by David William Silva, PhD
This is the second of four posts about the General Data Protection Regulation (GDPR) according to a proposed scheme for inspecting the Regulation, which starts by examining its context, motivations, and goals. In the first post, we saw that the GDPR protects natural persons concerning the processing of personal data, which is considered by the European Union (EU) a fundamental right that every EU citizen has. The Regulation is about establishing enforced standards for improving security and privacy mechanisms associated with the collection and use of personal data.
Now it is time to move to the second layer of understanding of the GDPR by discussing highlights of its terminology and basic definitions. Our goal is to go beyond a dictionary-style of terms and definitions in this post. Instead, the building blocks of the Regulation’s terminology will be presented within a narrative that naturally continues the initial discussion about context, motivations, and goals.
Organization
When we look at the GDPR, we see some terms repeating more frequently than others, and we see many terms being defined in terms of fundamental ones. We refer to these terms as the main objects. These main objects are associated with main actions via a main tool, which is accessed or somehow explored by main actors. We will also single out what we describe as a main event. We will see that these labels are all related, directly or indirectly, to data. Therefore we will also discuss the main types of data covered by the Regulation. The pattern “the main _____” indicates that although there are other elements in each of these categories, the ones discussed in this post are clearly the most representative in the Regulation.
The Main Objects
When reading the GDPR, it is clear what the main actors of the Regulation are. We will talk about them later in this post. We will first look at the highlights within the actors, which we refer to here as the main objects: natural person and personal data.
A natural person or data subject is anyone that can be directly or indirectly associated with an identifier such as a name, an identification number, location data, email, or factors related to the identity of a person, including physical, physiological, genetic, economic, cultural, or social. All the data that can lead to identifying a natural person is referred to as personal data.
The Main Actions
The main objects are the foundation for the remainder of the discussion in this post. Virtually everything in the Regulation is related to a natural person, personal data, or one of their derivatives. We refer to the portion of the Regulation that covers how to appropriately interact with the main objects as the main actions.
Personal data can be collected, generated, structured, adapted, consulted, organized, transmitted, altered, stored, and deleted. Whether or not by automated means, any of these actions or operations is a form of data processing. Personal data can be processed in many ways to achieve many purposes. To prevent unauthorized use of personal data, a restriction of processing is invoked, which consists of collecting and marking data to limit its processing in the future, according to some well-defined scope.
The automated processing of personal data to analyze or predict aspects of a natural person associated with their performance at work, economic situation, health, personal preferences, interests, behavior, among others, is known as profiling. Sometimes personal data can be organized and processed so that it is no longer attributed to a natural person without additional information, often kept separately and subject to administrative measures that ensure that it is not used for identifying a natural person. This is referred to as pseudonymization.
Consent is a freely given, specific, informed, and unambiguous declaration of the data subject’s wishes concerning collecting and processing their personal data. This can be done by a complete and formal statement or any explicit affirmative action of their understanding and agreement of the access and processing of their personal data.
The Main Tool
There are many tools associated with the GDPR in some capacity. But one tool stands out by itself for its generality and central role in the Regulation: a filing system.
Personal data is typically located in what is known as a filing system, which can be described as any structured set of personal data, whether centralized, decentralized or dispersed in terms of functional or geographical criteria.
The Main Actors
Some particular actors in the GDPR can be generally described as an entity, that is, a natural or legal person, public authority, agency, or any other body. In this sense, the GDPR discusses the attributes and responsibilities of the following entities: controller, processor, recipient, and third party.
A controller is an entity that determines the purposes and means of processing personal data. The controller can act either alone or jointly for ruling over what type of data can be used, how it can be used, via what means, and for what purposes. Suppose the purposes and means of personal data processing are determined by Union or Member State law, in which case the controller will also be provided by Union or Member State law. An entity that processes personal data on behalf of the controller is a processor.
When a controller and/or a processor is/are directly involved in more than one Member State, the main establishment refers to the place of its central administration in the Union.
A recipient is an entity that receives personal data, regardless if the recipient is a third party or not. Whenever the entity receiving data is a public authority (according to specific criteria of particular inquiry), that entity may not be referred to as a recipient.
A third party is an entity that is not the data subject, controller, processor, or any other person authorized to process data under the authority of the controller.
A representative is a natural or legal person designated by the controller or processor to represent the controller or processor concerning their obligations under the Regulation. An enterprise is a natural or legal person engaged in economic activity.
The Main Event
Similar to the notion of highlighting a single tool while acknowledging the existence of several tools in the GDPR, we also single out an event in the Regulation due to its criticality (and it is not a good one): a personal data breach.
A personal data breach refers to a security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of (or access to) personal data access and/or processing.
The Main Types of Data
Personal data related to a natural person’s inherited or acquired genetic characteristics are called genetic data. This type of data can provide unique information about a person’s physiology or health, typically obtained via examining biological samples from that natural person.
When personal data is more specifically related to physical or mental health, it is referred to as data concerning health, including healthcare services. This type of data can reveal information about a person’s health status.
When personal data is associated with specific technical processing relating to physical, physiological, or behavioral characteristics, it is called biometric data. Biometric data is typically used to confirm the identification of a natural person, which can be done by inspecting fingerprints, facial characteristics, body movement, among many other examples.
The Main Concepts
In the subject-matter and objects of the GDPR, it is clear that the Regulation establishes rules to protect natural persons with respect to their rights and freedoms, including freedom of movement of personal data, which can many times and for many reasons, undergo the process of pseudonymisation that we mentioned before, that is, the processing of personal data is performed in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information. Rights also include the right of privacy, data protection, data portability, erasure (the right of being forgotten), and the restriction of data processing.
The rules in the Regulation determine that personal data can only be accessed with consent, which must be freely given, specified, unambiguous, assessed, and informed. Consent also can be withdrawn.
Overall, rules are defined to enforce security and privacy of processing personal data, which must be accurate, lawful, fair, and transparent, have limited purpose, and limited storage, ensure integrity and confidentiality, and involve data minimization. Rules also serve to regulate controllers, which must be accountable. Figure 1 provides visualization of how some of the main concepts in the GDPR are related to each other.
Summary
There are many terms, concepts, and definitions in the GDPR and they are all connected somehow. The GDPR can be described as a set of rules for protecting natural persons and their personal data in a variety of scenarios and objectives for the protection of their rights, including the right of privacy. Although there is clearly much more that can be said about terminology and definitions in the GDPR, hopefully this post can contribute for a better appreciation of the official main text of the Regulation and related materials.
David William Silva, PhD
Senior Research Scientist at Symetrix & Algemetric
IDPro Member, CIDPRO
About the Author
David William Silva is a Senior Research Scientist at Symetrix Corporation and Algemetric and is responsible for the research and development of innovative products related to security, privacy, and efficient computation powered by applied mathematics. David started his career as a Software Engineer focused on web services and agile software development, which led him to be involved with several projects from startups to government and large corporations. After 17 years of conducting R&D in Brazil, David moved to the US to engage in scientific research applied to a global industry of security and privacy, which has been his focus for the past seven years.