EU GDPR: Definitions


It is vital to understand the definitions contained within the European Union General Data Protection Regulation (EU GDPR) in order to comply with its provisions; this is true for any document with legal effect. While it is tempting to assume the meaning of a word or phrase, it would be unwise to guess at it. Therefore, I have created this blog post to identify and define, within the meaning of this Regulation, certain key words and phrases. This posting may prove useful as you read my other blogs related to the EU GDPR.

Consent: explicit agreement by the Data Subject; must be freely given, specific, informed, and unambiguous (clear and plain language), by a statement or clear affirmative action signifying agreement to the processing of personal data; consent can be withdrawn at any time; however, the withdrawal doesn’t affect the lawfulness of data processing based on consent before its withdrawal; it must be as easy to withdraw consent as it is to give it; data collected, stored, and processed strictly for direct marketing purposes must be clearly and separately called out from other information contained in a request for consent

Data Controller: the natural or legal person, public authority, agency, or other body, which determines the purposes and means of the processing of personal data; the Data Controller remains liable for non-compliance, regardless of whether the Data Processor or other third-party subcontractor actually processes the data; this is done to ensure that the Data Controller remains vigilant in the security of the data from which it benefits and derives business and cannot cavalierly eschew responsibility by outsourcing

Data Minimization: collecting, storing, and using only data that is: adequate, relevant, and limited to what is necessary to the purpose for which it was collected; data cannot be kept for longer than necessary in a form which identifies the Data Subject, UNLESS it is for archiving and research purposes (storage limitation)

Data Processing Considerations: nature, scope, context, purpose, risks, and severity of consequences

Data Processor: the natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the Data Controller; the Data Controller and Data Processor may be employed by the same or different entities; the Data Processor cannot subcontract the data processing to a third party without the Data Controller’s agreement; the Data Controller and Data Processor both remain liable for non-compliance

Data Subject: identified or identifiable natural person

Jointly & Severally Liable: liability which attaches to more than one entity or individual; each one is liable for the full amount and consequences of a judgment, with the potential for charge-back between those held liable (for example, if a judgment is made against the Data Controller and Data Processor, the EC may collect 100% from one or the other; then the paying entity/individual has a claim against the other non-paying entity/individual for 50% reimbursement)

Personal Data: any data relating to an identified or identifiable natural person (Data Subject); this is a much broader interpretation of what constitutes personal data, compared to that of Directive 95/46/EC

Profiling: any form of automated processing of personal data to analyze or predict aspects concerning that natural person (Data Subject); this provision can have a profound impact on direct market data gathering, which is a key element in the value proposition of Big Data & Analytics; separate attention must be called to this purpose when explicit consent is being sought from the Data Subject

Pseudonymization: personal data that can no longer be attributed to a specific Data Subject without the use of additional information; the additional information must be stored separately and subject to technical and organizational measures to ensure the continued privacy of the Data Subject
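As an added illustration (not part of the original post), the following Python shows the Data Minimization and Pseudonymization definitions above in practice: a constructed marketing extract is first stripped to the fields the stated purpose needs, then the identifier is replaced by a keyed pseudonym, with the key and the pseudonym-to-identifier link table (the "additional information") held apart from the working data. The sample records, field names, and key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample dataset: a direct-marketing extract that holds more
# than a newsletter mailing needs (postcode and card number are not
# necessary for that purpose, so data minimization discards them).
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "newsletter": "weekly",
     "postcode": "SW1A 1AA", "card_number": "4111111111111111"},
    {"email": "bob@example.org", "newsletter": "monthly",
     "postcode": "EC1A 1BB", "card_number": "5500000000000004"},
    {"email": "alice@example.org", "newsletter": "weekly",
     "postcode": "SW1A 1AA", "card_number": "4111111111111111"},
]

# Fields the processing purpose actually requires ("adequate, relevant,
# and limited to what is necessary"); everything else is dropped.
NEEDED_FIELDS = ("email", "newsletter")


def pseudonym_for(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the identifier. Deterministic, so the same
    person maps to the same token inside the working set (joins still
    work), but without the key the token cannot be turned back into
    the original identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_and_pseudonymize(records, key: bytes, id_field: str = "email"):
    """Return (working_set, link_table).

    working_set: records reduced to NEEDED_FIELDS, with the identifier
                 replaced by its pseudonym; this is what analytics sees.
    link_table:  the 'additional information' of the GDPR definition,
                 pseudonym -> identifier, to be stored separately under
                 its own technical and organizational controls, with the key.
    """
    working_set, link_table = [], {}
    for rec in records:
        token = pseudonym_for(rec[id_field], key)
        link_table[token] = rec[id_field]
        minimized = {f: rec[f] for f in NEEDED_FIELDS if f != id_field}
        minimized[id_field] = token
        working_set.append(minimized)
    return working_set, link_table


def reidentify(token: str, link_table: dict):
    """Re-identification needs the separately held link table; without it
    (or with a token made under a different key) there is no match."""
    return link_table.get(token)
```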

Right of Erasure: Data Subjects have the right to request that their data be erased; exceptions apply, including retaining data required to fulfill contractual obligations with the Data Subject, archiving, research, or if data retention is in the public good; this provision represents an enhanced right for the Data Subject, compared to the prior Directive and the concept of “the Right to be Forgotten”; alternatively, the Data Subject can also request a data restriction, instead of a data erasure

Supervisory Authority (SA): an independent public authority, which is established by a Member State; the SA interacts with the Data Protection Officer (DPO), Data Controller, or Data Processor in order to ensure that proper procedures are followed in securing the personal data of Data Subjects; the SA has the authority to offer opinions and guidance, monitor those entities within its jurisdiction, and to render rulings; it is advisable to begin and maintain an early and close working relationship with the SA

Author: Donna Taylor

Donna Taylor has 20 years’ experience in the IT industry, including 12 years as an analyst & advisor. She has worked at such high-profile companies as IBM, Gartner, IDC, and Ford Motor Company. She has a diverse skill set with extensive global experience in corporate development & strategy, M&A, venture capital, consulting, market research, competitive analysis, marketing, finance, and international tax & transfer pricing. Taylor is expert at developing & implementing strategic initiatives that drive growth and establish significant market presence and brand awareness, as well as identifying trends, disruptive technologies, and emerging business opportunities. She excels at research, writing, presenting, and advising both the vendor community and end-users. Her areas of expertise include: computer storage, data security, privacy, and protection, EU GDPR, GRC, cloud, Big Data & Analytics, archiving, backup, & recovery, business continuity, and data centres. She has a successful track record of managing and leading global teams and projects. Her business development acumen has led to revenue growth, cost containment, and operational improvements for companies with whom she has worked. Taylor has developed ideas which have led to the identification and segmentation of new areas of research and product development with a global focus and a particular affinity for Europe. She provides insightful perspectives on GTM strategies by addressing the unique characteristics of local markets, while maintaining the cohesive initiatives of a company. She has presented her thought-provoking research at worldwide industry events, which has enabled organizations to take advantage of rapidly-changing market conditions in a timely manner. Taylor holds three university degrees…an MBA in International Management, a JD with a concentration in International Corporate Law, and a BS in both Finance and Multinational Business Operations. 
These degrees, as well as her extensive experience in the international corporate world, have provided her with a unique perspective on the global marketplace. She has lived in Europe for many years (Munich, Paris, & London), traveled to over 20 countries, and has studied seven foreign languages. As a result, she has a deep understanding of the nuances of global markets, particularly in the EMEA region. If your organization could benefit from insightful consulting and analysis, please contact Donna Taylor for consultant/advisor services, white papers & reports, guest blogging, and speaking engagements.
