What is GDPR? - Overview of General Data Protection Regulation's key requirements

What is the General Data Protection Regulation (GDPR) - an overview

The GDPR is a comprehensive regulation that unifies data protection in all EU countries. It will directly apply in all EU member states from 25 May 2018; businesses have less than 6 months to prepare. It’s time to act now. The GDPR has a very broad territorial scope and will apply to any organization that manages the personal data of individuals who are based in the EU, regardless where the organization is registered. Non-compliance leads to severe consequences. Fines may amount to a maximum of EUR 20 million, or 4% of global annual turnover. The GDPR requires organizations to implement reasonable data protection measures to protect the personal data of consumers and employees against data loss or exposure. To achieve that goal, the law regulates all areas related to data management and processing, from obtaining user consent to setting up company-wide data protection practices and handling data breach incidents. This overview helps you to explore why the GDPR highlights encryption as an important technology measure to safeguard data. It also details how encryption, especially end-to-end encryption, helps your business manage data in the cloud in a GDPR compliant way.

“There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone.”

– Elizabeth Denham, the UK Information Commissioner at the ICO

Overview: why the GDPR matters for your business

Which companies does the GDPR affect?

The GDPR has a broad territorial scope. It applies not only to all organizations established in the EU that process personal data, but also to any non-EU established organization that process personal data of individuals who are in the EU in order to: a. offer them goods or services, irrespective of whether a payment is required; b. monitor their behavior within the EU. The GDPR’s aim is to protect personal data at all stages of data processing. The GDPR identifies two different entities that both have obligations: data controllers and data processors.

What are data controllers and data processors?

A data controller is the entity that determines the purposes, conditions and means of the processing of personal data. For example, educational and research private and public institutions, healthcare services, or any business that manages the personal data of their employees and customers. A data processor is an entity which processes personal data on behalf of the controller, such as a cloud provider (for example a Software-as-a-Service like CRM software). It is important, that a company can act both as a controller and processor, depending on the exact type and usage of data.

When is the GDPR coming to effect?

The GDPR entered into force on 24 May 2016 and it will directly apply in all EU Member States from 25 May 2018. Organizations have less than a year to prepare for compliance.

What are the sanctions and liabilities if a company doesn’t comply?

Data controllers and data processors face severe consequences if they do not comply with the European rules. Depending on the infringed provision of the GDPR, fines may amount to a maximum of EUR 20 million, or, 4% of global annual turnover of the controller, whichever is bigger. Moreover, both controller and processors are subject to joint liability for damages.

GDPR Compliance free eBook

GDPR Cloud Security Guide: 5 Key Things to Consider when Choosing Cloud Storage for your Business

Interested in learning more about getting your cloud-based file storage & sync ready for the GDPR? This free eBook from the cloud encryption company, Tresorit, helps you explore what the General Data Protection Regulation (GDPR) is, what are its requirements for processing personal data in the cloud and what key aspects businesses should to look into when choosing cloud storage services.

In this free GDPR Compliance Guide, you'll learn:

  • What is the GDPR (General Data Protection Regulation) and what are its requirements for managing personal data in the cloud?
  • What are the main challenges of using cloud-based services?
  • What are the 5 key technology and legal requirements cloud storage services should meet to help you ensure GPDR compliance?
  • How do major cloud storage services Box, Dropbox, OneDrive, and Tresorit compare in terms of GDPR compliance?
Get the free GDPR eBook

What is considered as personal data under the GDPR?

What is personal data?

Personal data is any information relating to an identified or identifiable natural person (‘data subject’); such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Organizations should take measures to minimize the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

What is sensitive data?

Sensitive data is a special sub-category of personal data which enjoys extra consideration and protection in GDPR as they may give rise to strong stigmatization or discrimination in a society. Sensitive data are personal data that reveal any racial or ethnic origin, financial status, political opinion, philosophical belief, religion, trade-union membership, sexual orientation, or concerns health and sex life, genetic data, or biometric data.

Are data controllers responsible for the personal data managed by data processors?

Yes, data controllers are responsible to protect personal data whenever they use third-party services (data processors) to manage data in the cloud, and therefore should use services that provide the highest protection. With the GDPR, all data processing must have a lawful basis, such as explicit consent from the persons (“data subject”). Data controllers must further process data with third-party processors by protecting data in a compatible way with the original legal basis and applying safeguards like encryption.

“The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data”

– GDPR Article 32. Security of Processing

Requirements of the GDPR regarding the protection of personal data

The GDPR requires companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against data loss or exposure. Article 5. of the GDPR summarises the most important principles and requirements regarding the management of personal data:

  • Lawfulness, fairness and transparency: personal data should be processed lawfully, fairly and in a transparent manner
  • Limited purpose: personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Data minimisation: personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected
  • Accuracy: personal data stored and managed should be accurate and, where necessary, kept up to date
  • Storage limitation: personal data should be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Confidentiality and integrity: personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

What can your business do for GDPR compliance?

