IT Briefcase: Demystifying Common GDPR Terms
Back in May, the world marked the one-year anniversary of the General Data Protection Regulation, or GDPR as it’s now commonly known. Over the course of the year, GDPR and related stories were rarely out of the headlines. GDPR was mentioned in seemingly every story written about data privacy, if not covered exclusively. In the wake of all the hype, companies around the world with a data presence in the EU spent millions to comply with the newly passed regulations. GDPR was, and in many ways remains, everywhere.
Yet despite all the buzz, many companies are still struggling to meet GDPR compliance. Even among those organizations that are in the process of complying or see it as an inevitability, GDPR definitions and associated terms often remain head-scratchers. In order to help enterprises navigate GDPR regulations, I’ve put together an easily digestible explanation of words and phrases associated with GDPR that are frequently used but not always clarified.
Since GDPR at its core is a set of rules designed to give EU citizens more control over their personal data, it makes sense to begin by defining “Personal Data.” According to the regulations, personal data is any information about an individual who can be identified (even indirectly) by name, number, location, or online identification. This can also include things such as the physical, physiological, genetic, mental, economic, cultural, biometric, or social identity of the person.
Organizations then use this information about an individual to conduct “Profiling.” This means they automatically analyze and sort a person based on aspects related to their personal data, such as their location, health, or interests. For example, a company may set up an automation mechanism in their system that places all identities living in a specific place under a tag that defines their financial situation.
Typically, an organization will compile personal data into a “Personal Data Inventory.” This is a central place that manages information relating to an identified or identifiable natural person that your organization stores, processes or shares. If your inventory is missing even one part (for example: it is unable to automatically identify new network elements that process personal data) it is unreliable, preventing you from complete and comprehensive reporting, which equals noncompliance.
The personal data inventory of any organization should be carefully placed in a “Filing System.” The essential component of any organizational filing system, whether automatic or manual, is that it is structured, or organized, in such a way that anyone can easily extract (or access) all the personal data information they seek.
It is well documented in GDPR that businesses are required to know what personal data they are “Processing.” Processing is essentially any action an organization can take with personal data. This can mean storing, recording, organizing, erasing, altering and so on. Simply changing a person’s address, or moving it to a different file, or deleting dated information all count as processing.
Organizations that handle personal data are required to designate both a “Controller” and a “Processor.” A controller is the person or entity that lawfully collects information and manages what is done with the personal data. A processor is the person or entity who has been given personal data by the controller and has permission to use it. The controller must take measures to ensure that all processors of the personal data abide by GDPR rules. Both the controller and the processor must be concerned with “Consent.” Consent is when a fully informed person agrees with the controller (or processor) that data can be used for the purposes agreed upon.
This brings us to “Third Party.” A third party is any person or organization, excluding the data subject, who has been authorized by the controller or a processor to process the data. Within that organization is a “Recipient.” This is a person or organization to which any and all personal data was disclosed. The recipient does not include public authorities who receive personal data when acting in accordance with local laws.
The last term is one you hope your organization never utters: “Personal Data Breach.” As defined by GDPR, a personal data breach occurs when personal data is destroyed, lost, changed, given away, or otherwise accessed or used unlawfully.
Like it or not, the GDPR is here to stay, and its scope will surely expand as the years go by. Again, any company with a data presence in the EU – or looking to expand business there – is subject to its regulations and the compliance obligations that follow. While these are only a few terms related to GDPR and will in no way make you an expert on the subject, they should give you a baseline understanding of the regulations and the ability to speak on them, especially if you’re new to the territory.