The full GDPR text (Regulation (EU) 2016/679), available in multiple languages, can be accessed on the European Commission's website. Follow the link below to be redirected.
Countries and territories outside the EU/EEA that the European Commission has found, by an 'adequacy decision' (Art. 45), to provide a level of protection essentially equivalent to that of the GDPR are listed on the European Commission's website. Personal data may be transferred to recipients in those destinations without any additional safeguard such as Standard Contractual Clauses. Follow the link below to be redirected.
Anonymisation and its cousin 'pseudonymisation' both remove personal identifiers from data, but only the former does so completely. Anonymised data can no longer be linked to an identifiable person by any means reasonably likely to be used, and so falls outside the GDPR altogether (Recital 26). Pseudonymised data has had its direct identifiers replaced, for example by a code or token, in such a way that re-identification requires additional information (a key, a lookup table, an external coding system) that is kept separately and under its own safeguards (Art. 4(5)). Because that additional information still exists, pseudonymised data remains personal data and every GDPR obligation continues to apply to it. Keep the distinction in mind when a retention limit is reached or a 'request for erasure' arrives: genuinely anonymising a record, which includes removing or generalising indirect identifiers that could single someone out in combination, is a compliant way to retain its non-personal elements while upholding the data subject's rights; merely hashing or tokenising the identifiers is not.
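As an added example, not taken from the original page, the following Python script contrasts the three operations a practitioner is likely to reach for when a retention limit or erasure request lands: dropping direct identifiers outright (anonymisation), replacing them with keyed HMAC-SHA256 tokens whose key is held separately (pseudonymisation), and the common mistake of unkeyed hashing. The sample record, the candidate list and the key handling are constructed for illustration. The dictionary attack on the unkeyed hash shows why a hashed e-mail address is still personal data, and the `relink` function shows that the same attack succeeds against the keyed token only for whoever holds the key, which is exactly why pseudonymised data stays in scope.

```python
import hashlib
import hmac

# Constructed sample record and candidate list (not real people).
RECORD = {
    "email": "alice@example.com",
    "name": "Alice Example",
    "country": "SE",
    "purchases": 3,
}
DIRECT_IDENTIFIERS = ("email", "name")
# Identifiers an attacker could plausibly enumerate (a leaked customer list,
# a public directory, a wordlist of common address formats, ...).
CANDIDATES = ["bob@example.com", "carol@example.org", "alice@example.com"]


def pseudonymise(record, key):
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    `key` is the 'additional information' of GDPR Art. 4(5): it must be
    stored separately from the data set, under its own access control.
    Tokens are deterministic per key, so records can still be joined
    across tables, and whoever holds the key can re-link them to a person.
    The output is therefore still personal data.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = hmac.new(key, out[field].encode("utf-8"),
                                  hashlib.sha256).hexdigest()
    return out


def anonymise(record):
    """Drop direct identifiers entirely.

    Nothing remains to re-link, so the retained fields stop being personal
    data, provided the remaining fields (country, purchase count, ...)
    cannot single out an individual in combination. That k-anonymity style
    check is data-set specific and not shown here.
    """
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def naive_hash(value):
    """Unkeyed SHA-256, which teams often mislabel as 'anonymisation'."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reverse_naive_hash(digest, candidates):
    """Dictionary attack on an unkeyed hash.

    E-mail addresses and similar identifiers have low entropy, so anyone
    who can enumerate plausible inputs recomputes the digests and recovers
    the original. Returns the matching identifier or None.
    """
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest:
            return candidate
    return None


def relink(token, candidates, key):
    """The same attack against a keyed token, run by someone holding `key`.

    With the right key it succeeds (the key holder can re-identify the
    subject); with a wrong or missing key every candidate fails, so the
    token reveals nothing to a party who only sees the data set.
    """
    for candidate in candidates:
        guess = hmac.new(key, candidate.encode("utf-8"), hashlib.sha256).hexdigest()
        if hmac.compare_digest(guess, token):
            return candidate
    return None


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # in production: generated and held in a KMS/HSM
    pseud = pseudonymise(RECORD, key)
    print("pseudonymised:", pseud)
    print("anonymised:", anonymise(RECORD))
    print("naive hash reversed:", reverse_naive_hash(naive_hash(RECORD["email"]), CANDIDATES))
    print("HMAC relinked with key:", relink(pseud["email"], CANDIDATES, key))
    print("HMAC relinked without key:", relink(pseud["email"], CANDIDATES, b"wrong"))
```

The design point is the asymmetry: pseudonymisation is useful precisely because the controller can still join and, when needed, re-identify, which is also why it never satisfies an erasure request on its own. Only `anonymise` (followed by a check that the remaining fields do not single anyone out) produces data the GDPR no longer covers. Deleting the HMAC key converts the pseudonymised set into an anonymised one only if no copy of the key or of the original identifiers survives anywhere.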
Data breaches are often associated with malicious intent, but a large share are instead caused by human error. Under the GDPR, a personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Art. 4(12)), whether in digital or analogue (paper) form. It therefore covers everything from a compromised server, to an e-mail sent to the wrong recipient, to paperwork left in view of prying eyes; a lost unencrypted laptop or a ransomware attack that destroys availability of the data qualifies just as much as a theft. Where a breach is likely to result in a risk to individuals, the controller has 72 hours from becoming aware of it to notify the applicable data protection authority (Art. 33), and where that risk is high the affected data subjects must also be informed without undue delay (Art. 34). A processor must notify its controller without undue delay after becoming aware of a breach. Because the clock starts at awareness rather than at investigation, all organisations should have a breach-response process ready in advance.
A 'data controller' is the entity (e.g. company, public authority, agency, etc.) that determines the purposes and means of processing personal data, and so sets the instructions any associated data processors must follow. Under the EU GDPR, a controller that engages a processor must put a binding contract in place, commonly called a 'Data Processing Agreement' (DPA), containing the terms required by Art. 28, including that the processor acts only on the controller's documented instructions. The controller remains accountable for the processing regardless of who performs it, which means closely monitoring and assessing its risks, defining and documenting its purposes, and being able to demonstrate compliance (Art. 5(2)).
'Data processing' is any operation performed on personal data, whether or not it is automated. Collection, recording/storage, organisation, alteration, dissemination (making available), restriction, and erasure/destruction of personal data are all considered processing (Art. 4(2)). Since many of these operations are commonplace, the vast majority of businesses are subject to data privacy legislation. The GDPR applies to organisations established in the EU/EEA, and to organisations outside it that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA (Art. 3); if either description fits, the GDPR is where to begin.
A 'data processor' is any natural or legal person that processes personal data (e.g. collection, organisation, erasure, etc.) on behalf of a data controller (Art. 4(8)), such as a hosting provider, a payroll bureau or an analytics vendor. The personal data can be that of customers, staff members, partners or affiliates, or any other individual ('data subject'). A processor may act only on the controller's documented instructions and is not itself a controller of that data; the two roles are distinct, although a single organisation can be a controller for some processing (its own staff records, say) and a processor for other processing it performs for clients. Processors also carry direct obligations of their own, including security measures, record-keeping and breach notification to the controller, under whichever legislation applies, which may include the EU GDPR, UK GDPR, and others.
The General Data Protection Regulation (GDPR) gives data subjects 8 rights: the right to be informed, the rights of access, rectification, erasure, restriction of processing, data portability and objection, and rights related to automated decision-making and profiling. Individuals can submit Data Subject Requests (DSRs) invoking any of these, which the data controller must answer without undue delay and at the latest within 1 month of receipt (Art. 12). That period can be extended by up to two further months where requests are complex or numerous, provided the individual is told within the first month why the extension is needed. Exemptions also exist that allow an organisation to refuse a specific DSR, for instance where it is manifestly unfounded or excessive, or where complying would harm the rights of another person; a refusal must be explained to the individual together with their right to complain to the supervisory authority.
The GDPR protects the rights of 'identified or identifiable natural persons', known as 'data subjects', who are in the European Union (EU) and the wider EEA, regardless of their nationality or place of residence. A 'natural person' is a living human being, as opposed to a 'legal person', which may be a private or public organisation. Identifiers can take many forms: a name, an identification number such as a social security number, location data (physical or digital), an online identifier such as an IP address or cookie ID, or factors specific to a person's physical, genetic, economic, cultural or social identity, to name only a few (Art. 4(1)). During compliance efforts, be sure to consider all data subjects: customers, colleagues, and staff alike.
The Information Commissioner's Office (ICO) is the United Kingdom's (UK) independent authority whose role it is to uphold information rights in the public interest. Covering several pieces of legislation, including the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) and the Freedom of Information Act, the ICO's remit extends beyond data privacy into data protection, investigatory powers, freedom of information, and more. While also performing the common duties of any data protection authority, the ICO is of particular importance for the implementation of the post-Brexit 'UK GDPR', the retained version of the EU regulation that now applies to data subjects in the UK.
Integritetsskyddsmyndigheten (IMY) is the Swedish Data Protection Authority (DPA). Tasked with protecting individuals' data privacy and security, the IMY educates organisations about, and supervises the implementation of, the European Union's General Data Protection Regulation (GDPR) in Sweden. Alongside handling data breach reports and complaints of non-compliance, the IMY publishes frequent updates on legislative amendments and issued fines, as well as guidance on best practices for any organisation processing personal data.
Standard Contractual Clauses (SCCs) are model contract terms, adopted by the European Commission, that the data exporter and the data importer sign before personal data is transferred to a recipient in a 'third country' (outside the EU/EEA) that is not covered by an adequacy decision. They are one of the 'appropriate safeguards' of Art. 46 and may not be altered, although additional clauses can be appended so long as they do not contradict them. Other mechanisms have existed to simplify such transfers, such as the EU-US Privacy Shield, which the Court of Justice of the EU invalidated in its 'Schrems II' judgment of July 2020, but SCCs remain the most practical option for small- and medium-sized enterprises dealing with extra-EU/EEA third parties. Note that since Schrems II, signing SCCs alone is not enough: the exporter must also assess whether the destination country's laws undermine the clauses in practice (a 'transfer impact assessment') and, where they do, put supplementary measures in place, such as strong encryption with the keys held only inside the EU/EEA.