General Data Protection Regulation (GDPR)

Summary

This article is an introduction of Europe's General Data Protection Regulation for individuals in the states interested in compliance laws and data rights. Additional links are available for students or staff curious about the University of Oregon's data classifications and standards.

Body

Overview

This article is an introduction of Europe's General Data Protection Regulation for individuals in the states interested in compliance laws and data rights.

What is the General Data Protection Regulation?

In May of 2018, Europe's Information Commissioners Office created the General Data Protection Regulation (GDPR) law as a set of rules about personal data collection and the legal rights of data subjects, data controllers, and data processors.  The purpose of the GDPR is to ensure that personal data is fair, transparent, and secure while offering more rights to European individuals about what data is being collected, stored, and shared. Organizations or data controllers that refuse to comply with the GDPR standards face a fine of 20 million euros or a 4% annual turnover (whichever is greatest). Failing to comply can also lead to disciplinary or criminal action. 

Questions and facts about the GDPR

Roles under the GDPR

The following roles are important to understand and are defined by the GDPR:

  • Data Subject: The individual whose data will be processed
  • Data Controller: A legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.
  • Data Processor: A legal or a natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller
  • Data Protection Officer: The Data Protection Officer (DPO) is a leadership role required by the GDPR  responsible for overseeing GDPR compliance with in an organization.

When Does GDPR Apply?

Article 3 of the GDPR states:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

What data is does GDPR apply to?

Personal and sensitive data are two types of data that the GDPR is committed to protecting. Personal data is any data that can be used to identify a living individual. Common collected personal data includes names, addresses, locations, cookies, and IP addresses. Sensitive data is any data that can be used to identify sexual orientation, political opinions, religious practices, racial or ethnic backgrounds, and any other information which describes the data subjects' mental or physical condition. \

What is necessary for processing data protected by GDPR?

Under GDPR, you must have a legal basis to process a subject's data. Article 6 part 1:

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject;

(c) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(d) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(e) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

What does consent mean under GDPR?

Consent under the GDPR requires freely given written or documented consent from European citizens above the age of 12. Personal data collected and processed must be transparent and explained to the data subject. A privacy policy will be written to include information about collected personal data and its purpose. All data subjects have the right to ask why their data is being collected and what will happen to it. A data subject can request a Subject Access Request (SAR) from the data controllers to find out how their personal data is being used, why it is being used, and where it is being used. 

If consent is used as the legal basis, how does a data subject withdraw it?

Individuals can request that their personal data be deleted if they withdraw consent at any moment or if any data has been processed in an unlawful way. Data subjects have the authority to request their collected data in order to use for individual use. GDPR creates protections against profiling. If the data subject objects, data processing must stop immediately. Data subjects can refuse that their personal data be used for certain reasons, such as for marketing purposes. Any inaccurate information must be erased or amended within the first two months of the data subjects rectification request. This information must be updated to any extended third party utilizing the personal data.

The individual rights of the data subject include:

  • The right to be informed 
  • The right to access
  • The right to be forgotten
  • The right of portability
  • The right of automated decision making and profiling
  • The right to object
  • The right to restrict processing
  • The right to rectification

Compliance as a Data Controller or Data Processor

Data controllers are in charge of collecting data are key decision-makers. They have the overall say and control over the reason and purposes behind data collection and the means and method of any data processing. They are required to verify that legal protections under GDPR are in place. According to Article 24 of the GDPR, data controllers must:

  •     Take into account the purpose, nature, context, and scope of any data processing activities.
  •     Consider the likelihood of any severe risk to the freedoms and rights of any natural persons.
  •     Implement appropriate organizational and technical measures and security measures that demonstrate that the data processing activities have been performed in accordance with GDPR regulation.
  •     Review and update these measures where necessary.

The data processor is the third party member that processes personal data on behalf of a data controller. The data processor obtains and manipulates the data collected. According to Article 29 of the GDPR, a data processor must only process personal data according to the data controller’s instructions unless required to do so by law.

Compliance requires that data controllers and data processors follow data protection and information security policies.

Key principles listed in the GDPR

  • Personal data collection must be fair, lawful, and transparent
  • Collecting personal data requires legal compliance, vital interests, public interests, or legitimate interest
  • Data Minimization requires data controllers to collect data only deemed relevant and necessary to the signed contract
  • Data retention requires unnecessary personal data to be erased or destroyed to reduce the impacts of a data breach.
  • Purpose limitation, accuracy, and data security require personal data to be essential, accurate, and strongly protected from being damaged or stolen. 

Some examples of security policies include taking technical and organizational measures. Technical measures, such as requiring two-factor authentication when signing into servers, are strong ways to protect data. Organizational measures, such as required staff training, help eliminate data breaches. Data breaches are when collected data is accidentally or unlawfully lost or altered. Breaches can happen as a form of a cyber-attack or lack of employee awareness and MUST be reported within 72 hours. 

Other tips to protect data include

  • Treat data as your own - respect and protect others personal information 
  • Enter data into secure systems 
  • Do not leave devices unattended in or outside the office
  • Limit the amount of data sources you take out of the office
  • Use a virtual private network (VPN)
  • Never share credentials with family, friends, or co-workers
  • Check your forwarding when sending emails or documents
  • Use strong, individual passwords for each account

How does the University of Oregon comply?

Personally Identifiable Information (PII) is classified as high risk, red data at the University of Oregon. PII is any information that can be used to identify a singular individual. The university's regulatory compliance is similar to the guidelines established in Europe's General Data Protection Regulation (GDPR).

Our Data Processing Officer (DPO) is our Chief Information Security Officer (CISO).

Additional Information

 

Details

Details

Article ID: 127175
Created
Wed 2/3/21 1:58 PM
Modified
Thu 4/4/24 6:11 PM