Companies that collect data on citizens in European Union (EU) countries need to comply with strict new rules around protecting customer data. The General Data Protection Regulation (GDPR) sets a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to maintain compliance.
Compliance raises new concerns and expectations for security teams. For example, the GDPR takes a wide view of what constitutes personal data: an individual's IP address or cookie data must be protected to the same standard as their name, address and national identification number.
The difference between a Directive and a Regulation is that a Directive must be transposed into national law by each member state, whereas a Regulation is directly applicable and enforceable in every member state once it takes effect. Regulation (EU) 2016/679 therefore applies in Cyprus without any act of transposition; what the Cypriot Parliament did was adopt Law 125(I)/2018 for the purpose of effective implementation of certain provisions of the European Union act entitled "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)".
Regulation (EU) 2016/679, and in Cyprus Law 125(I)/2018 alongside it, apply to any organization that collects, processes or stores personal data in the context of an establishment in the EU, and also to organizations outside the EU that process personal data of individuals who are in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3). The test is where the data subject is, not their citizenship.
Some of the types of personal data that the GDPR protects are the following:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
The GDPR covers any information relating to an identified or identifiable natural person, that is, anything that on its own or combined with other data can be used to determine your identity. Where consent is relied on to offer an online service directly to a child, the consent of a parent or guardian is required for children under 16; member states may lower this threshold, but not below 13 (Article 8).
Any company that stores or processes personal data of individuals who are in the EU must comply with the GDPR, even if it has no business presence in the EU. In practice a company is in scope if it has:
- A presence (an establishment) in an EU country, and the processing takes place in the context of that establishment.
- No presence in the EU, but it processes personal data of people who are in the EU in connection with offering them goods or services, or monitoring their behaviour.
The figure of 250 employees that is often quoted does not determine whether the GDPR applies; it concerns only the obligation to keep records of processing activities (Article 30). Organizations with fewer than 250 employees are relieved of that record-keeping duty unless their processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions. Since almost every business processes employee or customer data on a regular basis, this relief rarely applies, and the duty effectively reaches almost all companies.
When the GDPR refers to the processing of data, it means any operation performed on personal data: collection, recording, storage, use, disclosure, and erasure or destruction. Controllers and processors are both responsible for ensuring the security of the data at every stage of its lifecycle.
In certain situations, individuals may object to the processing of their data, or ask that its processing be restricted. These are two distinct rights: the right to object (Article 21) and the right to restriction of processing (Article 18). An individual may, for example, consider their information particularly sensitive, or have concerns about how the organization will use it.
The right to object applies in three situations:
- Processing for scientific or historical research, or for statistical purposes, on grounds relating to the individual's particular situation
- Processing for direct marketing, including any profiling done for direct marketing
- Processing based on a public task or on the controller's legitimate interests (Article 6(1)(e) or (f)), including profiling on those grounds
An objection to direct marketing must always be honoured: the data can no longer be used for that purpose. In the other cases the controller must stop unless it can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms, or needs the data for legal claims. Where processing is restricted, the data may still be stored but not otherwise used; in some instances the restriction lasts only for a period (for example while the accuracy of the data is being verified), after which processing may resume.
Not every provision of the GDPR applies with full force to every organization operating in the EU. Articles 85 and 91 provide derogations for processing carried out for journalistic, academic, artistic or literary expression and for churches and religious associations that already applied comprehensive data protection rules. In addition, member states may, by legislative measure, restrict certain rights and obligations in the Regulation (Article 23).
The GDPR sets out to protect personal data, but that protection can conflict with other important public interests. Where an individual poses a threat to the rights and freedoms of others, or where such a public interest is at stake, member state law may restrict the rights the individual would otherwise have over their data, provided the restriction is necessary and proportionate.
Grounds on which such restrictions may be imposed (Article 23) include:
- Defence concerns
- Crime prevention
- Important economic or financial interests of the state or the EU
- Prosecution of a crime
- Taxation matters, including suspected tax evasion
- Public health concerns
- Freedom of information
Conversely, member states may add further safeguards for certain kinds of data, for example stricter conditions on genetic, biometric or health data (Article 9(4)) or on the use of national identification numbers (Article 87). Those extra measures sit on top of the Regulation; all GDPR requirements must still be met.
It is important to note that this information is a very basic guide and should not be treated as a basis for GDPR compliance. The General Data Protection Regulation contains 11 Chapters and 99 Articles governing the protection of personal data and how it may be collected, processed and stored. Businesses and organizations outside the EU should also be aware that each EU member state has its own supplementary data protection legislation (for Cyprus, Law 125(I)/2018) that must be complied with as well.
The requirements for GDPR compliance are long and complex, and businesses subject to the GDPR must ensure not only that their own operations are compliant, but also those of the third-party processors with whom data are shared, under a written contract that meets Article 28. Appointing a Data Protection Officer is not an automatic requirement of the GDPR (it is mandatory only in the circumstances set out in Article 37, such as large-scale monitoring or large-scale processing of special categories of data), but it is recommended that businesses conduct a compliance audit and review their current level of data security with a GDPR consultant.