Data Protection under the GDPR
For the past few months, I’ve been helping to organize small CxO Roundtables in New York and San Francisco sponsored by Intel, IBM, HyTrust & ReedSmith, with the goal of understanding and creating thought leadership around the General Data Protection Regulation (GDPR). To help a larger audience understand the GDPR, I am going to write a short series of posts in layman’s terms on various aspects of the GDPR and how it affects privacy, law and security: “the GDPR Series”.
In summary, the GDPR will replace the Data Protection Directive of 1995 and provide uniform protections to individuals in the EU. Although the regulation takes effect in May 2018, there is still a lack of understanding about numerous issues surrounding it. The most salient is that many U.S. companies either do not know about the regulation or believe they will not be affected by it. Unfortunately, this is a misguided belief: the GDPR applies to any organization that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the organization is based.
Data protection law is nothing new for Europe: the UK has had a Data Protection Act (DPA) since 1984, and the 1995 Directive has been in force across the EU since 1998 (implemented in the UK by the Data Protection Act 1998). With the GDPR, however, personal data is classified further and the rules for each class become more specific. The general lack of awareness is more concerning for the GDPR than for most other security-related regulations, because the GDPR is not just about security and the prevention of breaches; it is just as much about how personally identifiable data is handled. This first post provides a basic understanding of the difference between “Personal Data” and “Sensitive Personal Data.”
Execution vs. Persecution
The GDPR regulates the collection and use of Personal Data, which is not a huge departure from the DPA. As under the DPA, Personal Data is essentially any information relating to a person who can be identified, directly or indirectly. The GDPR modernizes the definition to explicitly include online identifiers such as cookies and IP addresses, as well as location data. You can look at Personal Data as something a company (e.g. an online marketer) can use to execute on and generate revenue.
Sensitive Personal Data (the GDPR calls these “special categories of personal data”) includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify someone, health details, and information about someone’s sex life or sexual orientation. These are the attributes people have historically been persecuted for. You treat this data with more care, because it is a higher grade. The GDPR covers both kinds of data, but it applies stricter rules to Sensitive Personal Data.
Why Does This Matter?
The distinction matters because the GDPR treats Personal Data differently from Sensitive Personal Data. The existing DPA is a clear guide to how these two types of data are controlled and processed. The GDPR, however, adds a few layers of complexity and narrows the grounds on which Sensitive Personal Data may lawfully be processed. It is therefore a good time for organizations to inventory the data they hold and ensure that no Sensitive Personal Data is processed unless explicit consent has been obtained or another of the regulation’s specific exemptions applies.
Stay tuned for more random thoughts on the GDPR.