EU General Data Protection Regulation (GDPR)

Extract from Oracle white paper:

Introduction to the General Data Protection Regulation (GDPR)

The European Union (EU) introduced its data protection standard 20 years ago through the Data Protection Directive 95/46/EC. Because a Directive allows Member States a certain margin of maneuverability when implementing it into national law, Europe ended up with a patchwork of different privacy laws. In addition, increasing security breaches, rapid technological developments, and globalization over the last 20 years have brought new challenges for the protection of personal data. In an effort to address this situation, the EU developed the General Data Protection Regulation (GDPR).

Key Security Objectives of GDPR

The following are key GDPR security objectives.

Objective: Establish data privacy as a fundamental right
The GDPR considers data privacy as a fundamental right of an individual, which includes a "right to the protection" of their personal data. Anyone based in the EU, or anyone handling or targeting the personal data of an EU-based individual, must have processes, technology, and automation to effectively protect personal data.

Objective: Clarify the responsibilities for EU data protection
The GDPR applies to anyone based in the EU, or anyone handling the personal data of an EU-based individual or targeting him/her by offering goods or services from outside the EU borders.

Objective: Define a baseline for data protection
To avoid fragmentation and ambiguity, the GDPR sets a baseline for data protection by requiring anyone handling the personal data of an EU individual to follow the GDPR guidelines.

Objective: Elaborate on the data protection principles
The GDPR considers encryption as only one of the components of a broad security strategy, and mandates that organizations consider assessment, preventive, and detective controls based upon the sensitivity of the data they hold.

Objective: Increase enforcement powers
The EU aims to ensure compliance with the GDPR by enforcing huge fines of up to 4% of global annual revenue upon non-compliance.

Core Actors of the GDPR

The GDPR defines various actors to explain the data protection concepts and their associated roles:

Actor: Data Subject
Description: A person who can be identified directly or indirectly by means of an identifier. For example, an identifier can be a national identifier, credit card number, username, or web cookie.

Actor: Personal Data
Description: Any information, including sensitive information, relating to a Data Subject. For example, address, date of birth, name, and nationality.

Actor: Controller
Description: A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For example, a controller can be an organization or a CIO.

Actor: Data Protection Officer
Description: An individual within the Controller with extensive knowledge of data privacy laws and standards. The Data Protection Officer (DPO) shall advise the controller or the processor of their obligations according to the GDPR and monitor its implementation. The DPO acts as a liaison between the controller and the supervisory authority. For example, a DPO can be a Chief Security Officer (CSO) or a Security Administrator.

Actor: Processor
Description: A natural or legal person, agency or any other body which processes Personal Data on behalf of the Controller. For example, a developer, a tester, or an analyst. A Processor can also be an automated entity such as a server or a website, or a cloud service provider.

Actor: Recipient
Description: A natural or legal person, agency or any other body to whom the personal data is disclosed. For example, a tax consultant, insurance agent, or agency. Unlike a Processor, a Recipient cannot process the information but can only see or read it.

Actor: Enterprise
Description: Any natural or legal person engaged in an economic activity. This essentially includes all organizations, whether in the public or private sector, and whether inside or outside the EU.

Actor: Third party
Description: Any natural or legal person, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data. For example, partners.

Actor: Supervisory Authority
Description: An independent public authority established by a Member State, such as a court or auditing agency.