General Data Protection Regulation 2016/679 (GDPR)
The 25 May 2018 deadline for GDPR compliance passed over and the penalties for non-compliance are significant, but every business, institution and service provider that serves EU citizens can take steps now to prepare for it. Start by recognizing how GDPR strengthens and broadens the definition of individual privacy rights versus previous privacy regimes like the 195 Data Protection Directive. Get comfortable with the new terminology created by GDPR to understand your place in the framework. And start attacking the compliance challenge in ways that are significant to personal data privacy protection and well within your span of control, like moving to improve your data protection and storage infrastructure and services to accommodate its new requirements.
A citizen of the EU who is identifiable by their personal data. This may include a consumer making an on-line purchase, a patient of a health care system, a citizen accessing on-line government services, a user of social media applications: any individual providing personal information to use some service
A business operating within the EU — or outside of the EU but dealing with EU residents — that captures sensitive data about EU residents in the course of its operations. Examples include: a business accepting on-line orders, addressees, and payment card information from consumers; a health care provider that maintains patient records. (See below for help in determining whether your business functions as a processor or a controller.)
A commercial business like a cloud service provider that acts as a contractor to a controller, i.e., another business serving EU citizens that captures sensitive data on individuals. Examples include application hosters, storage providers, and providers of cloud services like backup
“Any information relating to an identified or identifiable natural person”. This is more broadly defined by the EU than other governments, and includes the EU citizen’s name, email address, social media posts, physical, physiological, or genetic information, medical information, location, bank details, IP address, cookies, cultural identity, etc.
any act or series of operations carried out with or without the use of automated means, personal data or sets of personal data, such as collection, registration, organization, structure, storage, adaptation or alteration, retrieval, search for information, use, disclosure by transmission, dissemination or any other form of disposal, correlation or combination , restriction, deletion, or destruction.
Any form of automated processing of personal data consisting in the use of personal data to assess certain personal aspects of a natural person, in particular for the analysis or provision of aspects relating to performance at work, financial situation, health, personal preferences, interests, reliability, behavior, location or movements of that natural person.
The processing of personal data in such a way that the data can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that it cannot be attributed to an identified or identifiable natural person.
Any structured set of personal data which is accessible on the basis of specific criteria, whether that set is concentrated, decentralized or distributed on a functional or geographical basis.
An independent public authority set up by a Member State in accordance with Article 51 (in Greece the Data Protection Authority).
Right to Deletion (Right to Be Forgotten)
The right of every EU citizen “to request the deletion of his/her personal data and their non-further processing”. Individuals may request the deletion of all personal data stored on the Controller’s servers, subject to the terms and conditions set out in Article 17(1) of the Agreement. 1, line a-f of the General Regulation, namely:
(a)personal data are no longer necessary in relation to the
purposes for which they were collected or otherwise submitted under
(b)the data subject withdraws the consent on which it is based on the
processing in accordance with Article 6(1)(a) or Article 9
paragraph 2(a) and there is no other legal basis for the processing,
(c)the data subject is opposed to the processing in accordance with Article
21(1) and there are no compelling and legitimate reasons for the
processing or the data subject is opposed to the processing of
accordance with Article 21(2) thereof,
(d)personal data have been unlawfully processed;
(e)personal data must be deleted in order to be kept
legal obligation under Union law or the law of a Member State;
to which the controller is subject;
(f)personal data have been collected in connection with the supply of
information society services referred to in Article 8(1) of
except for the exceptions provided for in Article 17(1) of The United States of 3 line. Α-F, ήτοι:
(a)the exercise of the right to freedom of expression and the right to freedom of expression
(b)to comply with a legal obligation requiring the processing under article
Union law or the law of a Member State to which the person responsible for
processing or for the performance of a task performed to the public service
interest or in the exercise of official authority conferred on the person responsible for
(c)for reasons of public interest in the field of public health in accordance with
article 9(2)(h) and (i), as well as Article 9(3) thereof,
(d)for archiving purposes in the public interest, for the purposes of scientific
or historical research or for statistical purposes in accordance with Article 89(1) of
paragraph 1, provided that the right referred to in paragraph 1 is
may make it impossible or to a large extent hinder the achievement of the
purposes of such processing, or
(e) to establish, pursue or support legal claims..
There remains some ambiguity in this particular issue. Does a request to be forgotten also require the removal of data from backups (problematic in serial backup media such as tape)? What happens when the right to forget the application conflicts with a business’s data retention policies for archiving and legal purposes?
Personal data breach
“Security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed. Businesses must report any incident of a data breach to the “supervisory authority” within 72 hours of their knowledge.
