General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that sets out requirements for companies and organizations on collecting, storing and managing personal data. It applies to European organizations that process personal data of individuals in the EU, and to organizations outside the EU that target people living in the EU. It also addresses the export of personal data outside the EU and the European Economic Area (EEA). GDPR became enforceable on 25 May 2018. Because GDPR is a regulation rather than a directive, it does not require national governments to pass any enabling legislation; it is directly binding and applicable.
GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation contains provisions and requirements pertaining to the processing of personally identifiable information of individuals (also referred to as data subjects) inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area.
Personal data must be protected by design and by default, to ensure it is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long the data is retained and whether it is shared with any third parties or transferred outside of the EU. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities center on regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
Personal data is any information about an identifiable person, also known as the data subject. Personal data includes information such as their name, address, ID card/passport number, income, cultural profile, Internet Protocol (IP) address, mobile device ID, data held by a hospital or doctor (which uniquely identifies a person for health purposes), etc.
The regulation applies to all enterprises, businesses and individuals, regardless of location, that are doing business with the European Economic Area.
GDPR generally requires security measures to protect against unauthorized access to the IT systems used for the processing of personal data. The European Union Agency for Network and Information Security (ENISA) issued guidelines that interpret GDPR and help companies become compliant. The guideline states that “Two-factor authentication should preferably be used for accessing systems that process personal data. The authentication factors could be passwords, security tokens, USB sticks with a secret token, biometrics etc.”
GDPR requires processors of personal data to take appropriate measures to protect it. Multi-factor authentication is not mandatory, but bodies such as ENISA recommend it for high-risk access to personally identifiable information.
GDPR frequently refers to “appropriate safeguards”, “appropriate security”, and “appropriate measures”, but makes no specific requirements regarding passwords. That said, according to ENISA and others, an appropriate password policy, including enforcement of password complexity rules, should be part of a GDPR assessment.