Cloud security for businesses

5 key steps for SMBs to GDPR compliance

Learn how to locate, identify, and protect personal data in your company before the GDPR deadline. Watch now

It is advisable that businesses already start preparing for the implementation of the new EU General Data Protection Regulation now, in order to avoid unpleasant surprises in May 2018:

  • Getting your processes ready for GDPR will result in (substantial) costs of implementation. Make sure you plan for these in your future budget.
  • The new data protection comes with a comprehensive accountability and documentation obligation. Consider now how and through which means you will be able to adhere to it in the future.
  • A detailed definition by national lawmakers may still be pending – but it is already apparent that the GDPR stipulates for most businesses to provide a data protection officer. Now is the best time to assess your company’s internal situation and get external help if required.
  • Devise a plan. Transforming bigger businesses for the General Data Protection Regulation will be a challenge. Start with it early enough – some work steps can be carried out now.
  • Plan your resources, both regarding personnel and budget. There will be a lot of changes, and a lot of adjustments resulting from these.
  • Carry out a risk assessment. Which risks and threats do your business face?
  • Assess if your current data management processes meet the requirements.
  • Check now which of your company’s systems and software – from your accounting system to your data storage solution – may be affected by the new legislation.

Getting ready for the GDPR with end-to-end encryption

How does encryption help with protecting data and compliance?

Encryption is underlined as an example of “appropriate technical and organisational measures” and an appropriate safeguard to protect data. The GDPR states that if the controller has implemented encryption to its personal data, in case of personal data breach, affected personal data are likely be unintelligible to any person who is not authorised to access it. Hence, such data breach is unlikely to result in a risk to the rights and freedoms of affected natural persons. The result is that the controller may not be required to communicate the data breach to affected data subjects, pursuant to Article 34 GDPR. All in all, encryption reduces the risks of processing data in the cloud, as it reasonably makes re-identification of leaked personal data impossible with reasonable measures. The more the encryption algorithm is strong, the more it may reduce the liability of data controllers.

“The GDPR makes personal data protection a top priority for any organisation. Using robust end-to-end encryption to safeguard personal data is both a responsible choice and a key step towards compliance.”

– Paolo Balboni, Ph.D., Founding Partner of ICT Legal Consulting and President of the European Privacy Association

Does the GDPR differentiate between different methods of encryption?

The GDPR refers to encryption in several provisions; however, it does not specifically indicate which algorithm (e.g., AES 256bit) and its application (e.g., at-rest, in-transit, or end-to-end). While it does not explicitly talks about encryption methods, the way encryption keys are stored is an important to decide whether re-identification of encrypted data is possible with reasonable efforts. With in-transit & at-rest encryption, the cloud provider has access to the encryption keys, while with end-to-end encryption, the keys are stored at the user only. Because of this, in case of a data breach, re-identification of end-to-end encrypted data with reasonable efforts is infeasible. This way, end-to-end encryption with client-side key management represents a stronger protection for the personal data.

What are the advantages of using end-to-end encrypted cloud services?

Securing the cloud

Securing the cloud

Learn the main data protection principles and impacts of the GDPR from legal and technology experts. Register now

If a data controller uses an end-to-end encrypted service as processor, the related personal data ‘stays within their company walls’. Therefore, end-to-end encryption has substantial advantages that helps controllers better protect data, making compliance process easier and cost reducing. The data controller will result in compliance with Article 32 GDPR. Secondly, if a strong encryption mechanism is implemented and the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the data controller will likely be exempted from notifying the data breach to the supervisory authority and communicating it to the affected data subjects pursuant to Articles 33 and 34 GDPR. Moreover, except the duties of assistance to the controller pursuant to Article 28 GDPR, the processor will likely fall out of the audit scope in case the controller is audited, making compliance and audit process simpler for the controller.

  • Protect the personal data of employees, customers, partners, and users. Increase trust for your service and organization by complying with the regulation and using the strongest data protection technology recommended in the text of the law.
  • Keep your personal data within company walls. When using encryption, especially end-to-end encryption for managing data in the cloud, your organization’s personal data stays within company walls. Your encrypted cloud-based processor does not technically process personal data, they only manage the encrypted, unintelligible datasets. Even in case of a data breach, encrypted data is not in danger. This can simplify your compliance processes and save you time for working on other GDPR-related requirements. For example, if you’re audited for compliance, your encrypted cloud service might fall out of your audit’s specific scope.
  • Reduce your liability in case of a data breach. If you apply encryption, especially end-to-end encryption, you are using an appropriate safeguard highlighted by the GDPR. This can reduce your liability when an event it of data exposure.
  • Save costs of data breach notifications and potentially fines. When using encryption, your organization is not obliged to notify your customers or users on data breaches.