A Guide to the General Data Protection Regulation

Privacy and data protection have come back into the spotlight in the past year in an increasingly complex technological context. There have been talks in the EU about the need for a “GDPR 2.0” as the cloud and AI bring their own set of privacy challenges from shared responsibility models to the processing of biometric data and the use of facial recognition.

So what is the GDPR or the General Data Protection Regulation, what does it cover, and can it provide answers to today’s challenges 12 years after it was first drafted? Let’s look at the purpose and requirements of this legislation and how you can ensure compliance through your data protection strategy.


What Is GDPR?

The General Data Protection Regulation (GDPR) is a data protection law that regulates how organizations collect, store, process, and share the personal data of EU citizens. The GDPR came into effect on May 25, 2018. It is based on Article 8 of the EU Charter of Fundamental Rights about the protection of personal data and relies on “freely given consent” as a legal basis for handling personal data.

This regulation aims to harmonize data privacy regulations throughout the European Union and safeguard the privacy rights of EU citizens regardless of the geographical location of the organization handling personal data.

The Main Principles of GDPR

The General Data Protection Regulation is built around 7 key principles that govern the lawful handling of personal data. These principles are not just guidelines but are legally binding and central to compliance with GDPR. They require organizations to consider privacy at every stage of data processing, from the initial collection of data to its final deletion or destruction.

  1. Lawfulness, fairness, and transparency. The processing of personal data must have a legal basis, must not be misleading or detrimental to the individuals concerned, and must be clear and open with individuals about how their data is being used and processed.
  2. Purpose limitation. Data must be collected for specific, clear, explicit, and lawful reasons and its use cannot be inconsistent with the original purpose.
  3. Data minimization. The data collected and processed must be restricted to what is essential for the intended purpose.
  4. Accuracy. Personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be corrected or deleted without delay.
  5. Storage limitation. Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary to fulfill the intended purpose.
  6. Integrity and confidentiality (security). Personal data processing should incorporate suitable security measures to safeguard against unauthorized or unlawful processing and damage.
  7. Accountability. Organizations must be able to apply the necessary policies and procedures to comply with GDPR and demonstrate that they have effectively done so when asked to do so.

GDPR Definitions and Terminology

Below is a short glossary with the key terms and GDPR definitions:

Personal data refers to any information relating to an identified or identifiable individual (the data subject), that is, someone who can be identified directly or indirectly, for example by a name, an identification number, location data, or other identifiers relating to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Consent is any “freely given, specific, informed and unambiguous” indication by the data subject that they agree to their personal data being processed for the stated purpose.

Data controller is an individual or organization that determines the purposes and means of the processing of personal data and is responsible for compliance with the GDPR principles. This is the party to be contacted by data subjects wishing to exercise their rights. The actual data processing, however, can be delegated to a different individual or organization, that is, the data processor.

Data processor is an individual or organization that processes personal data on behalf of the data controller. This party is subject to the instructions of the data controller.

Data subject is an individual who consents to their personal data being processed by a data controller or data processor.

Processing is any operation performed on personal data, such as collection, recording, structuring, storage, alteration, disclosure, dissemination, erasure, and destruction, among other options covered by the GDPR.

Right of access is the right of a data subject to obtain information from the data controller about their personal data, how it is processed, the purpose of processing, etc., free of charge within 1 month from the receipt of such a request.

GDPR Compliance Requirements and Challenges

The GDPR has laid the foundation for robust data protection standards. However, the dynamic nature of technology introduces complexities and increasingly tests the basic principles underpinning the EU’s privacy regulation.

Who must comply with GDPR?

Within the EU. Any organization that processes the personal data of individuals in the EU is subject to GDPR. This includes public and private companies, governments, charities, and other non-profit organizations.

Outside the EU. GDPR extends beyond the EU’s borders to any organization that offers goods or services to EU citizens or monitors their behavior within the EU. This means a company based anywhere in the world has to comply with GDPR if it processes the data of EU residents.

Global internet and tech companies, including social media platforms, that have users in the EU are required to comply with GDPR.

Technology vendors and shared responsibility

With the proliferation of SaaS, IaaS, PaaS, and other platforms delivering IT resources and services over the internet, the role of technology vendors and subcontractors handling personal data comes into play in GDPR compliance. If an organization uses third-party services/platforms to process or store personal data, the vendors also need to comply with GDPR.

Note that most of these services rely on a shared responsibility model whereby:

  • Organizations are responsible for their data as the data owners and, depending on the type of service, may also be responsible for the applications and/or operating systems.
  • Vendors are responsible for servers, storage, networks, physical locations, etc.

Under the GDPR, organizations are responsible for obtaining consent and ensuring that the data is used for the intended purpose. They also need to ensure that the vendors they entrust with handling personal data are doing so in compliance with the regulation.

