15th Feb 2018 –

Going through the new General Data Protection Regulation is super important.
But it’s as fun as watching a golf tournament played back in slow motion.
A key principle of GDPR: Present your data policies to users free of “legalese.”
SO WHY DID THEY GIVE US 200 PAGES OF BRAIN MELTING JARGON TO READ?
So here’s a breakdown of what all these legal terms mean—written in sentences you won’t fall asleep halfway through.
It’s a lot. Feel free to CTRL+F your way out of a headache.

Definitions

Biometric Data: “Body data.” If it can identify you and has to do with physical, physiological, or behavioral traits—it’s this.

Binding Corporate Rules (BCRs): Have personal data in the EU? Want to transfer it to folks in your multinational org. outside the EU? BCRs are your rules to follow.

Consent: This is a big one. GETTING CONSENT TO USE SOMEONE’S PERSONAL DATA IS COMPLICATED NOW.
It’s gotta be:
- freely given
- specific
- affirmative
- explicit
People have to understand how you’re using their data. They have to give you the OK to use it that way.
You have to ask for people’s consent independently. You can’t lump it together with the same checkbox as your privacy policy.
And you can’t pre-check the “I consent to ____” box. They’ve gotta do that themselves.
You can’t write your old-fashioned “This site uses cookies, by being here, you’re cool with that” disclaimer and expect it to fly.
So…if you’re going to email someone, you have to have their consent to be emailed. Going to use a cookie? You need specific consent for that too.
We wrote more about it here.

Data Concerning Health: What it sounds like (thank god).

Data Controller: If you’re a marketer, that’s probably you. It’s anyone who asks for, collects, and uses personal data, in any way. If you process it, if you store it, if you determine how people’s data is going to be used—you’re a data controller. Congrats!

Data Erasure: AKA: “Right to be Forgotten.” This just means a data subject (human person) can choose to have any data you have on them erased. They say the word, and you’ve got to clear their data, stop using it, and stop disseminating it (gross) in any way.

Data Portability: If someone comes to you and says “HEY, I want a copy of all the data you have on me”—you’ve gotta say “sure, here yah go.” And you’ve got to pass them a copy of that data in a format that they can easily pass on to someone else. (More info on that lives here)

Data Processor: Whatever you (the data controller) use to collect and process data. A lot of your marketing tools are data processors (think analytics tools, A/B testing tools, plugins, and the like).

Data Protection Authority: The scary folks who are going to make sure you follow the rules. These are national authorities who are in charge of protecting data and privacy, and of monitoring the enforcement of GDPR within the EU.

Data Protection Officer: Someone you should appoint to handle all this regulation madness if you’re a company bigger than 250 people (but to be honest, GDPR can’t really make up its mind on what that number should be). This is an expert on data privacy who will work with you independently and keep you in line with GDPR.

Data Subject: A human whose data you have, see, or use.

Delegated Acts: Fun “bonus laws” that supplement existing ones, in order to provide more clarity or criteria. Expect a bunch of these from independent EU nations moving forward.

Derogation: Exceptions to laws!

Directive: This is the law that sets a “goal” for all the EU countries. Then each country makes its own national laws to meet that goal.

Encrypted Data: More or less: you protect personal data by muddling it all up. Data encryption ensures that only people with specified access can access or read the data you’ve stored. As far as security measures go, it’s a very good idea.

Enterprise: Anything engaged in an economic activity—regardless of its “legal form.” So people, organizations, associations, you name it. Anyone who makes or messes with money.

Filing System: GDPR applies in two places: to automated systems (storing stuff on the computer and in databases), or, for hard copies, in “relevant filing systems.” A filing system is “relevant” if it can be searched, or accessed by specific criteria—like name, ID number, telephone number, etc.
So if you dump all your HR data into unmarked, unorganized boxes—you probably don’t have to worry about those for GDPR. You just should worry about them, for, you know, every other reason.

Genetic Data: The EU official site defines this but, come on. You know what genetics are.

Group of Undertakings: There’s a lot of case law to sift through to understand what an “undertaking” is—but it more or less comes down to this: an undertaking is when one company has control over another company. And control, in this case, means the ability to exercise “decisive influence.”
And a group of undertakings is a group of those.
Example: a parent has a majority shareholding in a subsidiary. It’s assumed they can exercise control. That’s an undertaking.

Main Establishment: This more or less has to do with where supervision is applied. It’s the place within the Union where the decisions surrounding data processing are made. Meaning—if you process your data in Germany, even if you’re based elsewhere, your “main establishment” is in Germany.

PERSONAL DATA: ANOTHER BIG ONE. Personal data is any information that relates to a person and can be used to identify them. This includes data that can indirectly identify them, or identify them when combined with other incoming data.
This is different than PII (personally identifiable information). And it’s a stricter definition than we’ve really seen before.
Here’s a full breakdown:
Personal Identifiable Data (PII) | Personal Data

Personal Data Breach: A big “oops.” This is anytime someone can accidentally, or unlawfully, access, destroy, or misuse the personal data you have stored. Under GDPR, you’re required to let all your data subjects know about one of these within 72 hours.

Privacy by Design: Stop procrastinating. When you build out a system that deals with data—an interface, a website, anything—you should be thinking about data protection BEFORE you even get started. It should be designed with data rights in mind. They should not be a last-minute addition.

Privacy Impact Assessment: A thing you (along with your Data Protection Officer) should do! Basically, this is just auditing for potential privacy risks. It means taking a look at your personal data, how it’s processed, and what you’re doing right now to protect it.

Processing: ANYTHING you do with personal data—manually, or automatically. Collecting it, recording it, using it. Personal data so much as flashes across your screen, and it’s processed.

Profiling: If you process personal data automatically, and analyze it to predict a specific person’s behavior—that counts as profiling.

Pseudonymisation: You have personal data. You process it in a way where you can’t attribute it to a data subject anymore—at least, not without some other, separately held piece of information. The classic example is substituting identifiable data with a reversible, consistent value—like a string of random numbers—which can be later “unlocked,” and reattributed.
This is different than actually anonymized data, in which the identifiable piece of information is totally destroyed.
Which techniques “count” as pseudonymization under GDPR hasn’t quite been determined yet, and there’s a lot of gray area as to what sort of data counts as “likely to be identified,” or “reasonably likely” to be identified.
But there are some fancy GDPR incentives for pseudonymizing your personal data. You can find those in Recital 29.
For example, when you collect your standard, regular ole personal data, you can only use it for reasons explicitly “okayed” by the data subject. But with pseudonymization, you have a bit more leeway on how you can process data—even if it’s for a different purpose than the one it was collected for originally.

Recipient: A person that personal data is disclosed to.

Regulation: Law that is binding and applies across the entire EU.

Representative: If the folks overseeing GDPR compliance need to call on data controllers (i.e., your company) to address concerns, they address your representatives. Representatives need to be in the Union and explicitly designated for the task.

Right to Access / Subject Access Right: If you have someone’s personal data, they can ask for access to it. You have to be able to give it to them.

Right to be Forgotten: See Data Erasure, above.

Supervisory Authority: Every EU member state will appoint a public authority to oversee GDPR compliance. That’s a supervisory authority (but you might also know of this as a DPA, or a Data Protection Authority).

Trilogues: After everyone’s read the first draft of proposed legislation, the European Commission, European Parliament, and Council of the EU meet informally to negotiate. Those meetings are called trilogues and are held so a compromise text can be adopted quickly.

Acronyms:

BCRs: Binding Corporate Rules (see above)
CFR: The Charter of Fundamental Rights of the European Union
CJEU: The Court of Justice of the European Union
DPA: Data Protection Authority (See Supervisory Authority)
DPO: Data Protection Officer
ECHR: European Convention on Human Rights
EDPB: European Data Protection Board
EDPS: European Data Protection Supervisor
EEA: European Economic Area (the 28 EU member states, plus Iceland, Liechtenstein, and Norway)
TFEU: Treaty on the Functioning of the European Union
WP29: Working Party Article 29. It was an EU-level advisory board, made up of national DPAs. But the EDPB has more or less replaced it under GDPR.
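As an added example (not from the original post), here is the pseudonymisation-versus-anonymisation distinction from the definitions above in code: identifiers are swapped for a consistent, reversible token derived with a separately held key, so rows about the same person still join for analysis, while anonymisation destroys the identifier outright. The records, field names and key handling are constructed for illustration, not taken from any real system.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people): the email is the identifier.
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "clicks": 42},
    {"email": "bob@example.com", "plan": "free", "clicks": 7},
    {"email": "alice@example.com", "plan": "pro", "clicks": 13},
]


def make_key() -> bytes:
    """The 'separately held piece of information'. Store it apart from the data."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC gives a consistent token: same identifier + same key -> same token,
    but without the key the token cannot be recomputed from a guessed identifier.
    Truncated to 16 hex chars purely for readability in this example."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: bytes) -> tuple:
    """Replace the identifier with its token. Returns the pseudonymised rows and the
    token->identifier lookup that must be kept separately; only its holder can
    'unlock' a row and reattribute it to a data subject."""
    lookup, out = {}, []
    for r in records:
        token = pseudonym(r["email"], key)
        lookup[token] = r["email"]
        out.append({**r, "email": token})
    return out, lookup


def reattribute(row: dict, lookup: dict) -> dict:
    """Reverse the substitution using the separately held lookup table."""
    return {**row, "email": lookup[row["email"]]}


def clicks_per_subject(rows: list) -> dict:
    """Analysis still works on pseudonymised rows because tokens are consistent."""
    totals = {}
    for r in rows:
        totals[r["email"]] = totals.get(r["email"], 0) + r["clicks"]
    return totals


def anonymise(records: list) -> list:
    """Drop the identifier entirely; there is nothing to unlock later."""
    return [{k: v for k, v in r.items() if k != "email"} for r in records]
```

A pseudonymised dataset is still personal data under the definition above as long as anyone holds the key or lookup table; only the anonymised output falls outside it.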