A Primer On GDPR: Data Protection & Privacy Regulation 2018 | Lucideus Research

GDPR stands for General Data Protection Regulation, a regulation made by the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It replaces the Data Protection Directive of 1995. Since GDPR is a regulation rather than a directive, it does not require national governments to pass any enabling legislation; it is directly binding and applicable. GDPR was adopted on 27 April 2016 and applies from 25 May 2018.

According to the European Commission, this regulation applies if the data controller (the entity that collects data), the processor (the entity that processes data on behalf of the controller) or the data subject (the person whose data is collected) is established in one of the member states of the European Union. It is also enforceable when the organizations concerned are based outside Europe but the individuals whose data is being collected reside in an EU member state.

Supervisory Authority

GDPR can be viewed as a one-stop shop for data security and privacy: it unifies the set of rules for the entire EU. Under it, each member state has to establish a supervisory authority (SA) that handles complaints, investigations and consultations for the relevant organizations. Different SAs cooperate with each other and conduct joint operations if required. All of them are overseen by a body called the European Data Protection Board (EDPB).

Data Protection Officer
If the processing is carried out by a public authority, or by a private organization whose processing involves continuous monitoring of data subjects, the organization needs to appoint an expert, the Data Protection Officer, with knowledge of data protection law, practices, IT processes and security, to support it in ensuring compliance with this regulation.

Pseudonymisation is the process of transforming the data collected from users in such a way that it can no longer be attributed to a specific individual without additional information. Encryption methods and tokenization are examples of pseudonymisation techniques. Under GDPR, controllers and processors need to implement appropriate pseudonymisation measures to ensure the security of the data, and any information that links the transformed data back to a data subject should be kept separately.
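As an added illustration (not part of the original article), the following Python sketches the tokenization approach described above: direct identifiers are replaced by keyed-hash tokens, and the table that links tokens back to people is held apart from the released data. The record layout, the `email` field and the key handling are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people), used only for this example.
CUSTOMERS = [
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.net", "country": "FR", "plan": "free"},
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
]
DIRECT_IDENTIFIERS = ("email",)  # fields naming a person directly (assumed)

def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier: deterministic, so
    records of the same person still join on the token, but without `key`
    the token cannot be recomputed or reversed from the dataset alone."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

def pseudonymise(records, key: bytes, reid_table: dict) -> list:
    """Copy `records` with direct identifiers replaced by tokens.
    `reid_table` (token -> identifier) is the information that links tokens
    back to a person; store it, and `key`, apart from the output."""
    out = []
    for rec in records:
        token = make_pseudonym(rec["email"], key)
        reid_table[token] = rec["email"]
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": token, **kept})
    return out

def contains_direct_identifier(records, originals) -> bool:
    """Release check: no original direct identifier may survive in the output."""
    idents = {o[k] for o in originals for k in DIRECT_IDENTIFIERS}
    return any(v in idents for rec in records for v in rec.values())

def reidentify(token: str, reid_table: dict):
    """Only the holder of the separately kept table can resolve a token."""
    return reid_table.get(token)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept with the table, never with the data
    table = {}
    released = pseudonymise(CUSTOMERS, key, table)
    print(released, contains_direct_identifier(released, CUSTOMERS))
```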

The controller is bound to obtain consent from the data subject in an appropriate way before collecting the data and performing subsequent processing operations, and must be able to demonstrate this if required. The data subject should be made clearly aware of the processing operation and its purposes, of any profiling and its consequences, of whether he/she is obliged to provide the personal data, and of the consequences of choosing not to.

Any information addressed to the data subject should be concise, easily accessible and easy to understand, using clear and plain language and, where appropriate, visualization.

Information to be shared with the data subjects includes the following items:

1) the identity and contact details of the controller and, where applicable, of the controller's representative

2) the contact details of the data protection officer, where applicable

3) the purpose and legal basis for processing the personal data

4) the legitimate interests pursued by the controller or by a third party

5) the recipients or categories of recipients of the personal data

6) notice of any transfer of data to a third country or international organization, and the regulation supporting it

7) the period, or the criteria for determining the period, for which the data will be stored

8) the existence of all the rights of the data subject

9) any intention to process the data for a purpose different from the original one, and the relevant further details

10) restrictions on the rights of the data subjects in special situations


The rights of the data subject under GDPR are the following:

1) Right of access to data

2) Right to rectification of data

3) Right to erasure of data (right to be forgotten)

4) Right to restriction of processing

5) Right to data portability

6) Right to object to processing of data

7) Right to withdraw consent at any time

8) Right to lodge a complaint with a supervisory authority

Processing of the personal data of a child is lawful where the child is at least 16 years old. Where the child is below the age of 16, such processing is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility for the child.

Data Breaches
In the case of a personal data breach, the controller is bound to notify the supervisory authority within 72 hours of having become aware of it. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by the reasons for the delay. Where the breach presents a high risk, it must also be communicated to the data subject.

The controller is obliged to respond to requests from the data subject at the latest within one month of receipt of the request, and to give appropriate reasons when it declines to act or when the response is delayed.

Record Keeping
Each controller must maintain a record of the processing activities under its responsibility, including all the relevant details about the people involved, the purpose, the data, transfers, time limits and the measures taken.

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial actions taken.

Data Transfer
A transfer of personal data to a third country or an international organization may take place without any specific authorization if the European Commission has decided that the country or organization ensures an adequate level of protection. In the absence of such a decision by the Commission, a controller or processor may transfer personal data only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available.

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. Fines under GDPR can be as high as 20 million EUR or 4% of the total worldwide annual turnover of the organization for the preceding financial year, whichever is higher.

Regulations like GDPR are formidable tools to tackle the issue of data privacy and security in today’s highly connected and digital world. Given recent occurrences like the Facebook-Cambridge Analytica scandal, these regulations hold extremely high significance. I believe such strict laws would come into existence in other parts of the world very soon and it will be great for a normal user if such an agreement can be made on a global level through bodies like the UN.


1) https://gdpr-info.eu/

2) Image: https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/