General Data Protection Regulation
Requirements
Who is subject to GDPR?
The General Data Protection Regulation (GDPR) applies to:
- Any organization operating within the EU.
- Any organization outside of the EU that offers goods or services to customers or businesses in the EU.
Does GDPR have data residency requirements?
Under the General Data Protection Regulation (GDPR), there are no specific data residency requirements that mandate data must reside within the European Union (EU).
However, the GDPR does impose restrictions on the transfer of personal data outside of the European Economic Area (EEA), which includes all EU countries plus Norway, Iceland, and Liechtenstein. Personal data can only be transferred outside of the EEA if the destination country provides an adequate level of data protection.
What data is covered by GDPR?
The General Data Protection Regulation (GDPR) covers "personal data," which is any information relating to an identified or identifiable natural person (known as a "data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Examples of personal data under the GDPR can include, but are not limited to:
- Name and surname
- Home address
- Email address such as name.surname@company.com
- Identification card number
- Location data (for example, the location data function on a mobile phone)
- Internet Protocol (IP) address
- Cookie ID
- Advertising identifier of your phone
- Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
- It's important to note that even personal data that has been pseudonymized can be considered covered by the GDPR if the pseudonym can be linked to any particular individual.
The GDPR also identifies "special categories of personal data" which have additional protections. These categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation.
What rights does the user (data subject) have under GDPR?
Under the General Data Protection Regulation (GDPR), the data subject, who is the person whose personal data is being collected, held, or processed, has a number of important rights. These include:
- The Right to Be Informed: This covers the right to be informed about the data controller's identity, how and why they are processing your personal data, the categories of data involved, the legal basis for processing the data, and any third parties with whom the data may be shared.
- The Right of Access: This entitles the data subject to know exactly what information is held about them and how it is processed.
- The Right of Rectification: This provides the data subject with the opportunity to have personal data rectified if it is inaccurate or incomplete.
- The Right to Erasure (or the 'right to be forgotten'): In certain circumstances, data subjects can request the deletion or removal of personal data where there's no compelling reason for its continued processing.
- The Right to Restrict Processing: Under certain circumstances, data subjects have the right to 'block' or suppress processing of their personal data.
- The Right to Data Portability: This allows individuals to retain and reuse their personal data for their own purpose.
This means they can move, copy, or transfer personal data easily from one IT environment to another in a safe and secure manner, without hindrance to usability.
- The Right to Object: In certain circumstances, data subjects have the right to object to their personal data being used. This includes, if a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
- Rights Related to Automated Decision Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
How should data be stored according to GDPR?
The General Data Protection Regulation (GDPR) does not explicitly prescribe methods for storing data. Instead, it sets out principles that organizations should follow when processing (which includes storing) personal data. Here are some of these principles that impact how data should be stored:
Lawfulness, Fairness, and Transparency: Personal data should be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose Limitation: Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimization: Personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data should be accurate and, where necessary, kept up to date.
Storage Limitation: Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality (Security): Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
In terms of data storage, security is a critical consideration. While the GDPR does not mandate specific security measures, it requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This might include measures such as:
- Pseudonymization and/or encryption of personal data.
- Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- The ability to restore availability and access to personal data quickly in the event of a physical or technical incident.
- Regular testing and evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing.
Additionally, GDPR introduces the concept of "Data Protection by Design and by Default," which means that service providers need to incorporate data protection measures in the design of new systems and processes.
How does SlashID help with GDPR?
SlashID's data residency and encryption posture help companies comply with:
- The Right to Access
- The Right to Erasure
- The Right to Object
- Integrity and Confidentiality (Security) Principles
- The data residency requirements requirements with countries that don't satisfy the EU mandated privacy guarantees.