by David William Silva, PhD
The General Data Protection Regulation (GDPR) is considered the most comprehensive security and privacy law worldwide. The GDPR was drafted and passed by the European Union (EU) and imposes obligations on organizations anywhere on Earth that target or collect data somehow associated with people in the EU.
The full text of the GDPR is organized in 99 articles across 11 chapters and 88 pages. It is clearly a substantial amount of information that cannot be exhaustively covered in a single blog post.
You have certainly read or heard about the GDPR many times in the past few years. In one way or another, the chances that the GDPR and related subjects have been brought to your attention are high. But even if you have never heard about the GDPR (although unlikely), I would like to provide a closer look at what is considered the world’s strictest security and privacy law. For that, I propose a simple technique I use when approaching any new subject, which consists of a representation of four layers of understanding, as shown in the figure below.
Our first step is to understand the context in which the GDPR came on the scene, the motivations, and its goals. This first layer of understanding is typically the minimum required to get the conversation started around any given subject. Next, we examine terminology and basic definitions.
Getting into the second layer of understanding equips one to read and retain information from documents related to the topics at hand, which would be cumbersome without an established foundation of terms, acronyms, and definitions.
The third layer is about examples and applications. In other words, it is about understanding terms and definitions in action in specific scenarios. Understanding how the building blocks of a subject under consideration relate to each other, how they are activated, and/or how they impact any given sequence of ideas or actions is paramount for solidifying the practical applications of the information gathered thus far.
The fourth layer refers to observing arbitrary events and identifying the notions associated with the previous layers, relating actors and their roles, and classifying them according to the terms and definitions in the second layer. It also involves applying critical thinking to what could be “gray areas” in the fundamentals of the subject and being able to propose new practical ideas, measures, and methods that are strongly aligned with the guiding principles of that particular subject. According to this simple 4-layer scheme, understanding all layers well amounts to a good overview of the topic.
Next, we will take a quick look at some of the context, motivations, and goals of the GDPR.
In November 1950, in Rome, Italy, the Convention for the Protection of Human Rights and Fundamental Freedoms took place. Better known as the European Convention on Human Rights (ECHR), it established the first instrument to enforce some of the rights stated in the Universal Declaration of Human Rights. The ECHR was adopted by the Council of Europe to guard the fundamental freedoms and human rights of the people in Europe. The original text signed in 1950 took effect on September 3, 1953, and has since been amended by 11 additional protocols. The official original text is available online.
Despite its age, this initiative from over 70 years ago is considered “the most advanced and successful international experiment in the field to date.” Part of the 1950 ECHR was a profound discussion on the right to privacy. The debate around privacy had to be adjusted to advances in society and technology, to the point that in 1995 the EU passed the Data Protection Directive (DPD), officially known as Directive 95/46/EC, establishing a minimum set of data security and privacy standards, enough to enable each member state to implement its own law. Since 1995, the DPD has been updated to address new issues and needs. In 2011, after a series of incidents involving personal data privacy violations, the EU recognized the need for a more comprehensive approach to personal data protection.
The fact that each member state had its own way of implementing laws to protect the security and privacy of personal data worked up to a certain point. In 2012, the European Commission submitted a draft proposal for a substantial reform of the data protection rules in the EU. On December 15, 2015, the European Parliament, in conjunction with the Council and the Commission, agreed upon what were called the new data protection rules, the EU General Data Protection Regulation. The final text of the GDPR was approved on April 14, 2016.
The underlying concept of the right to privacy is that “everyone has the right to respect for his private and family life, his home and his correspondence.” This was the driving notion that led the EU to ensure the right to personal data protection via legislation.
There was also a hope that an EU-wide law would solve several problems directly related to the fragmentation and relative independence of member states in enforcing data security and privacy laws. The idea was to facilitate cooperation in fighting crime and any form of violation of the right to privacy.
Therefore, the GDPR supersedes the DPD, building on crucial components of the DPD while adding more specific requirements concerning data protection. The GDPR adds more rigorous enforcement of security and privacy laws, with harsh penalties and substantial fines.
The main goal of the GDPR is to create and enforce standards for data protection legislation that apply to all EU members and to anyone somehow connected to data associated with EU citizens. The GDPR also aims to ensure that EU residents know and understand their right to privacy, the resources available to them, where to look for help and any kind of support, and what to expect from organizations requesting any form or volume of personal data.
The GDPR establishes specific rules for accessing and processing personal data, together with responsibilities and penalties for those who violate any aspect of data protection under the Regulation.
When examining the full text of the GDPR, it is crystal clear that the Regulation is all about protecting people: their privacy, their right to privacy, their right to own and protect their data, and their right to choose what can be shared, with whom, under which conditions, for how long, and to what extent.
The cornerstone of the GDPR is the protection of natural persons with regard to the processing of personal data, which is referred to as a fundamental right that everyone in the EU has. Protecting data is just one direct consequence of protecting the privacy of the individual, which can be violated through unlawful, unsolicited, or incorrect manipulation of personal data. The GDPR addresses modern concerns with data privacy, but its principles go back to 1950. Since then, the EU has been actively improving its mechanisms for the security and privacy of personal data, moving from privacy-preserving measures executed individually by each member state to unified, EU-wide security and privacy standards and laws that enforce, by all means necessary, the protection of personal data. As anticipated, we are just scratching the surface of the GDPR, since we have only entered the first layer of understanding the Regulation according to our proposed simple scheme for organizing information. In the second part of this series, we will look at significant highlights of terminology and basic definitions and how they relate to each other in the grand scheme of all things GDPR.
David William Silva, PhD
Senior Research Scientist at Symetrix & Algemetric
IDPro Member, CIDPRO
About the Author
David William Silva is a Senior Research Scientist at Symetrix Corporation and Algemetric and is responsible for the research and development of innovative products related to security, privacy, and efficient computation powered by applied mathematics. David started his career as a Software Engineer focused on web services and agile software development, which led him to be involved with several projects from startups to government and large corporations. After 17 years of conducting R&D in Brazil, David moved to the US to engage in scientific research applied to a global industry of security and privacy, which has been his focus for the past seven years.