PART 1: Definitions, Principles, and Rights
With 99 articles to review and comprehend, navigating the GDPR can be a challenge. Organized and broken down into sections - including a complete checklist - the first three chapters of the regulation cover Articles 1-23. The breakdown of those chapters and articles follows below.
Chapter 1: Define, Define, Define
The GDPR welcomes you by defining the regulatory objectives and additionally defines territorial scope and terminology specific to the GDPR.
With a focus on fundamental rights and freedoms for individuals, the processing of personal data is introduced and reviewed. Special attention should be paid to Article 4, as this article defines 26 different terms. The terms defined by the GDPR include: personal data, processing, restriction of processing, profiling, pseudonymization, filing system, controller, processor, recipient, third party, consent, personal data breach, genetic data, biometric data, data concerning health, main establishment, representative, enterprise, group of undertakings, binding corporate rules, supervisory authority, supervisory authority concerned, cross-border processing, relevant and reasoned objection, information society service, and international organization.
Article 4 itself is hard to summarize, because which of its definitions regarding the data, businesses, people, and the processing of that data are relevant depends on the organization and on the criteria that bring it within scope.
Article 2: The material scope of the GDPR is laid out in this Article.
Article 4: Definitions within this article should be reviewed and understood, as they are referenced throughout the regulation.
Chapter 2: Principles
This chapter, covering Articles 5-11, discusses how you should treat data, and how the party processing the data has to demonstrate compliance.
This chapter also brings in consent, categories of personal data, and when processing does NOT require identification (Article 11). In general, Chapter 2 is lengthy and will take time to review, but it is worth the review for its treatment of consent and conditions.
Article 5: Principles relating to the processing of personal data.
Article 7: Conditions for consent.
Article 11: Processing which does not require identification.
With the strengthening of consent requirements, the request for consent must be presented in an intelligible and easily accessible form. Most importantly, the purpose of the data processing must be attached to that consent, and withdrawing consent must not be made complicated either.
Chapter 3: Data Subject Rights
This chapter covers Articles 12-23 and explains the rights of the person, or "data subject", whose data is handled by the processor, the controller, or anyone who receives the data. As with the previous chapters, Chapter 3 contains a large amount of information, including the right to be forgotten (Article 17).
Article 12: Clear, concise, and comprehensible information. Organizations can no longer use muddled and complicated language when capturing data.
Article 16: Right to rectification. An organization will have to correct/rectify inaccurate information about an individual.
Article 17: The right to be forgotten. Essentially, organizations need to be able to show they can trace and delete the data they hold on an individual.
Article 22: The right not to be profiled.
Keep in mind that the GDPR was not created with the intent of complicating IT processes and procedures for organizations. Ultimately, the overarching goal was to formalize a regulation focused on protecting data subject rights. Given the technological advancements of the previous decade, it may be surprising that this regulation was not put in place sooner.
In Part II of this series, we will cover privacy by design (Article 25) and security of processing (Article 32). Additionally, we will cover the role of the DPO and breach reporting. To learn more about the GDPR and compliance for your organization, download the complete GDPR checklist today.
May 9, 2018