Of late, one of the biggest fears amongst the American and European public has been data privacy. The issue exploded onto the scene with a series of high-profile breaches, such as those at the Marriott Group, the British Airways website and Target, in which millions of records containing Personally Identifiable Information (PII) were stolen. With the COVID-19 pandemic, that fear has risen to levels never seen before, triggered in part by the use of contact-tracing mobile apps.
Against this backdrop, some stringent privacy legislation has been passed, most notably the GDPR. This is the focal point of this article.
Important Background Information Into The GDPR
GDPR is an acronym that stands for the “General Data Protection Regulation.” It was adopted by the EU in April 2016 and became enforceable on May 25th, 2018. Prior to this, personal data in the EU was governed by the “Data Protection Directive” (Directive 95/46/EC).
That directive was passed in 1995, just as commercial use of the Internet was taking off. At the time, the European Union (EU) saw the need to provide some minimal safeguards so that the personal data of individuals in the EU could be protected.
Of course, back then, nobody dreamt that cybersecurity would look the way it does today. Because of that, the GDPR can in many ways be viewed as a successor to the Data Protection Directive, with two primary differences. First, much stricter guidelines and enforcement standards (including fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher) have now been implemented in an effort to protect the data privacy rights of individuals in the EU to the maximum extent possible. Second, because it is a regulation rather than a directive, it applies directly in every member state without first having to be written into national law.
The Scope Of The GDPR
It is important to note that the GDPR does far more than just protect PII datasets. Its reach is broad, and it defines the following key terms:
- Personal Data:
This covers any information relating to an identified or identifiable person: names, email addresses, geographic location, gender, ethnicity, health data, religious and political affiliations, and online identifiers such as the cookies stored by any web browser or wireless device.
- The Processing of Data:
This includes any operation performed on the data just described, whether carried out manually or by automated means. It is an all-encompassing term, but the following are examples:
- The collection of data;
- The recording of data;
- The organization of data in specific ways and formats;
- The structuring of data by any methodology;
- The storage of data, and its retrieval or disclosure to others;
- The use of PII in any format, way, or method;
- The deletion or destruction of data by any means.
- The Subject of the Data:
A data subject is any identified or identifiable natural person whose data is processed. In practice, this means anyone located in the EU whose data a business collects, whether or not that business has an office in the EU, as well as anyone whose data is processed by an organisation established in the EU. The GDPR does not require the individual to be an EU citizen.
- The Controller of the Data:
This is the person or organisation that decides why and how the personal data is processed. The controller bears primary responsibility for compliance, even if it delegates the actual processing to someone else.
- The Processor of the Data:
This is the person or organisation that carries out the processing on the controller's behalf. If a business decides to outsource the storage or handling of PII to an external third party, that party is also bound directly by the statutes of the GDPR, and the outsourcing must be governed by a written contract.
Our next article will continue with the theme of the GDPR, and its other major components.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He is also studying for his Certificate In Cybersecurity through the ISC2.