GDPR as Robin Hood: Giving rights back to people?
Updated on January 9, 2018
While the previous part of this series gave and introduction to the GDPR topic, this article leads through the legal logic on which the regulation stands. How does the "people control their own data" manifest into the daily agendas?
The current data protection directive (Directive 95/46/EC) defines personal data in a more narrow sense: it only takes into consideration information which can directly lead to identification of a person (direct identifiers). With GDPR the definition goes broader, understanding personal data as any information which can lead both directly or indirectly to identification of a person. An example for them all - cookies - will now be considered personal data. Wherever they can trace back to a specific person, such as someone who bought a pair of sneakers last week within a given street or district.
The chart above illustrates the overall logic of GDPR. Starting with the objective of “People control their own data” (as found in Recital 17), the regulation then emphasizes two complimentary parts - principles for processing and data subjects' rights. All that framed by data protection by design and by default. Data protection by default gives no space for exceptions when it comes to application of data processing and handling. It needs to be embedded in the system so that no case is omitted. Data protection by design, then, points already towards certain solutions - the principles of minimization, anonymization or pseudonymization should be backed by proper process mapping and documentation. Only then can be the processing flow overseen and inspected at each of its stages.