GDPR

General Data Protection Regulation


The European Union (EU) General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the EU. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR replaces the Data Protection Directive and was designed to harmonize data privacy laws across Europe and to protect and empower all EU citizens' data privacy.

Source: WSJ.com (2018, May 16). GDPR: What is it and how might it affect you?

Scope

This Regulation applies to the processing of personal data:

  1. in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not
  2. of data subjects who are in the European Union by a controller or processor not established in the Union, where the processing activities are related to:
    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or
    • the monitoring of their behaviour as far as their behaviour takes place within the Union
  3. by a controller not established in the European Union, but in a place where Member State law applies by virtue of public international law

Member Countries of the EU

Current list of the 28 EU member countries

Comply with the GDPR

As of May 25th 2018, the protection of natural persons in relation to the processing of personal data is a fundamental right for all member countries in the EU.

If you process personal data about EU residents:

Note: Personal data refers to any information relating to an identified or identifiable natural person ('data subject') that originated in the EU or links to EU residents, including IP addresses, cookies and images. See the FAQ section for more examples.

Complete the GDPR Questionnaire so the Iowa State GDPR Working Group can assist in protecting, encrypting, and anonymizing personal data.

GDPR Questionnaire

Once submitted, the Iowa State GDPR working group will contact you with the next steps.

Additional Tools

More tools to help you get ready for GDPR.

Training

  • Lynda.com GDPR Training
    Log in to Lynda.com and search "GDPR" to browse training tutorials to help you learn more about the GDPR.

FAQs

What constitutes personal data?

Any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person.

Examples of Personal Data:

  • Personal details such as name, title, address, telephone number, e-mail address, marital status, nationality, date of birth, sex and gender identity, ID Photograph, household income, parental status, and details of dependants
  • Emergency contact information
  • National Insurance number (where you have voluntarily provided it)
  • Education and employment information (including the school(s), sixth form college(s) and other colleges or universities you have attended and places where you have worked, the courses you have completed, dates of study and examination results)
  • Other personal background information collected during the admissions process, e.g. whether you have been in care, your socio-economic classification and details of your parents’ occupation and education
  • Examination records (including records relating to assessments of your work, details of examinations taken, and your predicted and actual examination grades)
  • Information captured in your student record including progression, achievement of milestones and progression reports
  • Visa, passport and immigration information
  • Bank details, fees and financial support records (including records relating to the fees paid, student loan company transactions and financial support, scholarships, and sponsorship)
  • Supervision, teaching, and tutorial activities
  • Training needs analysis and skills acquisition records
  • Placement and internship record or study at another institution as an established component of your course of studies, or career development opportunity
  • Information about your engagement with the Language Centre, Careers Support, University sport facilities and the Counselling Service
  • Information about your use of library facilities, including borrowing and fines
  • Information about your use of facilities and collections provided by the University’s museums and Botanic Garden
  • Information about disciplinary actions (including academic misconduct), dispensations from regulations, and about any appeals and complaints raised
  • Attendance at University degree and award ceremonies
  • Information about your use of our information and communications systems, including CCTV and building access information
  • Posts on social networking websites and computer IP address

Examples of 'Special Category' (i.e., sensitive) Personal Data:

  • Information about your race or ethnicity and religious beliefs
  • Information about your health, including any disability and/or medical condition
  • Information about criminal convictions and offences, including proceedings or allegations

What is the EU-US privacy shield and how does it affect the GDPR?

The EU-US Privacy Shield is a framework for exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to allow US companies to receive personal data from EU organizations more easily, while complying with the EU privacy laws meant to protect EU citizens. The previous framework, called the International Safe Harbor Privacy Principles, was declared invalid in October 2015. Discussions about the new framework began immediately, and on February 2nd, 2016 a political agreement was reached. On July 12th, 2016 the Commission adopted its decision on the Shield. The new arrangements include strong data protection obligations on companies receiving personal data from the EU as well as safeguards on US government access to data. An annual joint review is envisioned to monitor the implementation.

We know that the GDPR influences any entity that works with EU citizens, even if the entity did not collect the data. Given the interconnected and vast online environment, the GDPR clearly has immense implications in many sectors and for many businesses. There are significant differences in how the US and the EU perceive privacy. The Article 29 Working Party has issued opinions on a wide variety of issues, from the Internet of Things to cloud computing and more. The GDPR puts a strong emphasis on how data is transferred to third parties, especially to non-EU countries, and the US has never been on the green list due to its more relaxed privacy rules and rights. For example, in the US the right to erasure is much more limited and can only be used in special cases, whereas the GDPR gives each individual this right in a much easier manner. The GDPR will bring a number of changes, not only to those organizations directly involved in processing personal data; it is very possible it will also bring changes to the EU-US Privacy Shield agreement. Discussions are still in progress, so the topic should be closely monitored in the near future.

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, meaning it will be in force in May 2018.

Who does the GDPR affect?

The GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location. Whether you are selling goods, processing someone's data when they create an account on your website, or employing someone, if any of the people you work with is an EU citizen, the GDPR applies to you.

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is higher, for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity that processes personal data on behalf of the controller.

  • Obligations for Data Processors
    • As a data processor, you are able to process data only according to the controller's requirements, specified in the controller/processor contract. As a consequence, data processors need to comply with many of the data controllers' obligations.
    • The processor is obliged to inform the controller about any new sub-contractors (sub-processors), and to reflect the obligations it has towards the controller in its contract with the sub-contractor.
    • The processor is obliged to inform the controller if any of the instructions in the contract breach the GDPR.
    • Processors must keep track of all the categories of the processing activities.
    • Data processors are obliged to inform the controllers in the event of a data breach, in the shortest time after becoming aware of it.
    • Both data processors and controllers are obliged to appoint a Data Protection Officer (DPO) in situations such as when their activities require regular monitoring of data subjects on a large scale, or when they involve large amounts of sensitive data (e.g., criminal offences).
  • Obligations for Data Controllers
    • As a data controller, you can only select data processors that provide proof that they can perform their processing duties in compliance with the GDPR.
    • Data controllers, as well as processors, must implement security measures appropriate to the GDPR, depending on the data.
    • Data controllers are obliged to inform data subjects in the event of a breach in the case the breach is "likely to affect" them (e.g., name, e-mail address), and to inform both data subjects and the Data Protection Authority (DPA) within 72 hours at most if the breached data also contains monetizable data (e.g., bank account number).
    • All in all, per article 24 of the GDPR, data controllers are responsible for ensuring that any processing activities they perform follow the GDPR.

Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?

Consent has always been important for data processing. Under the GDPR, consent becomes harder to get and easier to revoke. The conditions for consent have been strengthened: companies will no longer be able to rely on long, illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of "opt in" will suffice. For non-sensitive data, "unambiguous" consent will suffice.

What about Data Subjects under the age of 16?

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this will not be below the age of 13.

What is the difference between a regulation and a directive?

A regulation is a binding legislative act that must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which was a directive.

Does my business need to appoint a Data Protection Officer (DPO)?

DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn't fall into one of these categories, then you do not need to appoint a DPO.

What are the tasks of the Data Protection Officer?

One of the first tasks of the Data Protection Officer is to inform and advise the organization of its obligations under the Regulation and any other local privacy provisions. The DPO is also responsible for monitoring compliance with the GDPR, including assigning responsibilities, raising awareness and training the staff. Another responsibility of the DPO is to cooperate with the supervisory authority and act as the organization's contact point on any issues related to the processing of personal data. Furthermore, the DPO responds to the individuals whose data is being processed on all issues related to the processing and allows them to exercise their rights under the GDPR.

Will the GDPR set up a one-stop-shop for data privacy regulation?

The discussions surrounding the one-stop-shop principle are among the most highly debated and are still unresolved, as the standing positions vary widely. The Commission text has a fairly simple and concise ruling in favor of the principle; the Parliament also promotes a lead DPA but adds more involvement from other concerned DPAs; the Council's view waters down the ability of the lead DPA even further.

How can encryption help you?

The EU GDPR puts a strong emphasis on data protection, encouraging security 'by design and by default'. That said, exactly how to implement security and data protection is for each organization to decide. The expectation is that companies will follow current best practices. For instance, encryption and pseudonymisation are specifically listed as good methods to ensure adequate levels of protection.

How does the GDPR affect policy surrounding data breaches, and what to do in case of a data breach?

A data breach means the security of personal data has been compromised and it usually leads either to its loss, alteration or unauthorized disclosure. In case of such a breach you will need to notify the relevant supervisory authority if there’s a risk of compromising the rights and freedom of the individuals.

Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. If the data breach presents a risk to the rights and freedom of the individual, you must also notify those directly affected, not just the supervisory authority. Data processors should notify the controllers "without undue delay" after becoming aware of the breach. Data controllers should notify the supervisory authority within 72 hours of becoming aware of the breach. However, you might be saved by the security methods you use: if the stolen data is encrypted, for example, and therefore inaccessible to those who stole it, the obligation to inform the affected individuals no longer applies.

When you do notify a breach, there is certain information you must include. To begin, you need to describe the nature of the breach, such as the number of individuals affected and the number of personal data records affected. You also need to include the contact details of the data protection officer (if your organization has one). Finally, you should include a description of the possible consequences of the data breach and a description of the measures that will be taken. Failure to notify a breach in a timely manner will subject you to the standard fines of the GDPR, that is, up to 10 million Euros or 2% of your global turnover.

Is security mandatory under GDPR?

Security is not mandatory under the GDPR, but it is recommended. That is, you are responsible for your clients' data, so taking precautions to make sure the data cannot be accessed by unauthorized people is advisable. Also, if you choose not to implement any protection measures, you will need to explain the reasoning behind your choice. The phrase "security by design and by default" supports the idea that security should be part of the core of your organization. The expectation is that businesses will implement current best practices, but no specific security methods are prescribed; each company will need to decide what is the best method for its needs. Methods suggested by the GDPR include encryption and pseudonymisation, tokenization, frequent testing to verify the effectiveness of the security methods, measures that allow the restoration of personal data in case of a data breach, and measures that ensure the resilience of systems and services that process data. Failures can result in fines.

Encryption vs Tokenization: Which is better and when to use them?

Encryption has almost become a standard under the GDPR, as it is a widely known security method and its use helps organizations comply with the regulation. Another GDPR-approved method is tokenization. The idea behind it is to simply replace any personal identifiers with random codes. The method brings the need for a master table that maps the codes back to the identifiers.

So, encryption vs. tokenization? Is one better than the other? The question is similar to comparing security algorithms to find which one is better. While some might stand out more often, the best solution has to take the context into consideration, not just the performance of the standalone method. What data are you securing, how often will your employees need to access it in its raw form, how likely do you think a data breach is and, of course, what technical resources do you have?
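The tokenization described above (random codes standing in for identifiers, plus a master table that maps them back) and the pseudonymisation mentioned under "How can encryption help you?" are shown side by side below. This is an added example, not code from the Iowa State GDPR Working Group or from the regulation itself; it uses only the Python standard library, the student records are constructed, and the field names treated as identifiers are an assumption for illustration. Encryption proper is not shown because it needs a third-party library.

```python
"""Tokenization with a master table (vault) next to keyed pseudonymisation.
Added example using only the standard library; records and field names are constructed."""
import hashlib
import hmac
import secrets

# Assumption for this example: these fields are the personal identifiers in a record.
IDENTIFYING_FIELDS = ("name", "email")


class TokenVault:
    """The master table: maps each random code back to the identifier it replaced.

    Tokens are drawn from a CSPRNG and carry no information about the value,
    so a copy of tokenized data reveals nothing unless the vault is also obtained.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        """Return the existing token for a value, or mint a fresh random one."""
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)
            while token in self._token_to_value:  # collision is astronomically unlikely
                token = "tok_" + secrets.token_hex(8)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Resolve a token back to the raw identifier; only a vault holder can do this."""
        return self._token_to_value[token]


def tokenize_record(record, vault, fields=IDENTIFYING_FIELDS):
    """Replace identifying fields with tokens; other fields stay usable as-is."""
    return {k: (vault.tokenize(v) if k in fields else v) for k, v in record.items()}


def detokenize_record(record, vault, fields=IDENTIFYING_FIELDS):
    """Inverse of tokenize_record for staff who legitimately need the raw data."""
    return {k: (vault.detokenize(v) if k in fields else v) for k, v in record.items()}


def pseudonymize(value, key):
    """Keyed, one-way pseudonym (HMAC-SHA256, truncated to 16 hex chars).

    Unlike a token there is no table to reverse it: the same input under the same
    key always gives the same pseudonym (so joins still work), but without the key
    a pseudonym cannot be matched to a guessed identifier.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample records.
    records = [
        {"name": "Alice Example", "email": "alice@example.edu", "course": "CS101"},
        {"name": "Bob Example", "email": "bob@example.edu", "course": "CS101"},
    ]
    tokenized = [tokenize_record(r, vault) for r in records]
    print("what a breached copy of the tokenized table looks like (vault not included):")
    for row in tokenized:
        print(" ", row)
    print("restored with the vault:", detokenize_record(tokenized[0], vault))
    key = secrets.token_bytes(32)  # constructed key; in practice managed separately from the data
    print("pseudonym for alice@example.edu:", pseudonymize("alice@example.edu", key))
```

The two approaches answer the context questions above differently: tokenization keeps the raw data recoverable for staff who need it, at the cost of a vault that becomes the crown jewel to protect, while the keyed pseudonym needs no vault but can never be reversed, only re-derived from the same key.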

Contact

For questions, e-mail the Iowa State GDPR Working Group.