2.0 - GDPR Basics

2.1 - Overview of GDPR Basics

  • GDPR - General Data Protection Regulation
  • Created in 2016, contains 99 articles covering basic data privacy for individuals in the EU and European Economic Area
  • Requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the EU.
  • Safe Harbor Privacy Principles were used until 2015, when they were deemed insufficient and deprecated.
  • Privacy Shield agreements took over from July 2016 to May 2018, but were again deemed insufficient.
  • GDPR took over as EU law in May 2018.

  • GDPR has 3 primary objectives:
      • Control: Give people more control over how their personal data is used
      • Trust: Tighter controls and tougher enforcement will improve trust in the digital economy
      • Simplicity: Give businesses a clear legal environment to operate in that is identical across the EU.

2.2 - Scope

  • Organizations in scope to adhere to GDPR:
      • All sectors and industries
      • Small and midsize businesses (SMB) and large enterprises

  • Both automated and manual systems are included in the scope of GDPR.

  • GDPR data exclusions:
      • Natural persons who are not EU citizens
      • National security activities

  • Data in the GDPR scope:
      • Personal data of natural persons
      • Anything that can identify a natural person
      • Any information relating to an identified or identifiable natural person
      • Does not precisely match personally identifiable information (PII) under US NIST SP 800-122

  • To determine if data is personal, one should consider:
      • Its content
      • Its purpose
      • The results of processing that data

  • Examples of personal data:
      • Name
      • Identification number
      • Location data
      • One or more of physical, physiological, genetic, mental, economic, cultural, or social data

2.3 - Important Dates

  • GDPR was adopted by EU parliament on April 14th, 2016
  • Parliament gave any impacted states and organizations 2 years to comply with the regulation
  • After May 25th 2018, GDPR was enacted as law.

  • Compliance - GDPR definition:
      • Companies must provide a reasonable level of protection for personal data
      • If a company fails to comply with GDPR regulations, it may suffer a fine or associated punishment.
      • Lower limit - A company may be fined up to 2% of its annual revenue or a flat 10 million euros (whichever is higher).
      • Upper limit - 4% of annual revenue or a flat 20 million euros.

  • Determination of fines is based on a number of factors:
      • Nature
      • Mitigation
      • Prevention
      • History
      • Cooperation
      • Data types
      • Notification
      • Certifications

Example: TalkTalk Data Breach

  • Fined £400,000
  • Assessed based on breach being proven to have been preventable
  • Under GDPR, this could have been up to £59 million.