GDPR
Learn about GDPR (General Data Protection Regulation).
GDPR (General Data Protection Regulation) is legislation designed to protect the privacy rights of EU citizens with regard to the collection and processing of their personal data. It was adopted by the EU (European Union) in 2015 and will come into enforcement on May 25, 2018. GDPR is a complex law with 99 articles. Its principal goal is to ensure that organizations with access to the personal data of EU citizens provide protection from privacy intrusion and data breaches.
GDPR purposefully does not list all the types of information it considers to be personal data, but it does define the term:
Personal data: Any information relating to an identified or identifiable natural person ("data subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. See Article 4.
In addition to the types of information that directly identify a person such as a user name, photo, and email address, other types of information can indirectly identify someone. These can include the MAC address and IP address (even when dynamically assigned) of a user's client device. Such indirect identifiers might be combined with other types of data to compose a profile of a person and eventually identify him or her.
The following are some of the key elements of GDPR (source https://gdpr.eu/):
Territorial Scope
GDPR applies to all companies collecting and processing the personal data of EU citizens (also referred to as data subjects) in the EU, regardless of where the companies are located and where the data is stored and processed. In other words, it applies to the data of EU citizens collected in the EU by companies either inside or outside the EU, and to data stored and processed on servers located either inside or outside the EU. See Article 3.
Penalties
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines. For example, a company can be fined 2% for not having its records in order (Article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. See Article 83.
Consent
Requests for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. See Article 7.
Breach Notification
Breach notification must be done within 72 hours of first having become aware of the breach. Data processors are required to notify their customers, the data controllers, “without undue delay” after first becoming aware of a data breach. See Article 33.
Right to Access
EU data subjects have the right to obtain from the data controller confirmation as to whether or not their personal data is being processed, where, and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. See Article 15.
Right to Be Forgotten
Also known as data erasure, the right to be forgotten entitles EU data subjects to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties stop processing the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or data subjects withdrawing their consent. Note that when considering such requests, this right requires controllers to weigh subjects' rights against "the public interest in the availability of the data". See Article 17.
Data Portability
Data portability is the right for EU data subjects to receive their personal data, which they have previously provided, in a "structured, commonly used and machine-readable format". Data subjects have the right to transmit that data to other controllers. See Article 20.
Privacy by Design and by Default
Controllers should hold and process only the data absolutely necessary for the completion of their duties (data minimization). Privacy by design also calls for controllers to limit access to personal data to only those who need it to carry out its processing. See Article 25.
To help you comply with GDPR requirements, Extreme Networks incorporated several new capabilities into ExtremeCloud IQ and will introduce more in forthcoming releases. The following are GDPR-related tasks and links to relevant Help topics:
Note
Because the current network use policy in the default captive web portal does not include statements about data collection, it fails to satisfy GDPR requirements as is and must be customized. Extreme Networks intends to provide revised text in another release before GDPR enforcement goes into effect on May 25, 2018.
For more information, see the following websites:
http://www.privacy-regulation.eu/en/index.htm: A table of contents linking to the 99 articles that constitute the GDPR
https://gdpr.eu/: A portal to various resources about GDPR such as FAQs, article summaries, and links to related articles and sites
https://ec.europa.eu/info/law/law-topic/data-protection_en: The section about data protection on the European Commission website
https://gdpr.algolia.com/: The official text of the GDPR chapters, articles, and recitals searchable through the Algolia search engine
Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.