Some of the challenges posed by cloud computing for private data relate to:

  • potential leakages of sensitive information
  • controlling data flows between jurisdictions
  • ensuring that third-party vendors apply the same privacy commitments made to data subjects
  • implementing retention policies effectively
  • handling breaches of private data
  • risk management in general

GDPR and AI

The EU’s Artificial Intelligence Act, the world’s first law regulating AI, is set to come into effect in 2025 to address some of the new challenges for the privacy rights of EU citizens. However, it is important to understand now the challenges that organizations relying on AI to process personal data already face:

  • Data minimization and purpose limitation. AI makes it harder for data controllers to limit data collection to what is strictly necessary for a specific purpose, since models tend to consume as much data as is available.
  • Cross-border data transfers. AI and data-driven technologies often operate across borders. This may require stricter controls to ensure GDPR compliance.
  • Automated decision-making and profiling. AI introduces the risk of decisions made without human intervention based on the processing of personal data, including profiling. This use of personal data is tightly restricted under the GDPR.

Key GDPR compliance requirements

For organizations that need to comply with GDPR, here are the general requirements to consider:

  • Data protection measures. Organizations must implement robust data protection solutions and measures, including data encryption, secure data storage, and regular security audits. This also involves considering GDPR implications when adopting new technologies like AI, cloud computing, and big data analytics.
  • Consent management. Organizations must have a clear policy in place to obtain clear, informed, and freely given consent before processing personal data. This also involves having clear mechanisms in place for the lifecycle management of personal data.
  • Data processing records. Keeping detailed records of data processing activities is mandatory, demonstrating what data is collected, for what purpose, and how it’s processed and protected.
  • Data protection officer. Some types of organizations may need to appoint a data protection officer to oversee GDPR compliance, especially if they work with sensitive data processed on a large scale.

How to Meet GDPR Requirements

Meeting GDPR requirements is not a one-time effort but a continuous process of assessment and monitoring. Organizations must implement a comprehensive set of measures that encompasses personal data handling, data protection and recovery, and security:

  • Understand and map data. Conduct a thorough audit to understand what personal data is collected, why it’s collected, how it is processed, where the data is stored, and how it’s shared. Create a data flow map to track the journey of personal data through the organization. This helps identify areas of risk.
  • Ensure a lawful basis for processing. Determine the legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests. If relying on consent, ensure it is “freely given, specific, informed, and unambiguous”. Consent mechanisms should be easy to understand and include the option to withdraw consent easily.
  • Implement data protection policies. Develop or update internal data protection policies and procedures to ensure GDPR compliance. Integrate data protection by default and by design into all business processes, systems, and services that involve personal data.
  • Minimize data processing. Ensure that only the data necessary for each specific purpose is processed and access to personal data is restricted to those who need it.
  • Manage data retention. GDPR requires organizations to critically assess and manage how long they retain personal data, ensuring that data is not kept longer than necessary. This calls for a proactive approach to data management, with clear policies, regular reviews, and effective processes for data deletion or anonymization, while balancing GDPR compliance with other legal retention requirements.
  • Facilitate data subject rights. Establish procedures to accommodate the rights of data subjects, including requests for data access, rectification, erasure, data portability, and objection to processing.
  • Plan data breach response and reporting measures. Create and implement a robust incident response plan with a data breach response plan. Be prepared to notify the relevant supervisory authority within 72 hours of becoming aware of a data breach, and in certain cases, notify the affected individuals.
  • Check vendor management and data processor compliance. Ensure that any third-party vendors or data processors that handle the personal data of your organization are also in compliance with GDPR.
  • Perform continuous assessment. Regularly audit data processing activities and review policies to ensure ongoing compliance with GDPR.
  • Pay attention to international transfers. If transferring data outside the EEA, ensure adequate protection measures are in place, including Standard Contractual Clauses (SCCs), or adherence to an adequacy decision by the European Commission.
  • Keep records and documentation. Maintain comprehensive records of data processing activities, including the purpose of processing, data categories, and data recipients.

GDPR and data protection

In terms of data backup and disaster recovery, organizations must implement secure backup processes to safeguard personal data and ensure GDPR compliance. This includes deploying data protection and disaster recovery solutions that include the following features:

  • Encryption of backup data in the storage repository (at rest) and when transferred (in transit). Choose solutions that allow you to implement strong encryption standards to make backup data unreadable to unauthorized parties even in the event of a security breach.
  • Access controls and authentication. Configure role-based access control (RBAC) to limit access to personal data and multi-factor authentication (MFA) to enhance security before granting access.
  • Data minimization and storage limitation. One of the core principles of the General Data Protection Regulation is the limitation of storage, which directly impacts backup retention policies. Ensure that backup solutions offer enough flexibility to create different schedules and retention policies for different tiers of data.
  • Location of backup data in cloud storage. Know where the backup data is stored and choose regions based on the type of personal data processed.
  • Regular backup data integrity checks. Maintain regular backups to preserve the integrity of personal data, and implement recovery testing to verify that backups can actually be restored.
  • Vendor and third-party management/compliance. Ensure that third-party storage and other platforms integrated with your backup solution offer the right range of features to ensure you control how and where the data is stored.

Data Protection with NAKIVO

NAKIVO Backup & Replication is a data protection solution offering the right mix of backup, disaster recovery, and security features to be implemented by organizations processing personal data. You can protect applications and systems in virtual, physical, cloud, and SaaS environments and maintain compliance with GDPR requirements using features like encryption at rest and in flight, backup scheduling and automation, flexible retention settings, backup verification, etc.
