GDPR for Dummies
Sameera Ramachar
Quality Engineering, Program/Release Management, Engineering Management
This article is a quick and dirty introduction to GDPR that can get you started.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals who reside in the European Union. It also addresses the export of personal data outside the EU. The regulation primarily aims to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
GDPR was approved by the European Parliament on April 14, 2016, and a two-year transition period was provided for organizations to reach compliance. That period ended on May 25, 2018. The regulation now applies to all existing systems storing data of EU residents. You can see that they took enough time to deliberate on the regulation and must have gone through multiple rounds of reviews and discussions.
GDPR supersedes the EU's previous laws/directive on data privacy and was drafted by the Council of the European Union, the European Parliament, and the European Commission. GDPR is a law and applies to all companies doing business with European data subjects (EU residents), irrespective of where the company is located.
Personal data can be as simple as a name, photo, email, phone number or race, and as complex as medical records, tax records or biometric data: basically, any data that can be used to determine your identity. This also includes pseudonymous data. For minors below 16, consent from a parent/legal guardian must be obtained to collect and store their data.
GDPR consists of 11 chapters and 99 articles. Here is the link
Compliance with GDPR can be validated by getting audited, either by an internal SME or by an external agency.
GDPR is being actively looked at by other countries like the US and might soon become a standard in other countries too.
Laws in India are also being worked on to increase the privacy of user data. As of now, certain companies in India are referring to ISO 27001.
GDPR expects data protection and privacy by design and by default.
Data should only be accessed with explicit consent and never be publicly accessible. Also, stored data should not lead to a data subject directly without additional information, which must be stored separately. Basically, full anonymization.
A data subject has the right to revoke consent at any time, and systems should provide a way to do this. Consent, once given, should not be assumed to be permanent and immutable.
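The two points above describe what GDPR (Article 4(5)) calls pseudonymisation: the working dataset carries only a token, and the information needed to link that token back to a person is kept in a separate store with its own access controls. One caveat a practitioner should keep in mind is that pseudonymised data is still personal data under GDPR (Recital 26); only data that can no longer be attributed to a person at all counts as anonymous. The script below is an added example written for this article, not code from the page or from any regulator; the record layout, field names and sample values are constructed, and `secrets.token_bytes` stands in for whatever key-management system an organization actually uses. It uses a keyed HMAC rather than a plain hash so that someone holding only the dataset cannot confirm guesses of e-mail addresses, and it shows how dropping a subject's entry from the separate table (for example after consent is withdrawn) leaves the working records unlinkable for that subject.

```python
import hashlib
import hmac
import secrets

# Fields that identify a person directly. They are removed from the working
# dataset and kept only in the separately stored re-identification table.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample records, not data from the article. The first and third
# rows belong to the same person to show that tokens stay linkable.
SAMPLE_RECORDS = [
    {"name": "Ana Lopez", "email": "ana@example.org", "phone": "+34600000001",
     "country": "ES", "plan": "pro"},
    {"name": "Bo Chen", "email": "bo@example.org", "phone": "+49150000002",
     "country": "DE", "plan": "free"},
    {"name": "Ana Lopez", "email": "ANA@example.org", "phone": "+34600000001",
     "country": "ES", "plan": "pro"},
]


def make_token(key: bytes, subject_key: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over a normalised stable identifier.

    A keyed MAC is used instead of a bare hash: e-mail addresses are
    guessable, so an unkeyed hash could be reversed by hashing candidates.
    """
    mac = hmac.new(key, subject_key.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize(records, key: bytes):
    """Split records into a working dataset and a re-identification table.

    The working dataset holds the token plus non-identifying attributes.
    The table maps token -> direct identifiers and, together with the key,
    is the 'additional information' that must be stored separately.
    """
    working, reid_table = [], {}
    for rec in records:
        token = make_token(key, rec["email"])
        working.append({"subject": token,
                        **{k: v for k, v in rec.items()
                           if k not in DIRECT_IDENTIFIERS}})
        reid_table.setdefault(
            token, {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec})
    return working, reid_table


def reidentify(token: str, reid_table: dict):
    """Resolve a token back to a person; only possible with the table."""
    return reid_table.get(token)


def leaks_direct_identifier(working_records) -> bool:
    """Check used before the working dataset leaves the controlled store."""
    return any(k in DIRECT_IDENTIFIERS for rec in working_records for k in rec)


def unlink_subject(token: str, reid_table: dict) -> bool:
    """Remove the link for one subject, e.g. after consent is withdrawn.

    The working rows remain usable for aggregate processing but can no
    longer be attributed to the person without the deleted entry.
    """
    return reid_table.pop(token, None) is not None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: fetched from a separate KMS
    working, table = pseudonymize(SAMPLE_RECORDS, key)
    print("working dataset:", working)
    print("leaks identifiers:", leaks_direct_identifier(working))
    ana = working[0]["subject"]
    print("resolved:", reidentify(ana, table))
    unlink_subject(ana, table)
    print("after unlink:", reidentify(ana, table))
```

In practice the key and the re-identification table would live in a different system from the analytics dataset, with separate access control and audit logging, so that a compromise of the working data alone does not expose the data subjects.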
A Data Protection Officer role should be established in the organization. This role should have authority and independence and should be the internal gatekeeper for data privacy.
Organizations in the areas of national defense, financial fraud prevention, revenue/tax and law enforcement are exempted from GDPR implementation.
You can read more at the following locations:
- https://www.coredna.com/blogs/general-data-protection-regulation
- https://www.hipaaguide.net/gdpr-for-dummies/
There is also a book with the same name: https://www.metacompliance.com/media/2002/dummiesguide.pdf