by Jesse Lyons, Solutions Consultant at G2 Tech Group
As you probably know by now, GDPR, or the General Data Protection Regulation, is the European Union’s new data privacy regulation, replacing 1995’s Data Protection Directive. If you’re brand new to GDPR, check out our FAQ to get you started. In this blog, we’re going to run through the basic principles in GDPR. Of course, we’re not lawyers, and we’re not trying to be, and this blog is not at all intended to be an exhaustive, comprehensive, everything-you-could-ever-need-to-know review of GDPR. But it should help you get beyond the headlines and start understanding how it’s set up and how it affects you.
How GDPR Views Data
In the world of GDPR, data is divided into two types: content and personal data. Content consists of anything that an end user or customer stores or processes through your system. That includes software, images, video, audio and text. Personal data, on the other hand, is any information that is identifiable to a living individual. In some circumstances, personal data can include content. It’s worth noting that GDPR takes a pretty broad view of the data that could be linked to an identifiable individual.
The Core Principles of GDPR
GDPR clearly establishes principles for how personal data should be treated. The first principle the regulation states is that personal data must be processed “lawfully, fairly and in a transparent manner.” Fairness in particular may seem a bit squishy, but it’s probably a good gut-check kind of standard—and, of course, the regulation provides lots of guidance on how to do specific things (like get a user’s consent) in a way that meets the “fair and transparent” standard.
GDPR also asserts that data should be collected only for “specified, explicit and legitimate purposes” and then not used for other purposes. Similarly, the regulation requires that only data that is relevant to those purposes may be collected, that the data be stored only for as long as necessary to accomplish those purposes, and that it be processed in a way that ensures “integrity and confidentiality” of the data.
Data controllers are responsible for complying with these principles, and for being able to demonstrate that they’re complying. (As you may recall from the FAQ, GDPR defines controllers as the companies that are in charge of the data and that determine how personal data is processed, while processors are the service providers, like AWS, that act on behalf of controllers.)
Individuals’ Rights Under GDPR
Within the context of those core principles, GDPR establishes a number of customer/user rights and expectations regarding data privacy:
The Right to Transparency
GDPR requires data controllers to inform users “in a concise, transparent, intelligible and easily accessible” manner what data is being collected, how it’s being used, etc. There’s a lot of detail about what has to be communicated to users and when, but the clear bottom line is controllers have to communicate what they’re doing.
The Right to Data Access & Data Portability
All individuals have the right to a copy of all of the personal data an organization has acquired regarding that individual. In addition, the data must be available in a way that is usable by the individual and can be reused by them. In other words, all personal data and content must be portable and cannot be tied to proprietary formats.
The Right to Rectification & the Right to Erasure
The Right to Rectification requires that controllers correct any errors in an individual’s data, while the Right to Erasure—also called “The Right to Be Forgotten”—gives individuals the right to get their personal data permanently deleted from companies’ systems. If an individual asks to be deleted, retaining their data violates GDPR.
The Right to Object & the Right to Restriction of Processing
When individuals believe their data is inaccurate or being misused, GDPR allows those individuals to ask controllers not to process or utilize their data. Individuals have the right to object to their data being used for certain purposes, such as direct marketing.
Controller Responsibilities Under GDPR
We’ll go into more detail on this in a later blog, but GDPR also establishes several core responsibilities controllers have in exercising responsible stewardship of individuals’ data.
Data Protection by Design and Default
GDPR requires that your applications and systems be designed with user privacy in mind. We’d argue that’s a good idea no matter what and that everyone should follow basic security and privacy best practices, like making sure data is encrypted both in flight and at rest. Some US regulations (e.g., HIPAA) require similar attention to protecting personal information, so this requirement may feel like old hat to you.
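As an added illustration of the “in flight and at rest” point (this is not the author’s or AWS’s own policy, just an example of the kind of control a controller would put in place), the S3 bucket policy below refuses any request that does not use TLS and any object upload that does not ask for server-side encryption. The bucket name is a placeholder; the condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption` are real S3 policy keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket-placeholder",
        "arn:aws:s3:::example-bucket-placeholder/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

The first statement covers data in flight (plain-HTTP requests are denied), the second covers data at rest (uploads that omit the server-side-encryption header are denied). Because both are explicit Deny statements, they override any Allow granted elsewhere, which is the behavior you want for a control you have to be able to demonstrate under the accountability principle.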
Records of Processing
Controllers are required by GDPR to maintain clear and accurate records of what types of data are being collected, what that data is used for, and how it’s processed.
Data Breach Notification
Data breaches have been an unfortunately familiar headline—think Equifax, Under Armour and Uber—and we’ve seen companies take very different approaches to notifying their users of a possible exposure. GDPR takes away a lot of that latitude and requires that controllers report a breach or possible breach within 72 hours of discovery to the appropriate supervisory authority. Additionally, if there is a high risk to the customer, controllers must notify those users within that same 72-hour timeframe. No waiting to see how things turn out before you notify users or authorities.
How to Get in Compliance with GDPR
GDPR puts a lot of responsibility for protecting customers’ private data on controllers, but you’re not on your own. Fortunately, AWS has been working for a long time on the processor side of compliance, and all AWS tools and services meet GDPR’s standards.
That said, it’s not as simple as saying “we’re on AWS so we’re good to go with GDPR.” AWS provides a compliant toolset for you to use, but as a controller, there’s a lot you have to do to ensure you’re in compliance with GDPR. As with HIPAA and other such regulations, GDPR compliance requires an understanding of the “Shared Responsibility Model” and requires that your system is architected with compliance in mind and that you operate with compliant procedures.
In the next blog, we’ll talk in more detail about the specific responsibilities of controllers and processors. In the meantime, if you need some help sorting through all this, give us a call or fill out the form below!