How Does Blancco Help Organizations Comply with the EU General Data Protection Regulation?

On May 25, 2018, the EU General Data Protection Regulation (GDPR) came into effect throughout Europe, and any global business that handles information from EU citizens and residents must prove compliance.

One significant update in this regulation is the expanded definition of personal data. Understanding what constitutes personal data is key to defining the scope of the data being handled by an organization.

Personal data is defined as information that relates to a natural person; the person is identified or made identifiable, directly or indirectly, by reference to an entity such as a name, ID number, location data or other unique identifier.

Once you understand what personal data is, it’s important to then recognize what is meant by data processing and who oversees this responsibility.

GDPR Terminology:

Controller – the entity (person or organization) that determines the purposes and means of the processing of personal data.

Processor – the entity that processes personal data on behalf of the controller.

Processing – any operation performed on any piece of personal data, automated or not, including (but not limited to) collection, recording, organization, structuring, storage, retrieval, transmission, dissemination and erasure or destruction.

It should be noted that when a controller selects a processor to process data, he/she must agree to a binding contract ensuring that the same level of data protection is offered as stipulated by the regulation. In effect, this means that the controller will not bear the full brunt of sanctions (as was previously the case) should a processor be liable for breaking the law.

The Right to Data Erasure

The right to erasure (also referred to as the ‘right to be forgotten’) extends the long-standing requirement that the Data Protection Directive contains—the right consumers have to request that their data or physical information be disposed of effectively and responsibly. The GDPR expands this right (and supersedes the Directive) to include data that lives on the internet. Consumers can request to “be forgotten” from public view in specific circumstances.

The Right to Erasure Applies When:

Under the existing Data Protection Directive, the right to erasure is limited to processing that causes substantial and unwarranted distress or damage. This is not true under the GDPR; however, if such distress or damage is present, the case for erasure will likely be that much stronger. There are some specific instances in which the right to erasure does not apply, and organizations can refuse to deal with a request.

Organizations Can Refuse to Comply with a Request for Erasure When Personal Data is Processed for the Following Reasons:
