Topic 1 Introduction to the European General Data Protection Regulation (G.D.P.R.)

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a ruling intended to protect the data of citizens within the European Union. The GDPR is a move by the Council of the European Union, the European Parliament, and the European Commission to provide citizens with a greater level of control over their personal data.

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

The right to privacy is part of the 1950 European Convention on Human Rights, which states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” From this basis, the European Union has sought to ensure the protection of this right through legislation.

As technology progressed and the Internet was invented, the EU recognized the need for modern protections. So in 1995 it passed the European Data Protection Directive, establishing minimum data privacy and security standards, upon which each member state based its own implementing law. But already the Internet was morphing into the data Hoover it is today. In 1994, the first banner ad appeared online. In 2000, a majority of financial institutions offered online banking. In 2006, Facebook opened to the public. In 2011, a Google user sued the company for scanning her emails. Two months after that, Europe’s data protection authority declared the EU needed “a comprehensive approach on personal data protection” and work began to update the 1995 directive.

The GDPR defines an array of legal terms at length. Below are some of the most important ones:

  • Personal data
  • Data processing
  • Data subject
  • Data controller
  • Data processor

Personal data

Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.

Data processing

Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.

Data subject

Data subject — The person whose data is processed. These are your customers or site visitors.

Data controller

Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.

Data processor

Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations.

Data protection principles

If you process data, you have to do so according to seven protection and accountability principles:

1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.

2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.

3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.

4. Accuracy — You must keep personal data accurate and up to date.

5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.

6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).

7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

ETUCE* Director Susan Flocken said:

“Online security in schools is fundamental. The new GDPR can help implement better security measures to protect teachers and students from cybercrime. Schools should regard the introduction of the GDPR regulation as a way of further enhancing the way they deal with personal data.”

* European Trade Union Committee for Education

We investigated the European GDPR, which is the world's toughest privacy and security law and helps protect all citizens against misuse of data about them. As teachers, we are also obligated to follow the GDPR when handling data on learners. We examined the 7 protection principles.