An Introduction To The General Data Protection Regulation

Rafael Belchior
4 min read · Feb 7, 2018

This article aims to give you a very brief introduction to General Data Protection Regulation (GDPR), approved and adopted by the EU Parliament in April 2016. The subject is not covered in-depth, but it can be a good starting point, especially if you are aiming to apply it to a student’s group.

GDPR is a directly enforceable Regulation, and it will be in force on May 25th of this year.

Image source: https://www.astrofox.co.uk/wp-content/uploads/2017/11/EU-General-Data-Protection-Regulation-2018.png

What is the GDPR for?

The GDPR establishes the rules that apply to the processing of personal data, whether by a person or by an organization. It does not apply to the processing of data about collective entities (legal persons). It applies to activities of a commercial and of a social-cultural nature.

Where is it applicable?

The GDPR applies to all activities which involve citizens of the EU (European Union) or companies which are established in an EU country. In other words, it not only applies to organizations located within the EU, but it may also apply to organizations located outside of the EU. Note that this only applies if the person is in EU territory at the time the data is collected. Once the data is collected, companies will then have to protect it under the GDPR’s rules.

What constitutes personal data?
Any information that directly or indirectly identifies the person. It could be, for instance:

  • Name
  • Email address
  • Phone number
  • Gender and nationality
  • Areas of scientific interest
  • Recruitment information (e.g. CV, certificates, date of birth, performance assessments, reference letters etc.)
  • Connection information (IP address, approximate host location, pages visited, services used)

What if my server is hosted out of the EU?

If the country in which the server is located is considered to have regulations that enforce data protection, no extra guarantee has to be given to the user. Otherwise, special conditions should be applied.

Some principles

Data protection by design

GDPR states that products and services need to be designed with data protection in mind from the outset.

The user controls data

Imagine your company is collecting e-mail addresses to start a newsletter service. It will need to obtain explicit permission for each type of processing done on the personal data (i.e., email promotions and sharing with third-party affiliates will require different authorizations). Also, individuals will be entitled to more extensive information about the data being processed about them, including the period of data storage, information about access, and other rights over the data. When asking for data, keep in mind that the request must be clear and distinguishable from other matters. You should provide an intelligible and accessible means of doing so, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Right to be forgotten

Where certain conditions apply (for example the data is no longer necessary for the purpose for which it was collected), individuals will be able to demand that their data be permanently deleted.

The right of receiving personal data

Data portability is the right of the data subject to receive a subset of his or her data. This data can be stored and used for personal purposes.

72-hour breach notification

When there is a breach involving unauthorized disclosure of stored data, companies will need to analyze whether the exposed or affected EU personal data identifiers can cause “risk to the rights and freedoms” of EU data subjects and, in all cases, notify the breach to the local data protection authority.

When there is “high risk” to the users’ privacy (e.g. exposed account passwords), the users themselves will also have to be notified.

Penalties for non-compliance

Organizations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data.

Data controllers (an entity that determines the purposes of processing personal data) and data processors (such as cloud services) will be jointly liable for any damage caused by a breach of the GDPR.

Our situation

An example: given a student’s courses, we recommend a master’s thesis topic to him or her. According to the regulation, we can also do statistical analysis.

In Grupo de Contacto com Empresas, as a non-profit students’ organization, we deal with students’ data. You can check our WIP privacy policy.

If you wish to write a Privacy Policy and don’t know where to start, this may be a good starting point. If you are looking for a fast, temporary solution, you might want to check this.

A very good guideline for companies (in Portuguese).

Useful articles.

Bottom Line

If you haven’t started implementing measures to make sure your organization complies with the regulation, start now!

Feel free to reach out, I love listening to interesting ideas!


Rafael Belchior

R&D Engineer at Blockdaemon. Opinions and articles are my own and do not necessarily reflect the view of my employer. https://rafaelapb.github.io