Privacy Protection Failure
Your ability to assert privacy, integrity, accessibility, and deletion of personal data is partly based on your ability to protect against and restore data storage, backup, and retrieval failures. These failures fall into three separate categories:
- Device failures: The physical failure of any storage hardware component, including drives, storage controllers, and data centers. Examples include: a hard drive that is accidentally exposed to a magnetic field, resulting in its partial shutdown.
- Logical or soft failures: Faults caused by human errors, Examples include: accidentally deleting or replacing files during a backup process, accidental corruption of file data due to a script or business application error or error, accidental deletion of the hard disk boot master file.
- Security breaches: failures due to powerful, malicious attacks on it infrastructure, including networks, servers, applications, and endpoints, including those from malicious connoisseurs, internet criminals, and hostile government agencies. Examples include: a ransomware attack that applies unbreakable encryption to the contents of a hard drive and requires an electronic payment in exchange for the decryption key.
Control of their personal data
In addition to protecting against various types of data protection failures and reporting to EU authorities when breaches occur, controllers have certain obligations to users whose personal data they store. Controllers should support users’ ability to:
- They have access to, read and process their personal data
- Easily delete their personal data, either directly or by simple request to you
- They export their personal data in a legible form.
GDPR requirements for data protection and storage
Undertakings operating as processors have additional obligations to meet. Included
- The provision of sufficient guarantees that their services meet the technical and organizational requirements of the GDPR
- The avoidance of the use of subcontractors to support service contracts between the processor and their clients (Controllers) without the express consent of the controller
- At the end of the service contract, the removal of all data from the cloud infrastructure and/or the internal data center structure and the provision of sufficient evidence that they have done so
- The data breach event report to the regulatory body.
The EU is serious about enforcing compliance, by making the threat of painful financial penalties for companies that cannot prove their compliance or who are caught clearly violating GDPR rules that protect users’ privacy. For example, non-keeping written records, the application of various technical and organisational measures and/or the appointment of a data protection officer can cost the offending undertaking a penalty of EUR 10 million or 2 of annual global income (whichever is greater). A data breach or a violation of the rights of data subjects, e.g. loss or deletion of their data without permission, may result in even stricter fines of EUR 20 million or 4 of the annual global alert (whichever is greater). In general, in order to achieve compliance with GDPR standards in the areas of data storage and data protection (backup), processors and controllers must seek infrastructure and service solutions that meet the following technical requirements:
- Checking the data subject on the location of personal data storage: You must be able to respond to the wishes of people whose data you control or process as to where their personal data is stored: on premises and/ or in a specific EU data center.
- Data encryption: You need to provide strong encryption of all personal data in your endpoints, as well as in transit through your local and wide network area and into the cloud. The encryption process must be entirely automated, with the data subject being the sole owner of the decryption key.
- Search data within backups: You should be able to search for backups at a granular level, making it easy for data subjects to find the required information.
- Ability to modify personal data: You should be able to easily copy, modify, and delete personal data at the request of the data subjects.
- Export data in common format: You should be able to export personal data in a common and easily usable format (e.g. ZIP files)
- Quick data recovery: You should be able to quickly restore personal data from backup in case of storage device failure, software error or operator or security breach (e.g. a ransomware attack)
Similarly, processors and controllers should take into account the following GDPR rules when selecting data storage and data protection infrastructures and services:
- Cross-border data transfers:Any transfer outside EU borders must be transparent and secure. Service providers should be able to determine the locations where personal data are stored at the specific request of the data subjects.
- Breach notice: In the event of a data breach, the processor must be able to notify controllers and customers of any risks within 72 hours
- Right of access : Backup and storage must support the rights of data subjects to receive information from controllers about whether their personal data is being processed. The controller must be able to provide a copy of the data free of charge. Backup files must be available to data subjects 24 hours a day, seven days a week. Personal data in a backup or storage account must be deleted from or at the request of the data subject.
- Right to deletion (right to be forgotten): Where the data are no longer relevant to its original purpose, data subjects should be able to request the controller to delete their personal data upon request
- Data portability: Data subjects must be able to obtain and reuse their personal data for their own purposes by transferring it to different IT environments. This requires the ability to download personal data in easily portable format.
- Data Protection Officers: An employee who has ultimate responsibility for compliance with the GDPR, known as the Data Protection Officer, must be designated to any public authority or large organizations (250 or more employees).
- Privacy from design: Controllers and processors must implement appropriate technical and organizational measures, such as pseudonymisation, designed to implement data protection principles.
Links to other websites
Our website may contain links to other sites of interest. However, once you use these links to leave our site, you should note that we have no control over this other site. Therefore, we cannot be responsible for the protection and confidentiality of the information you provide when you visit such websites and such websites are not governed by this privacy statement. You should be careful and review the privacy statement that applies to this website.