The General Data Protection Regulation (GDPR) is the new European Union (EU) legislation that addresses the handling of personal data. It is a regulation by which the European Commission intends to strengthen and unify data protection for all individuals within the EU. Though it was drafted and passed by the European Union, it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.
With the GDPR, Europe is signaling its stance on data privacy and security at a time when more people are entrusting their personal data to cloud services and new apps, and breaches are a daily occurrence.
The fines for violating the GDPR can be high. There are two levels of penalties, which max out at €20 million or 4% of global revenue, and data subjects also have the right to seek compensation for damages.
Within a European project, where many different actors (companies, institutions) are involved, the first crucial step is to identify their key roles. In order to do this correctly, it is essential to start from the definitions.
Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it is possible to identify someone from it. A data subject is the person whose data is processed. Data subjects can be customers, site visitors, participants in the project, and so on.
Data processing means any action performed on data, whether automated or manual. The examples cited in the text of the regulation include collecting, recording, organizing, structuring, storing, using, erasing, etc.
The two main actors in data processing are the data controller and the data processor: the controller is the one who decides why and how personal data will be processed, while the processor is a third party that processes personal data on behalf of a data controller.
Further fundamental principles of the new regulation for EU projects are:
Accountability, which requires the controller to put in place appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the GDPR. This is a risk-assessment-based approach that rewards the most responsible actors.
Privacy by default and by design: these terms mean that personal data protection is set as the default (by default) and is built in from the design stage of products and services (by design); the intent is to prevent problems rather than correct them afterwards. A careful impact and risk assessment allows the company to identify potential risks and take appropriate measures from the earliest stages of designing and implementing its systems.
It must be added that personal data can also be considered sensitive, and subject to specific processing conditions, if it reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; the same applies to genetic data, biometric data processed solely to identify a human being, health-related data, and data concerning a person's sex life or sexual orientation.
In light of all these principles, four main steps become crucial within EU projects:
1) making an assessment of the kinds of data that will be processed by the partners of the project;
2) defining roles and responsibilities according to the assignment of the data controller and data processor roles;
3) preparing a privacy document in which the first two steps and the flow of data are clarified;
4) verifying, day by day during the project, compliance with the legislation.