In Part 1 of
our GDPR series, we alerted SMBs to the likelihood of being
subject to GDPR’s strict regulatory provisions. We answered basic questions
about its operational and financial impact, including potential penalties,
which, in case you missed them, can go as high as US$24 million or 4%
of global revenue, whichever is higher.
Here in Part 2, you will learn some essential vocabulary
from the GDPR lexicon, including terms that seem familiar in a US business
setting but whose meaning, according to European regulators, may differ greatly
from your own. We also point out GDPR Articles
that reveal just how radical European privacy principles may feel to American
business owners, especially in smaller organizations.
Chapters, Articles, Terms
The General Data Protection Regulation consists of
11 chapters, each containing a number of sections, Articles and essential
terminology. We believe that all 11 chapters (and all 99 Articles) deserve US business
leaders’ scrutiny. But given GDPR’s 200-plus pages of regulations, these three chapters
may be a good place to get your feet wet:
- Chapter 3–Rights of the Data Subject. Key concepts
include: rectification of inaccurate data, right to erasure (aka right to be
forgotten), and right to data portability.
- Chapter 4–Obligations and Responsibilities of Data
Controllers and Processors. Key concepts include: maintaining data security, controller/processor
codes of conduct and record keeping, and role of the Data
Protection Officer (DPO)–a new position that many US firms may soon establish.
- Chapter 8–Remedies, Liabilities and Penalties. Key
concepts include consumers’ rights to: lodge a complaint, seek judicial
remedies against supervisory authorities; and the imposition of administrative
fines and penalties.
Conveniently, Article 4, from the General Provisions chapter, contains 26 essential terms, including those
provided for you below.
As a prelude, know that European regulators refer to
people as ‘identifiable natural persons’ and ‘data subjects,’ whose information
is collected and/or handled by ‘controllers’ or ‘processors.’ So, given that,
what’s considered ‘personal data’ and what isn’t?
Personal Data: any information related to a natural person or ‘data
subject’ that can be used to directly or indirectly identify the individual,
such as: a name, an identification number, location data, an online identifier,
or factors specific to the person’s physical, physiological, genetic, mental,
economic, cultural or social identity.
Data Subject: a natural person whose personal data is handled by a
controller or processor.
Data Controller: the entity that determines the purposes,
conditions and means of the processing of personal data. Example: Company A
commissions Company B to conduct research on A’s behalf;
B decides whom to target, which data to collect, and the methods of processing,
using and storing the data. This makes Company B the controller.
Data Processor: the entity that processes data on behalf of the data
controller. Example: Company A supplies data to Company B, a payroll management
firm, for processing, providing explicit instructions and data-handling
requirements. Under GDPR, the processor is Company B.
Consent: freely given, specific, informed and explicit consent, by statement or
action, signifying agreement to the processing of one’s personal data.
Right to be Forgotten (data erasure): entitles the data
subject to have the data controller erase his/her personal data, cease further
dissemination of the data, and potentially have third parties cease processing
of the data.
Pseudonymisation: the processing of personal data so that it can no longer be attributed
to a single data subject without the use of additional data, so long as the
additional data stays separate to ensure
Profiling: any form of automated processing to evaluate certain personal aspects relating
to a natural person, in particular, to analyze or predict aspects regarding the
person’s performance at work, economic situation, health, personal preferences,
interests, reliability, behavior, location or movements.
While it’s true that the GDPR won’t immediately affect all U.S. businesses, those who
must comply may find themselves in the 11th hour–possibly in need of an IT
Managed Services Provider (IT MSP) to provide last-minute guidance,
security solutions or infrastructure upgrades. If that’s you, contact TeamLogic