, for example, if they need it to comply with a legal obligation or if it is in the public interest, for example in the case of scientific or historical research.
- Automated decision-making — data subjects have the right to know that they were subject to an automated decision based on their private information, and can request that the automated decision is reviewed by a person, or contest the automated decision.
- Notification of breaches — if personal data under the responsibility of a data controller is exposed to unauthorized parties, the controller must notify the Data Protection Authority in the relevant EU country within 72 hours, and in some cases also needs to inform individual data subjects.
- Transferring data outside the EU — if personal data is transferred outside the EU, the data controller should ensure there are equivalent measures to protect the data and the rights of data subjects.
GDPR data protection requirements — how are you required to protect personal data?
The GDPR defines specific ways in which a data controller must protect personal data. Failing to do so may result in fines and other sanctions. Here are the essential data protection requirements, defined in articles 24, 25, and 32:
data controllers are required to handle data securely by implementing technical measures, for example, authenticated access to data and encryption, and organizational measures, such as training staff on data privacy and setting policies for appropriate access to personal data.
Specifically, article 32 of the GDPR requires data controllers to:
- Perform encryption and pseudonymization (a technique for replacing personally identifiable information with other similar data) of personal data;
- Ensure the confidentiality and integrity of data processing systems
- Restore availability and access to personal data if it becomes unavailable
- Test, assess and evaluate measures for securing data processing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Data Protection by Design and By Default
Any computer system that handles or stores personal data must protect personal data, for example by pseudonymization, data minimization (reducing to the minimum form required for the data controller’s purposes; or tokenization, which replaces personal data with meaningless random tokens.
Read the 10 components of an effective data protection strategy.
Protecting Personal Data with Cloudian
The GDPR requires you to control the use of personal data, and delete personal data if requested by data subjects. When you share personal data among users and store it in the cloud, you lose fine-grained control over the data. When you receive a data subject access request (DSAR), you may not be able to find all instances of the information, which may result in sanctions or fines.
Cloudian provides fast, reliable, on-premises storage for backup and archive data. It offers the power of cloud-based file sharing in an on-premise device that gives you the control you need to comply with GDPR data protection requirements.
Secure Solution for File Sharing
- Multiple layers of data protection:
- Storage within firewall
- Remote user access via secure connections
- Configure geo boundaries for data access
- Policy-defined data synch to user devices
- Integrated replication for DR
Read more in our blog post: GDPR-compliant file sharing.