
GDPR in practice

GDPR in a nutshell

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy. It applies to all organizations offering products or services, paid or unpaid, to citizens of the EU and the European Economic Area (EEA). It builds on the EU’s previous privacy standard of 1995, the Data Protection Directive.

GDPR divides data companies conceptually into two types. Data controllers are entities that determine the purposes, conditions, and means of the processing of personal data. Data processors are entities that process personal data on behalf of the controller. Depending on the business model and on direct or indirect customer contact, companies can belong to either of these two groups or to both.

GDPR expands and clarifies the existing requirements. The 4 main points are:

  • Territorial Scope: privacy laws apply to all organizations with access to personal information of EU residents. This includes ALL goods and services directed to EU citizens, regardless of whether payment is required.

  • Penalties: The maximum fine for an organization can be 4% of annual global turnover or 20M EUR (whichever is greater). The approach to fines is tiered. A company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment.

  • Consent: Consent notifications must be clear and succinct. Consent must be distinguishable from other matters. It must be easy to withdraw. Opt-out is no longer allowed.

  • Rights of Individuals:

    ▪ Breach notification within 72 hours of discovery

    ▪ Right to access private data

    ▪ Right to be forgotten

    ▪ Privacy by Design. A data controller shall…implement appropriate and effective technical organizational measures to protect the rights of data subjects. Also, only the data that is absolutely necessary for the completion of an organization’s business can be requested from the user.

    ▪ The right to port the data to another entity

  • Organizations dealing with private data must appoint a Data Protection Officer

further reading: https://eugdpr.org/the-regulation/

We support the data protection efforts. GDPR is a step in the right direction towards users being in control of their own data. It is difficult to enforce national law online, so we particularly welcome the European approach. A number of sanctions against corporations operating in Europe show that GDPR can be used as an effective tool for data protection.

We also believe that GDPR can only be the beginning and that it needs to be accompanied by the ethical and algorithmic education of data scientists. The necessity of storing personal data must be questioned with regard to all frequent analyses performed in your company. Often data can be stored in aggregated form without losing its value to analytics, thereby reducing the privacy risk for the individual and at the same time creating opportunities to look at long-term trends.
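To make the aggregation idea concrete, here is an added example (not code from the original page or its authors) of the pattern described above: per-user session rows are collapsed into per-day, per-region totals, the identifiers are dropped, and any cell backed by fewer than a minimum number of distinct users is suppressed so that a single person cannot be singled out from a small group. The record layout, the `min_group_size` threshold and the sample rows are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows (not real data): one row per user session.
# user_id and email are direct identifiers that the trend analysis never needs.
SAMPLE_RECORDS = [
    {"user_id": "u1", "email": "a@example.com", "day": "2024-05-01", "region": "DE", "duration_s": 60},
    {"user_id": "u1", "email": "a@example.com", "day": "2024-05-01", "region": "DE", "duration_s": 120},
    {"user_id": "u2", "email": "b@example.com", "day": "2024-05-01", "region": "DE", "duration_s": 120},
    {"user_id": "u3", "email": "c@example.com", "day": "2024-05-01", "region": "DE", "duration_s": 180},
    {"user_id": "u4", "email": "d@example.com", "day": "2024-05-01", "region": "DE", "duration_s": 240},
    {"user_id": "u5", "email": "e@example.com", "day": "2024-05-01", "region": "DE", "duration_s": 300},
    {"user_id": "u6", "email": "f@example.com", "day": "2024-05-01", "region": "DE", "duration_s": 360},
    # Only two distinct users in FR on this day: too few to publish as a cell.
    {"user_id": "u7", "email": "g@example.com", "day": "2024-05-01", "region": "FR", "duration_s": 90},
    {"user_id": "u8", "email": "h@example.com", "day": "2024-05-01", "region": "FR", "duration_s": 210},
]

# Fields that may survive aggregation. Everything else (identifiers) is dropped.
GROUP_KEYS = ("day", "region")


def aggregate_sessions(records, min_group_size=5):
    """Collapse per-user rows into per-(day, region) statistics.

    Returns {(day, region): {"sessions": int, "mean_duration_s": float}}.
    Cells with fewer than min_group_size distinct users are suppressed,
    so the output never carries a statistic that describes one or two people.
    """
    groups = defaultdict(lambda: {"sessions": 0, "duration_total": 0, "users": set()})
    for row in records:
        key = tuple(row[k] for k in GROUP_KEYS)
        cell = groups[key]
        cell["sessions"] += 1
        cell["duration_total"] += row["duration_s"]
        # Distinct users, not rows, decide whether a cell is large enough.
        cell["users"].add(row["user_id"])

    result = {}
    for key, cell in groups.items():
        if len(cell["users"]) < min_group_size:
            continue  # small-cell suppression: drop rather than publish
        result[key] = {
            "sessions": cell["sessions"],
            "mean_duration_s": round(cell["duration_total"] / cell["sessions"], 1),
        }
    return result


def contains_identifiers(aggregated):
    """Sanity check before storing: no identifier field may leak into the output."""
    forbidden = {"user_id", "email"}
    return any(forbidden & set(stats) for stats in aggregated.values())


if __name__ == "__main__":
    summary = aggregate_sessions(SAMPLE_RECORDS)
    for key, stats in sorted(summary.items()):
        print(key, stats)
    print("identifiers leaked:", contains_identifiers(summary))
```

With the default threshold the DE cell (six distinct users, seven sessions) is kept and the FR cell (two users) is suppressed; lowering `min_group_size` makes the trade-off visible, since the FR cell then reappears with a mean that is effectively two people's session lengths. The threshold is a policy choice, not a magic number, and the raw rows should be deleted or retained only for as long as the stated purpose requires.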

Sivan Bershan