GDPR - morgan-hanrahan/Tech-Journal GitHub Wiki

History and Background

  • 1984: Data Protection Act passed (UK)
  • 1995: Data Protection Directive passed (EU)
  • 1998: Data Protection Act 1998 passed (UK)
  • 2000: International Safe Harbor Privacy Principles established
  • 2012: European Commission announces its plan to develop the GDPR
  • 2015: International Safe Harbor Privacy Principles overturned
  • 2016: EU-US Privacy Shield replaces the International Safe Harbor Privacy Principles
  • 2016: GDPR is approved by EU Parliament
  • 2018: GDPR takes effect

General Description

  • GDPR: General Data Protection Regulation
  • Massive set of regulations for sensitive data within the EU
  • Applies to foreign companies if they deal with EU citizens
  • Rights over your data
    • Right to be forgotten, to see or change your own data, to know if your data has been leaked, to object to specific types of data processing, and to request a copy of your data.
  • Personal data means any data that can be traced back to you

Who must comply

  • Almost every business operating on a global scale must comply
  • "Any organization that processes the personal data of people in the EU must comply with the GDPR"
  • Even if an organization isn't connected to the EU, if it processes the personal data of people in the EU it must comply
    • This means a business that caters to customers in the EU is subject to GDPR requirements
    • If you track visitors to your website, you also fall within its scope
  • Exceptions include, but aren't limited to:
    • Purely personal/household activities
    • Organizations with <250 employees are exempt from most requirements of GDPR

Specific controls/requirements

  • Article 5 Section C
    • "Personal data shall be: adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ('data minimization')"
  • Example:
    • A bookstore sells books online to EU citizens
    • It needs only the specific data required to carry out that purpose
      • Name & address to ship the books, and payment information.
    • The bookstore can't require the collection of information that isn't needed to facilitate the transaction
      • Birthday, email of a friend, or even an address.

Difficulty for Organizations to comply

  • Harder for organizations to apply because of the backlash it originally received and the way companies scrambled to meet the new standards.
  • Smaller businesses find compliance easier: they lack the infrastructure that would put them at risk of violating GDPR, they don't need to store as much information, and they have little desire to sell customer data to advertising agencies. The regulation also applies far less to any company under 250 employees.
  • Due to how wide the scope of GDPR is, it can be difficult for businesses to determine if they’re required to comply.

Benefits

  • GDPR helps protect citizens of the EU and their personal data
  • Holds businesses accountable for handling personal data
  • Improves data security for people outside the EU, since it's applied on a broad scope

Drawbacks

  • There isn't much flexibility for organizations that do benefit from data sales. This can hurt the potential for industry in areas covered by these laws: should the government refuse to relent on fining, companies may be driven out of its economy. (Because of this, it hasn't been heavily enforced.)