Have you heard the term “GDPR” a lot in recent months? You probably have. GDPR is the new data privacy regulation for the European Union. It takes effect on May 25, 2018, and it aims to give EU data subjects more control over their personal data and to simplify the regulatory environment for companies doing business in the EU.
GDPR is being taken very seriously by companies both inside and outside of the EU, not least because it calls for potential fines “as high as 4 percent of a company’s global revenue for violations.”1 (The regulation’s own wording, in Article 83, is up to €20 million or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.) So, organizations around the world have been preparing by modifying their data practices, upgrading their systems and even revising the terms and conditions of user agreements to meet GDPR requirements for “clear and plain language.”
For any of us who have an interest in personal data—which is to say, all of us—GDPR is worth getting to know, at least a little.
The regulation itself runs to many thousands of words. (The introductory “Whereas” section alone is 173 paragraphs!) But fortunately, IBM offers extensive transformation support on GDPR. And to give you a head start here in the Business Analytics blog, we’d like to offer you a quick introduction to seven key terms.
Let’s begin with its proper name. The initials “GDPR” stand for “General Data Protection Regulation.” The regulation applies from May 25, 2018 and replaces the Data Protection Directive (95/46/EC), which had been on the books since 1995. The change from a directive to a regulation matters: a directive had to be transposed by each member state into its own national law, whereas a regulation applies directly and uniformly across the EU. The text of the GDPR says that the regulation “protects fundamental rights and freedoms” and “lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.”2
- Personal data
Personal data is any information relating to a person, “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data [or] factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”3
- Data subject
A “data subject” is any identified or identifiable living natural person whose personal data is processed. GDPR’s protections extend to data subjects who are in the EU regardless of their citizenship or residence, and they also reach organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. GDPR protects “natural persons,” which means human beings, and not corporations or other entities that might have legal status as a “person.”4
- Data controller
This is a party that determines the purposes and means of the processing of personal data. For example, if Company A collects personal data about its customers in order to offer them more products or services, Company A would be a data controller.
- Data processor
This is a party or entity that processes personal data on behalf of, and on the documented instructions of, the data controller. For example, if Company A above hires Company B to store its customer information in the cloud, then Company B would be a data processor. The role follows the activity, not the company: if Company B began using that customer data for its own purposes, it would be acting as a controller for that processing, with a controller’s obligations.
- Data Subject Access Request (DSAR)
Any individual whose data is being held by an organization can make a Data Subject Access Request (DSAR), a request for the information the organization holds that relates to the data subject, together with the purposes of the processing, the recipients of the data and the retention period. GDPR does not require the request to be made in writing. The organization must respond without undue delay and at the latest within one month, which can be extended by a further two months for complex or numerous requests, and it must first verify the requester’s identity so that it does not hand one person’s data to another.
- Pseudonymisation
This one is a mouthful to pronounce, but its meaning is pretty straightforward. Pseudonymisation (su-do-nim-i-zay’-shun) refers to the “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information…”5 Two caveats matter in practice. First, the same definition requires that the additional information (a key, or a lookup table) be kept separately and protected by technical and organisational measures; if it sits next to the data, nothing has been pseudonymised. Second, pseudonymised data is still personal data under GDPR, because the controller can re-attribute it. Pseudonymisation reduces risk and is explicitly encouraged as a safeguard, but it is not anonymisation and does not take the data outside the regulation.
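The following Python example is added here to make the definition concrete; it is not code from this post or from any IBM product, and the customer records and the attacker’s guess list are constructed for illustration. It contrasts an unkeyed hash of an email address, which an attacker can undo simply by hashing guessed addresses, with an HMAC under a secret key held only by the controller, where the key and a separately stored lookup table are the “additional information” the definition refers to. Key storage and access control around that table are assumed to exist and are outside the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records for illustration only; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 1},
    {"email": "alice@example.com", "purchases": 2},
]

# Constructed guess list an attacker might hold (for example, a leaked mailing list).
GUESSES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier. This is NOT adequate pseudonymisation:
    the only 'additional information' needed to re-attribute it is a guess of
    the input, and identifiers such as emails are eminently guessable."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by the controller. Without the key,
    guessing the identifier does not reproduce the pseudonym."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace the direct identifier in each record with a keyed pseudonym.

    Returns the pseudonymised dataset (what an analytics team or a processor
    receives) and the re-identification table. The table and the key must be
    stored separately from the dataset and access-controlled; together they
    are the 'additional information' of the definition.
    """
    pseudonymised: List[dict] = []
    lookup: Dict[str, str] = {}
    for record in records:
        row = dict(record)
        identifier = row.pop("email")
        pseudonym = keyed_pseudonym(identifier, key)
        row["subject_id"] = pseudonym
        lookup[pseudonym] = identifier
        pseudonymised.append(row)
    return pseudonymised, lookup


def reidentify(pseudonym: str, lookup: Dict[str, str]) -> Optional[str]:
    """Controller-side reversal, e.g. to find a subject's rows when answering a DSAR."""
    return lookup.get(pseudonym)


def dictionary_attack(pseudonyms: List[str], guesses: List[str],
                      pseudonym_fn: Callable[[str], str]) -> Dict[str, str]:
    """Attacker model: compute the pseudonym of every guessed identifier and
    match it against the dataset. Returns pseudonym -> recovered identifier."""
    table = {pseudonym_fn(g): g for g in guesses}
    return {p: table[p] for p in pseudonyms if p in table}


def compare_schemes(records: List[dict] = SAMPLE_RECORDS,
                    guesses: List[str] = GUESSES,
                    key: Optional[bytes] = None) -> dict:
    """Run the same guess list against both schemes and report what leaks."""
    key = key or secrets.token_bytes(32)          # controller's secret, kept apart from the data
    attacker_key = secrets.token_bytes(32)        # attacker does not know the real key

    unkeyed = [unkeyed_pseudonym(r["email"]) for r in records]
    keyed_rows, lookup = pseudonymise(records, key)
    keyed = [r["subject_id"] for r in keyed_rows]

    return {
        # Every guessed address that appears in the data is recovered.
        "unkeyed_recovered": len(dictionary_attack(unkeyed, guesses, unkeyed_pseudonym)),
        # Without the key the attacker recovers nothing.
        "keyed_recovered": len(dictionary_attack(
            keyed, guesses, lambda g: keyed_pseudonym(g, attacker_key))),
        # The same subject still maps to the same pseudonym, so rows stay joinable.
        "keyed_rows_linkable": keyed[0] == keyed[2],
        # The controller, holding the separately stored table, can still reverse it.
        "reidentified": reidentify(keyed[1], lookup),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The design point is that the keyed scheme keeps the analytic value of a stable per-subject identifier (Alice’s two purchases still join) while moving the ability to re-attribute into a key and a table that can be locked down, audited and, for a processor, withheld entirely.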
We hope these seven terms give you a useful introduction to who’s who in the world of GDPR. If it proves to be a workable framework for the protection of personal data in the EU, GDPR may well become the template for similar laws and regulations around the world. One thing’s for sure—every company that deals with personal data will be watching the evolution and the enforcement of this regulation very carefully in the years to come.
If you’d like a deeper dive into the regulation, read the white paper, IBM Pathways for GDPR readiness.
1 Nate Lanxon, “Lost in Translation from Legalese,” Bloomberg Businessweek, April 23, 2018.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings here: https://ibm.com/gdpr.