Introducing the OneTrust GDPR Deep Dive Series

The one-year countdown to GDPR started last week.

To mark the occasion, OneTrust is introducing the GDPR Deep Dive Series, in which we delve into each chapter of the GDPR and summarize key takeaways of the new governance in an easy-to-digest format.

The GDPR Deep Dive Series is intended to help privacy executives with implementation and operationalization of GDPR regulations, and will be published bi-weekly on our blog.

GDPR will come into effect on May 25, 2018, and OneTrust believes that every global organization should start considering how to best implement efficient and effective data-handling practices that are replicable and consistent.

OneTrust GDPR Deep Dive Series

Chapter 1: General Provisions

Taking good care of your customers’ data is simply a necessary business practice in a competitive world, and, more importantly, it’s the right thing to do.

Chapter 1 outlines the basics of what the GDPR seeks to accomplish and provides the legislative equivalent of a glossary of terms. Its rules are intended to protect people’s personal data with regard to the processing and free movement of said data.

The GDPR applies to the processing of personal data by organisations with establishments located in the EU.

The GDPR also applies to the processing of personal data of individuals who are located in the EU (regardless of the organisation’s geographical location), where the processing is related to:

  • The offering of goods or services, irrespective of payment; or
  • The monitoring of their behavior that takes place within the EU.

Lastly, the GDPR will apply to the processing of personal data by controllers who are established in a country where a particular EU Member State law applies by virtue of public international law, for example in the context of a diplomatic mission or consular position.

The GDPR will not apply to the following means of personal data processing:

  • For an activity that falls outside the scope of Union law;
  • By the Union institutions, bodies, offices and agencies (instead, Regulation (EC) No 45/2001 applies);
  • By Member States for activities that fall within the scope of Chapter 2 of Title V of the Treaty of the European Union (re: borders/immigration);
  • By a person in the course of a purely personal or household activity; and
  • By public authorities for the purposes surrounding criminal offenses, law enforcement and public security.

Key terms defined in Chapter 1 include:

Personal Data: Any information relating to a natural person or “Data Subject” that can be used to directly or indirectly identify the person.
Processing: Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Data Controller: Entity that determines the purposes, conditions and means of the processing of personal data.
Data Processor: Entity that processes data on behalf of a Data Controller.
Data Subject’s Consent: Any freely given, specific, informed, and unambiguous (explicit) indication made by statement or clear affirmative action signifying agreement to the processing of personal data.
Biometric Data: Any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification.
Data Concerning Health: Any personal data related to the physical or mental health of an individual or the provision of health services to them.

The GDPR is intended to apply to the digital age we live in today, and to harmonize data protection law across the EU. However, with the GDPR’s numerous provisions allowing for Member State variation, organisations will need to comply with more than just the GDPR.

With one year to go before enforcement commences, it’s now time to start thinking about what sort of tools your organization can use to assist with meeting the GDPR’s many requirements.