What is GDPR?
The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. It replaces the EU’s patchwork of 28 different sets of national privacy laws under the current Data Protection Act (DPA).
The GDPR is a new set of rules designed to give all residents of the European Union more control over their personal data. It brings a uniform code of laws and obligations around the collection and management of personal data, as well as around how privacy and consent are practiced across Europe.
GDPR applies to any organization operating within the EU, as well as any organization outside the EU that offers goods or services to customers or businesses in the EU. GDPR affects any organization that holds, controls, or processes European residents’ personal data and introduces new responsibilities, including the need to demonstrate compliance with data protection laws and regulations.
Major changes under GDPR include the following: firms will often need clear and unambiguous consent from users to process their personal data; data breaches must be reported to authorities within 72 hours; customers have the right to see what data companies hold on them and can request that some of it be deleted; and companies that violate the rules risk fines as high as 4% of their global revenue.
What are GDPR’s data protection principles?
Personal data must be processed according to the six data protection principles:
- Processed lawfully, fairly and transparently.
- Collected only for specific, legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Stored only as long as is necessary.
- Processed in a way that ensures appropriate security, integrity and confidentiality.
What is considered ‘personal data’ under GDPR?
Personal data is at the heart of the GDPR. To determine what counts as personal data, it is important to interpret GDPR’s definition carefully:
Article 4(1) defines “personal data” as follows:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Essentially, personal data is any information that can be used to identify a particular person. The question then becomes how broadly that can be interpreted. Whether information is considered personal data often comes down to the context in which it is collected. Organizations usually collect many different types of information on people, and even if one piece of data does not identify someone on its own, it can become identifying when combined with other data.
How does GDPR change the privacy rights of individuals?
GDPR creates and extends individuals’ rights in a number of important areas:
- The right of access to personal data through subject access requests.
- The right to correct inaccurate personal data.
- The right in certain cases to have personal data erased.
- The right to object.
- The right to move personal data from one service provider to another (data portability).
Redmorph is pleased to see the actions taken by the EU to ensure greater protection of consumers’ personal information. Redmorph was founded on this very principle and supports the spirit and law of GDPR.
Our view is that GDPR and other privacy regulations protecting personal data are beneficial, but that they may unintentionally persuade users to place trust in a regulatory framework that is enforced ex post facto. We believe a far superior approach to online privacy (and cybersecurity!) is to deploy technology that proactively allows users to detect and control how devices, apps or websites are allowing third parties to collect data and where the data is being sent.
Redmorph has the best endpoint solution for privacy and security across your mobile, desktop or IoT devices. Our products not only provide intelligent protection but also provide unmatched visibility into tracker activity, phishing attempts, excessive permission sets, and risky apps.
While we applaud GDPR, we encourage people and organizations to take a proactive and comprehensive approach to online privacy and cybersecurity. That’s what we are all about.