GDPR Primer — General Concepts
The European Union’s new General Data Protection Regulation (GDPR) is coming into effect on May 25, 2018, and it’s going to affect every business and institution that captures the personal information (like payment card data or government identification numbers) of individual EU citizens. In a digital age in which customer data is considered a core asset, businesses will be forced to review their procedures and technology infrastructure to ensure that data is processed and managed in compliance with these new regulations, or face stiff financial penalties.
From its position as an industry-leading vendor in data protection, disaster recovery and storage, Acronis has some unique perspectives on the implications of GDPR on end-users, businesses and service providers. These will be covered in a series of blogs, webinars, and whitepapers that Acronis will publish in the coming weeks. For now, let’s review some of GDPR’s general terminology. It will help you understand challenges and identify opportunities presented by the new regulations:
- Data subject — “an identified or identifiable natural person… who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” These are your customers, partners, consumers, or just website visitors if they are citizens of the EU. (Have you noticed that many websites have started to ask for permission to collect personal data about your visit and store it in a cookie?)
- Personal data — any information that can be used to identify the data subject. This goes well beyond the historical definition of personally identifiable information to include the person’s name, email address, social media posts, physical, physiological, or genetic information, medical information, location, bank details, IP address, cookies, cultural identity, etc.
- Controller — “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” If you have customers or website visitors who are citizens of the EU, this is you.
- Processor — “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” If you are a service provider, storage vendor, or other company that manages and/or stores the personal data of EU data subjects on behalf of a company that is a controller (as defined above), you are a processor. Note that companies can be both controllers and processors. Acronis, for example, provides infrastructure to some service providers as the basis of their cloud backup services, but also has a backup product that it sells online to consumers; thus we are both a controller and a processor in EU GDPR terms.
- Right to be forgotten — The right of a data subject “to have his or her personal data erased and no longer processed.” Individuals may request the deletion of all of their personal data stored on a controller’s servers. There is some ambiguity about how this applies to data backup (for disaster recovery) as opposed to data archiving (for legal data retention compliance), which we hope will be clarified in the coming months. There are hefty penalties for failing to remove the personal data within a specified timeframe.
- Personal data breach — “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” An example of this is a ransomware attack that takes down your database server, encrypting all of your customer data. Businesses must report every data breach incident to the appropriate EU regulatory authority within 72 hours of becoming aware of it.
Of course, there are many more terms and definitions that you need to become familiar with if your business falls under the GDPR regulatory umbrella. These can be found at the official European Union Law website or another, more user-friendly site.
What’s next? Whether you’re a service provider offering data protection services to European businesses or a business serving EU citizens, Acronis wants to empower you to store and operate on regulated personal data in a fully GDPR-compliant manner. Acronis offers products and services to make your data protection and storage GDPR-compliant; in the coming weeks, we will explain how.