GDPR Archives - IDPro
https://idpro.org/tag/gdpr/

GDPR Part 4: Identification, Classification, and Analysis
https://idpro.org/gdpr-part-4-identification-classification-and-analysis/
Wed, 29 Jun 2022 19:25:40 +0000

by David William Silva, PhD

This is the last article of a series of four on the basics of the General Data Protection Regulation (GDPR). In the first article, we covered context, motivations, and goals. In the second article, we reviewed terminology and basic definitions. In the third article, we discussed examples and applications of some of the main building blocks of GDPR. In this fourth article, we review some of the most critical issues in the GDPR while identifying, classifying, and analyzing each one in practical terms.

Without any concrete instance of an application subject to GDPR compliance, one might look at the GDPR text from a dangerously relaxed perspective, which can lead (and has led) to GDPR violations, overwhelming fines, and further administrative penalties. On the other hand, generally speaking, it is not always clear how to ensure GDPR compliance. Resorting to the GDPR text without a strategy might feel like drinking from a fire hose. The whole point of this series of four articles on GDPR was to propose a gentle introduction to the subject matter in a gradual, structured way.

The primary motivation behind this fourth and last article is to propose a way to identify key regulatory components that can be classified into major groups so we can discuss their importance and practical implications. 

We organized the following discussion into four major groups: Must Know, Must Do, Better Have, and Better Do. It goes without saying that this is a non-exclusive and non-exhaustive discussion. Instead, for each of these major groups, we select one or a few examples that constitute a good start on the road to GDPR compliance. The “analysis” piece of this article is presented as an informal discussion to keep this article within an acceptable length.

Must Know

If there are components that anyone interested in GDPR must know, these are probably the applicability and non-applicability of the Regulation and associated fines. The GDPR text can sometimes be very specific and practical, while some other portions leave too much room for interpretation. In any case, establishing a knowledge foundation is the best one can do towards GDPR compliance.

Applicability and Non-Applicability of the GDPR

The General Data Protection Regulation (GDPR) establishes rules for protecting natural persons concerning the processing of personal data (Article 1). The GDPR “applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system” (Article 2). The Regulation applies to any data processing related to members of the European Union (EU) regardless of the processors’ location. (Article 3)

Natural person and data subject are synonymous. Personal data is a term for data that reveals information that identifies or has the potential to identify a natural person. Processing is the term used to describe any operation executed on personal data. A processor is a term to describe a natural or legal person who processes data (Article 4).

The GDPR does not apply to “the processing of personal data which concerns legal persons and in particular, undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person” (Recital 14). Legal entities often operate as processors. Although the GDPR does not apply to data that identifies legal entities, legal entities often possess data that identifies natural persons (their customers). Therefore, the GDPR protects these customers’ right to privacy (Article 28).

Penalties

Perhaps the most important exercise an organization intending to process data that can be seen as personally identifiable information (PII) can do is to identify what from the GDPR applies and does not apply in the context of the application that the organization is responsible for. It is not rare to see organizations downplaying the need to comply with privacy regulations such as the GDPR in an attempt to overlook its severity. However, in 2021, the GDPR issued fines up to $823.9 million for violations. 

Violations can seem subtle for some organizations already in possession of personal data. In 2020 the GDPR issued a fine of $29.3 million to a company that failed to obtain consent or to inform customers about using their personal data for telemarketing purposes.

The first step towards compliance is, obviously, to know the requirements and their applicability. In some portions of its text, the GDPR advises that in case of doubt, the requirement must be fulfilled regardless, such as in the case of performing a privacy impact assessment.

Furthermore, all the general conditions for imposing fines, with different levels of severity, can be found in Article 83 of the GDPR. 

The GDPR establishes fines and further remedies or corrective powers when a violation occurs. Fines must be “effective, proportionate and dissuasive for each individual case. For the decision of whether and what level of penalty can be assessed, the authorities have a statutory catalogue of criteria which it must consider for their decision”. Severe violations (Article 83) are subject to fines of up to 20 million euros or up to 4% of an organization’s global turnover of the preceding year, whichever is higher (GDPR Fines and Penalties).

Must Do

Not all procedures and specifications in the GDPR are mandatory, and most of what is mandatory is subject to exceptions under proper conditions. However, if there is one issue above all others that can never be neglected, that could easily be the requirement for consent. We discussed consent in the previous articles of this series, and we return to this subject to place it in the Must Do group from a practical perspective.

Consent 

As we discussed in previous articles of this series, if an organization aims to process personal data, a mechanism for obtaining the consent of data subjects must be in place. According to Council Directive 93/13/EEC, consent must be requested via a pre-formulated interface presented in an intelligible and easily accessible form, using objective and easy-to-understand language, avoiding any terms that might be considered unfair. Before providing consent, the data subject should have no doubt of the controller’s identity and the purpose of processing personal data that is being requested.

The Regulation summarily prohibits the processing of personal data unless expressly allowed by law or by the data subject. Besides consent, other mechanisms also apply for allowing the processing of personal data, such as contract, legal obligations, vital interest of the data subject, public interest, and legitimate interest according to Article 6(1). Processing personal data in the clear without consent or the previously mentioned mechanisms is a violation. (Key Issues: Consent)

Recall that consent must be “freely given, specific, informed, and unambiguous.” If processing personal data has been enabled by consent, whoever is processing that data must be able to prove that the data subject has indeed consented to the processing of their data. The data subject has the right to withdraw their consent at any time, and this process must be as easy as it was to give the consent. Withdrawing consent does not affect the lawfulness of the processing of data based on consent before its withdrawal. Conditions for Consent, Article 7, is part of the main principles of the GDPR.

At any indication that consent was obtained under pressure, penalty, and/or by some form of imposition, consent will not be regarded as freely given since, in this case, the data subject is unable to refuse or withdraw consent without detriment.

The GDPR prohibits the processing of personal data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Article 9 establishes several exceptions to this prohibition, including law enforcement activities, support of court procedures, public interest, and legal inability of a data subject to give consent.

The processing of data (by third parties) that leads to identifying data subjects is a violation of the GDPR. (Key Issues: Personal Data)

Processing of personal data is allowed when the processing no longer permits the identification of data subjects, provided that appropriate safeguards exist, such as pseudonymization (Recital 156).

Consent for personal data collection and processing for a particular purpose is not everything and certainly not the end of an organization’s concerns with respect to GDPR compliance. Still, it is undoubtedly one of the most important first steps toward the lawful processing of personal data.

Better Have

The term “better” here does not imply any relaxation with respect to obligations imposed by the GDPR. As mentioned earlier, some requirements are followed by conditions and exceptions which might release an organization from associated obligations. The term “better” here implies that even if it is not objectively mandatory, some requirements are so important that it is better for an organization to address them than otherwise. That is, the benefits of implementing some measures outweigh any associated inconvenience.

Data Protection Officer

The GDPR establishes the concept and conditions for the obligation of organizations to have a Data Protection Officer (DPO). The legal obligation to appoint a DPO does not depend on the size of the organization “but on the core processing activities, which are defined as those essential to achieving the company’s goals. If these core activities consist of processing sensitive personal data on a large scale or a form of data processing which is particularly far-reaching for the rights of the data subjects, the company has to appoint a DPO.” The GDPR also establishes that “willful or negligent failure to appoint a Data Protection Officer despite a legal obligation is an infringement subject to fines” (Key Issues: Data Protection Officer).

Organizations need to take the need and role of a DPO seriously. The DPO must be impartial and empowered to assist the organization in implementing all necessary protective measures to meet GDPR requirements. The DPO cannot perform functions that place them in a position of conflict of interest.

Appointing a DPO is one of those measures that an organization processing personal data might want to have in place even without a clear conviction of its legal obligation to do so; the immediate benefits outweigh the risks and penalties associated with failing to appoint one.

Additional information about the DPO, including the associated qualification they might have and how to hire one, is available.

Better Do

Once again, “better” here does not intend to relax any obligations from the Regulation. Instead, we use it to identify and put together mechanisms, procedures, and requirements which are better to address even if an organization falls into some condition in which it is not obligated to comply.

Privacy Impact Assessment

An organization that intends to process data must first conduct a privacy impact assessment (PIA) or data protection impact assessment (DPIA) and document it. If certain measures are in place, a PIA or DPIA might not be absolutely necessary. A PIA or DPIA is mandatory if risks from data processing are high. In case of doubt or difficulty in determining risk, a DPIA should be conducted. (Key Issues: Privacy Impact Assessment)

Records of Processing Activities

When personal data is processed, the GDPR obligates written documentation and an overview of the procedures by which personal data is processed (Article 30). This documentation must be made entirely available to authorities upon request (Key Issues: Records of Processing Activities). Not maintaining records of processing activities is a violation of the GDPR (Article 83(4)(a)).

Procedural Rights

A data subject has the right to access personal data being processed. Omitted or incomplete disclosure of access to personal data being processed upon request is subject to fines. (Key Issues: Right to Access) Any right provisioned by the GDPR, such as the Right to be Forgotten and the Right to be Informed, must be observed when applicable. 

Safeguards

The GDPR establishes that security measures must be considered and implemented according to risk assessment. These measures include (but are not limited to) pseudonymization, encryption, mechanisms for ensuring confidentiality, integrity, availability, and resilience, regular testing, ongoing evaluation of the effectiveness of present measures, and continuous improvement of the security of processing (Article 32).

Data Minimization

Data minimization is the term used to describe “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (Article 5). It is about only collecting and processing data that is absolutely required for the purposes stated when consent was requested.

Data minimization can prevent organizations from accidentally violating GDPR requirements for processing personal data, such as purpose limitation, where data is only collected for the legitimate purposes stated when requesting consent and not further processed in a way that violates its limits. Data minimization can also reduce risks and liabilities when processing personal data, such as in the case of data leakage.

Processing personal data might be allowed for particular purposes such as archiving, scientific or historical research, or statistical purposes as long as appropriate safeguards are in place. These safeguards aim to ensure that required measures are in place, particularly the principle of data minimization (Recital 156).

Data minimization is part of general data protection principles recognized by the GDPR, such as purpose limitation, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, processing of special categories of personal data, measures to ensure data security, among others (Article 47).

Anonymization

The GDPR does not apply “to anonymous information, namely, information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” Furthermore, the GDPR “does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes” (Recital 26).

Although allowed by the GDPR, it is well known that techniques such as anonymization are faulty (Broken Promises of Privacy: Responding To The Surprising Failure of Anonymization). At least since the late 2000s, schemes for de-anonymizing data have been proposed (Robust De-Anonymization of Large Sparse Datasets).

Pseudo-anonymization

Pseudonymization “means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person” (Article 4).

The GDPR establishes that techniques such as pseudonymization can reduce risks to the data subjects and help controllers and processors meet their data-protection obligations. The explicit introduction of pseudonymization is not intended to exclude any other measures for data protection (Recital 28).

The GDPR acknowledges that techniques such as pseudonymization may be reversed by unauthorized parties, which constitutes a violation (Recital 85).
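As an added example that is not part of the original article (nor code from IDPro), the following Python sketch ties together the Data Minimization section above and the definition of pseudonymization given here: a record is first reduced to the fields a documented purpose needs, and the direct identifier is then replaced by a keyed token whose key and reverse-lookup vault are held apart from the data, as the “additional information” of Article 4 requires. The purposes, field names, and sample record are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Purpose-bound field allowlists. These are constructed for this example; in
# practice they would come from the organization's records of processing
# activities (Article 30) and the purposes stated when consent was requested.
PURPOSE_FIELDS = {
    "order_fulfilment": {"customer_id", "postal_address", "order_items"},
    "sales_statistics": {"customer_id", "order_items", "order_total"},
}

# Fields that directly identify a natural person (constructed list).
DIRECT_IDENTIFIERS = {"customer_id", "full_name", "email", "postal_address"}

# A constructed customer record used as sample input.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "full_name": "Example Person",
    "email": "person@example.invalid",
    "postal_address": "1 Example Street, Example City",
    "order_items": ["widget", "gadget"],
    "order_total": 42.50,
}


def minimize(record, purpose):
    """Keep only the fields the stated purpose needs (Article 5(1)(c)).

    An undocumented purpose is rejected outright: data must not be processed
    for a purpose that was never stated (purpose limitation).
    """
    try:
        allowed = PURPOSE_FIELDS[purpose]
    except KeyError:
        raise ValueError(f"no documented purpose: {purpose!r}") from None
    return {field: value for field, value in record.items() if field in allowed}


class Pseudonymizer:
    """Replace a direct identifier with a keyed token (Article 4(5)).

    The secret key and the vault (token -> identifier) are the "additional
    information" the Regulation refers to. They belong in a separate system
    with its own access controls, never shipped alongside the pseudonymized
    records; anyone holding only the records cannot recompute or look up the
    original identifier.
    """

    def __init__(self, key=None):
        # A fresh random key unless the caller injects one (e.g. from a KMS).
        self._key = key if key is not None else secrets.token_bytes(32)
        self._vault = {}

    def token_for(self, identifier):
        # HMAC rather than a bare hash: without the key, the token cannot be
        # recomputed from a guessed identifier.
        mac = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:24]

    def pseudonymize(self, record, id_field="customer_id"):
        out = dict(record)
        token = self.token_for(str(out.pop(id_field)))
        self._vault[token] = record[id_field]
        out["customer_token"] = token
        return out

    def reidentify(self, token):
        """Authorized reversal: only possible with access to the vault."""
        return self._vault.get(token)


def residual_identifiers(record):
    """Direct identifiers still present after processing.

    Pseudonymizing one field does not make a record anonymous if the purpose
    still requires other identifying fields; this makes that visible.
    """
    return sorted(field for field in record if field in DIRECT_IDENTIFIERS)


def process_for_purpose(record, purpose, pseudonymizer):
    """Minimize first, then pseudonymize what is left."""
    return pseudonymizer.pseudonymize(minimize(record, purpose))


if __name__ == "__main__":
    vault_holder = Pseudonymizer()
    stats = process_for_purpose(SAMPLE_RECORD, "sales_statistics", vault_holder)
    print("statistics record:", stats)
    print("residual identifiers:", residual_identifiers(stats))
    print("re-identified by vault holder:", vault_holder.reidentify(stats["customer_token"]))
```

The `residual_identifiers` check is the practical counterpart of Recital 85’s concern: a record processed for order fulfilment still carries a postal address after its customer identifier has been tokenized, so it remains personal data and must be protected as such. Keeping the HMAC key and the vault out of the hands of whoever receives the records is what makes the pseudonymization hold up against reversal by an unauthorized party.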

Encryption

Organizations can reduce the probability of a data breach as well as the risk of fines by encrypting personal data. Processing data is naturally associated with a certain degree of risk. The GDPR recognizes encrypted data as unreadable by anyone who does not hold the key, which therefore minimizes the risks in case of incidents during data processing. Furthermore, the GDPR recognizes encryption as the best way to protect data in transit and at rest (Key Issues: Encryption).

Authentication

User authentication is part of the concept of Privacy by Design discussed in the Regulation (Key Issues: Privacy by Design). If not done properly, authentication can be an opening for a GDPR violation instead of a safeguard. One example would be to collect from a natural person more information than necessary to implement an authentication mechanism and, from there, make inferences about the individual that exceed the scope of authentication. The GDPR clearly states that personal data is, by nature, sensitive data (Recital 51).

Where a controller cannot identify a natural person, requesting additional data for identification purposes is allowed but not mandatory. The controller should not refuse additional information offered by the data subject (Recital 57).

Where To Go From Here

The IDPro Body of Knowledge offers an introduction to the GDPR and a discussion on the impact of GDPR on identity and access management. The full GDPR text is available online in a friendly format. Some templates are also available such as the Data Processing Agreement, instructions on how to write a GDPR-compliant privacy note, and the Right to Erase Request Form. The European Data Protection Board has a GDPR-centric news feed which can be useful for keeping up with the latest developments about GDPR.

About the Author

David William Silva is a Senior Research Scientist at Symetrix Corporation and Algemetric and is responsible for the research and development of innovative products related to security, privacy, and efficient computation powered by applied mathematics. David started his career as a Software Engineer focused on web services and agile software development, which led him to be involved with several projects from startups to government and large corporations. After 17 years of conducting R&D in Brazil, David moved to the US to engage in scientific research applied to a global industry of security and privacy, which has been his focus for the past seven years. 

The post GDPR Part 4: Identification, Classification, and Analysis appeared first on IDPro.

GDPR Part 2: Terminology and Basic Definitions
https://idpro.org/gdpr-part-2-terminology-and-basic-definitions/
Wed, 23 Mar 2022 18:05:33 +0000

by David William Silva, PhD

This is the second of four posts about the General Data Protection Regulation (GDPR) according to a proposed scheme for inspecting the Regulation, which starts by examining its context, motivations, and goals. In the first post, we saw that the GDPR protects natural persons concerning the processing of personal data, which is considered by the European Union (EU) a fundamental right that every EU citizen has. The Regulation is about establishing enforced standards for improving security and privacy mechanisms associated with the collection and use of personal data.

Now it is time to move to the second layer of understanding of the GDPR by discussing highlights of its terminology and basic definitions. Our goal is to go beyond a dictionary-style of terms and definitions in this post. Instead, the building blocks of the Regulation’s terminology will be presented within a narrative that naturally continues the initial discussion about context, motivations, and goals.

Organization

When we look at the GDPR, we see some terms repeating more frequently than others, and we see many terms being defined in terms of fundamental ones. We refer to these terms as the main objects. These main objects are associated with main actions via a main tool, which is accessed or somehow explored by main actors. We will also single out what we describe as a main event. We will see that these labels are all related, directly or indirectly, to data. Therefore we will also discuss the main types of data covered by the Regulation. The pattern “the main _____” indicates that although there are other elements in each of these categories, the ones discussed in this post are clearly the most representative in the Regulation.

The Main Objects

When reading the GDPR, it is clear what the main actors of the Regulation are. We will talk about them later in this post. We will first look at the highlights within the actors, which we refer to here as the main objects: natural person and personal data.

A natural person or data subject is anyone that can be directly or indirectly associated with an identifier such as a name, an identification number, location data, email, or factors related to the identity of a person, including physical, physiological, genetic, economic, cultural, or social ones. All the data that can lead to identifying a natural person is referred to as personal data.

The Main Actions

The main objects are the foundation for the remainder of the discussion in this post. Virtually everything in the Regulation is related to a natural person, personal data, or one of their derivatives. We refer to the portion of the Regulation that covers how to appropriately interact with the main objects as the main actions.

Personal data can be collected, generated, structured, adapted, consulted, organized, transmitted, altered, stored, and deleted. Whether or not by automated means, any of these actions or operations is a form of data processing. Personal data can be processed in many ways to achieve many purposes. To prevent unauthorized use of personal data, a restriction of processing is invoked, which consists of collecting and marking data to limit its processing in the future, according to some well-defined scope.

The automated processing of personal data to analyze or predict aspects of a natural person associated with their performance at work, economic situation, health, personal preferences, interests, behavior, among others, is known as profiling. Sometimes personal data can be organized and processed so that it is no longer attributed to a natural person without additional information, often kept separately and subject to administrative measures that ensure that it is not used for identifying a natural person. This is referred to as pseudonymization.

Consent is a freely given, specific, informed, and unambiguous declaration of the data subject’s wishes concerning collecting and processing their personal data. This can be done by a complete and formal statement or any explicit affirmative action of their understanding and agreement of the access and processing of their personal data.

The Main Tool

There are many tools associated with the GDPR in some capacity. But one tool stands out by itself for its generality and central role in the Regulation: a filing system.

Personal data is typically located in what is known as a filing system, which can be described as any structured set of personal data, whether centralized, decentralized, or dispersed in terms of functional or geographical criteria.

The Main Actors

Some particular actors in the GDPR can be generally described as an entity, that is, a natural or legal person, public authority, agency, or any other body. In this sense, the GDPR discusses the attributes and responsibilities of the following entities: controller, processor, recipient, and third party.

A controller is an entity that determines the purposes and means of processing personal data. The controller can act either alone or jointly in ruling over what type of data can be used, how it can be used, via what means, and for what purposes. Where the purposes and means of personal data processing are determined by Union or Member State law, the controller will also be provided for by Union or Member State law. An entity that processes personal data on behalf of the controller is a processor.

When a controller and/or a processor is/are directly involved in more than one Member State, the main establishment refers to the place of its central administration in the Union.

A recipient is an entity that receives personal data, regardless of whether the recipient is a third party or not. Whenever the entity receiving data is a public authority (according to specific criteria of a particular inquiry), that entity may not be referred to as a recipient.

A third party is an entity that is not the data subject, controller, processor, or any other person authorized to process data under the authority of the controller.

A representative is a natural or legal person designated by the controller or processor to represent the controller or processor concerning their obligations under the Regulation. An enterprise is a natural or legal person engaged in economic activity.

The Main Event

Similar to the notion of highlighting a single tool while acknowledging the existence of several tools in the GDPR, we also single out an event in the Regulation due to its criticality (and it is not a good one): a personal data breach.

A personal data breach refers to a security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of (or access to) personal data that is being stored or processed.

The Main Types of Data

Personal data related to a natural person’s inherited or acquired genetic characteristics are called genetic data. This type of data can provide unique information about a person’s physiology or health, typically obtained via examining biological samples from that natural person.

When personal data is more specifically related to physical or mental health, it is referred to as data concerning health, including healthcare services. This type of data can reveal information about a person’s health status.

When personal data is associated with specific technical processing relating to physical, physiological, or behavioral characteristics, it is called biometric data. Biometric data is typically used to confirm the identification of a natural person, which can be done by inspecting fingerprints, facial characteristics, body movement, among many other examples.

The Main Concepts

In its subject matter and objectives, the GDPR clearly establishes rules to protect natural persons with respect to their rights and freedoms, including the freedom of movement of personal data. Such data can, many times and for many reasons, undergo the pseudonymisation mentioned earlier, that is, processing performed in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information. Rights also include the right to privacy, data protection, data portability, erasure (the right to be forgotten), and the restriction of data processing.

The rules in the Regulation determine that personal data can only be accessed with consent, which must be freely given, specific, unambiguous, assessed, and informed. Consent can also be withdrawn.

Overall, rules are defined to enforce the security and privacy of processing personal data, which must be accurate, lawful, fair, and transparent, have limited purpose and limited storage, ensure integrity and confidentiality, and involve data minimization. Rules also serve to regulate controllers, which must be accountable. Figure 1 provides a visualization of how some of the main concepts in the GDPR relate to each other.

Figure 1: The Main Concepts in the GDPR and Their Connections

Summary

There are many terms, concepts, and definitions in the GDPR, and they are all connected somehow. The GDPR can be described as a set of rules for protecting natural persons and their personal data in a variety of scenarios and objectives for the protection of their rights, including the right to privacy. Although there is clearly much more that can be said about terminology and definitions in the GDPR, hopefully this post can contribute to a better appreciation of the official main text of the Regulation and related materials.

David William Silva, PhD

Senior Research Scientist at Symetrix & Algemetric

IDPro Member, CIDPRO


The post GDPR Part 2: Terminology and Basic Definitions appeared first on IDPro.

GDPR Part 1: Context, Motivations, and Goals
https://idpro.org/gdpr-part-1-context-motivations-and-goals/
Mon, 28 Feb 2022 20:30:01 +0000

by David William Silva, PhD

The General Data Protection Regulation (GDPR) is considered the most comprehensive security and privacy law worldwide. The GDPR was drafted and passed by the European Union (EU) and imposes obligations on organizations anywhere on Earth that target or collect data somehow associated with people in the EU.

The full text of the GDPR is organized in 99 articles across 11 chapters and 88 pages. It is clearly a substantial amount of information that cannot be exhaustively covered in a single blog post.

You certainly read and/or heard about GDPR many times in the past few years. In one way or another, the chances that the GDPR and related subjects have been brought to your attention are high. But even if you have never heard about the GDPR (although unlikely), I would like to provide a closer look at what is considered the world’s strictest security and privacy law. For that, I propose a simple technique I use when approaching any new subject, which consists of a representation of four layers of understanding, as shown in the figure below.

Our first step is to understand the context in which the GDPR came on the scene, the motivations, and its goals. This first layer of understanding is typically the minimum required to get the conversation started around any given subject. Next, we examine terminology and basic definitions. 

Getting into the second layer of understanding equips one to read and retain information from documents related to the topics at hand, which would be cumbersome without an established foundation of terms, acronyms, and definitions. 

The third layer is about examples and applications. In other words, it is about understanding terms and definitions in action in specific scenarios. Understanding how the building blocks of a subject under consideration relate to each other, how they are activated, and/or how they impact any given sequence of ideas or actions is paramount for solidifying the practical applications of the information gathered thus far. 

The fourth layer refers to observing arbitrary events and identifying the notions associated with the previous layers, relating actors and their roles, and classifying them according to the terms and definitions in the second layer. It also involves applying critical thinking to what could be “gray areas” in the fundamentals of the subject and being able to propose new practical ideas, measures, and methods that are strongly aligned with the guiding principles of that particular subject. According to this simple 4-layer scheme, understanding all layers well means having a good overview of the topic.

Next, we will take a quick look at some of the context, motivations, and goals of the GDPR.

Context

In November 1950, in Rome, Italy, the Convention for the Protection of Human Rights and Fundamental Freedoms was signed. Better known as the European Convention on Human Rights (ECHR), it established the first instrument to enforce some of the rights stated in the Universal Declaration of Human Rights. The ECHR was adopted by the Council of Europe to guard the fundamental freedoms and human rights of the people in Europe. The original text, signed in 1950, took effect on September 3, 1953, and has since been amended by 11 additional protocols. The official original text is available online.

Despite its age, this initiative from over 70 years ago is considered “the most advanced and successful international experiment in the field to date.” Part of the 1950 ECHR was a profound discussion on the right to privacy. The debate around privacy had to be adjusted to advances in society and technology, to the point that in 1995 the EU passed the Data Protection Directive (DPD), officially known as Directive 95/46/EC, establishing a minimum set of data security and privacy standards, enough to enable each member state to implement its own law. Since 1995, the DPD has been updated to address new issues and needs. In 2011, after a series of incidents involving personal data privacy violations, the EU recognized the need for a more comprehensive approach to personal data protection.

The fact that each member state had its own way of implementing laws to protect the security and privacy of personal data worked up to a point. In 2012, the European Commission submitted a draft proposal for substantial reform of the data protection rules in the EU. On December 15, 2015, the European Parliament, in conjunction with the Council and the Commission, agreed upon what was called the new data protection rules: the EU General Data Protection Regulation. The final text of the GDPR was approved on April 14, 2016.

Motivations

The underlying concept of the right to privacy is that “everyone has the right to respect for his private and family life, his home and his correspondence.” This was the driving notion that led the EU to ensure the right to personal data protection via legislation.

There was also a hope that an EU-wide law would solve several problems directly related to the fragmentation and relative independence of member states in enforcing data security and privacy laws. The idea was to facilitate cooperation in fighting crime and any form of violation of the right to privacy.

Therefore, the GDPR supersedes the DPD, building on top of crucial components of the DPD while adding more specific requirements concerning data protection. The GDPR adds more rigorous enforcement of security and privacy laws with harsh penalties and substantial fines.

Goals

The main goal of the GDPR is to create and enforce standards for data protection legislation that apply to all EU members and to anyone handling data associated with EU citizens. The GDPR also aims to ensure that EU residents know and understand their right to privacy, the resources available to them, where to look for help and any kind of support, and what to expect from organizations requesting any form or volume of personal data.

The GDPR establishes specific rules for accessing and processing personal data, together with responsibilities and penalties for those who violate any aspect of data protection under the Regulation.

When examining the full text of the GDPR, it is crystal clear that the Regulation is all about protecting people: their privacy, their right to privacy, and their right to own and protect their data and to choose what can be shared, with whom, under which conditions, for how long, and to what extent.

Summary

The cornerstone of the GDPR is the protection of natural persons with regard to the processing of personal data, which is referred to as a fundamental right that everyone in the EU has. Protecting data is just one direct consequence of protecting the privacy of the individual, which can be violated through unlawful, unsolicited, or incorrect manipulation of personal data. The GDPR addresses modern concerns with data privacy, but its principles go back to 1950. Since then, the EU has been actively improving its mechanisms for the security and privacy of personal data, moving from member states’ individual implementation of privacy-preserving measures to unified, EU-wide security and privacy standards and laws that enforce, by all means necessary, the protection of personal data. As anticipated, we are just scratching the surface of the GDPR, having only entered the first layer of understanding the Regulation according to our proposed simple scheme for organizing information. In the second part of this series, we will look at significant highlights of terminology and basic definitions and how they relate to each other in the grand scheme of all things GDPR.

David William Silva, PhD

Senior Research Scientist at Symetrix & Algemetric

IDPro Member, CIDPRO

About the Author

David William Silva is a Senior Research Scientist at Symetrix Corporation and Algemetric and is responsible for the research and development of innovative products related to security, privacy, and efficient computation powered by applied mathematics. David started his career as a Software Engineer focused on web services and agile software development, which led him to be involved with several projects from startups to government and large corporations. After 17 years of conducting R&D in Brazil, David moved to the US to engage in scientific research applied to a global industry of security and privacy, which has been his focus for the past seven years.
