Podcast Episode 001: What is GDPR?
Full Episode Transcript
You probably heard about the acronym back in May when the new regulation took effect. Some of the buzz has died down, but you’re seeing lots of marketing, lots of noise on how complex it is, how it’s going to change how business operates. I just want to do a quick session here so that we can cut through the noise and help you have a better understanding of okay, what is GDPR.
With that we’re going to get started. Why don’t we go over some quick facts first? One, what does it stand for? GDPR, it stands for General Data Protection Regulation. Like I said, it took effect back in May of 2018. Basically it’s a data protection law, a data privacy law, that was passed by the EU, the European Union. It impacts all organizations that hold data about EU citizens.
You might be wondering, all right, did this regulation just pass out of the blue? Was there something that it replaced? You should know that it actually replaced the Data Protection Act of 1998.
I’m based here in the US and historically, our friends in Europe have been the leaders as it relates to data privacy matters. GDPR actually builds on a previous regulation that they had. This previous regulation, it was called the Data Protection Act of 1998. With the passing of GDPR, it actually builds on what used to be in place.
10 years later, there have been a number of changes that I would say triggered our friends in Europe to pass GDPR. Let’s cover a few of those.
One, since the passing of the Data Protection Act, there has been heavier reliance on technology. I don’t know about you, but I actually use technology more and more. Whenever there is a power outage, whenever there is an internet outage, it actually impacts my day. It introduces a level of inconvenience. Of course, this is first world problems, but it just goes to show yes, if power goes down, if the internet goes down, it impacts how we carry out our day and it starts to introduce, for the most part, inconveniences. That’s one of the reasons that GDPR was passed.
Another reason that GDPR was passed was this heavier use of mobile devices. I can remember that even a year ago I wasn’t relying so much on my phone as I do today. For example, yesterday I had to make a trip over there to downtown. I’m based here in Chicago. I used my phone to, one, figure out what’s the fastest route to get to my destination. I pulled up my phone to make a reservation for my parking spot so that I don’t have to be driving blocks and blocks to find a decently priced spot. I prepaid that through my phone, and as I was driving, I downloaded a podcast. That just goes to show I wasn’t relying on my phone this much even a year ago. The same way that I’m relying more on mobile technology, others have as well.
Another reason that GDPR was passed, so there has been this increased collection of data about people, about our lifestyle, our preferences, our behavior, our habits, and with that there has been lots of investment by organizations to collect this information, make sense of the information, and try to make better decisions as it relates to what they’re selling or what service or product they may be providing.
These are just some of the reasons, some of the things that triggered GDPR to be passed and to build on the Data Protection Act of 1998. At the end of the day, it’s looking to provide you, me, everyone with more control over the use of personal information about us.
This particular law applies to protecting the security and the privacy of personal information for EU residents and citizens, but I have a feeling that the other countries, the other geographies will follow suit and we will probably be passing similar legislation in the future. It’s only a matter of time.
Just thinking about it from a consumer perspective, this is what that actually means. GDPR is looking to allow a person to determine “All right, how can an organization use data about me.” It also provides the person with transparency, more transparency around how organizations are gathering information about you, where they’re receiving it from, and how they are using it.
With that transparency also comes this choice. GDPR provides individuals with choice as to how you want organizations to use your personal information. In future sessions we’ll talk more about the consents that are available. We’ll talk more about the individual rights that GDPR affords, but at the end of the day it’s looking to just provide more transparency to the consumers as to how companies, how organizations are using information about us and it’s providing that transparency so that as a consumer we can choose if we want to continue to do business with another organization. We have the choice to decide if we fill out any type of form that collects any information about us.
If you’re listening, you might be at an organization that knows that GDPR applies to them. You might be at an organization where you have heard about the acronym but you’re not quite sure if it applies to you and, if it does, to what extent and what that actually means. As part of this episode and future episodes we’re going to be talking a little bit more about what GDPR actually means, how we go through the process of educating ourselves so that we can help implement this correctly at our organizations, and provide you with a step by step process, a roadmap, so that you understand all right, what are the steps that I have to follow. What’s my first step? How do I carry that out? Then once I complete that, what is my next step and my next step and my next step?
Over the last year I’ve seen lots of articles, lots of blog posts, just repeating information that I’ve already heard. I think that as individuals that are looking to help our organizations become GDPR compliant, we need more resources around “okay, what does that actually mean?” and “how do I get started?”
Just a little bit about myself. I am based here in Chicago. I have been in the IT tech space for the last, I don’t know, 10 to 15 years. I am a data security consultant and GDPR has been something that my clients have been asking about and needing help with over the last year. I’ve been involved in similar data security and data privacy initiatives in the past, so think HIPAA, think PCI, think GLBA, FERPA. My goal here with GDPR Stand Up is to provide you with practical information. I’ve gone through this process with other laws and regulations. I’m looking to share that with others.
Before we close out this session, I want to cover what I think is something that is very important. It may not be clear if GDPR applies to your organization or not. There are two ways that you can overcome that. One, you can reach out to your legal counsel and just ask them: “Hey, does GDPR apply to us?” Depending on your organization, you might have access to a legal team. You might not. If that is not an option for you at this time, there are three questions that I came up with that should help you determine that.
These are the three questions. If you answer yes to any of these three questions it means that GDPR very likely applies to you and it makes sense for you to continue doing your due diligence.
Let’s start off with the first question. Are you located in the EU? Now, taking a step back here, GDPR applies to organizations. This could be a company. This can be a for profit company, a not for profit organization. The question is: is your organization located in the EU?
The second question. Do you service the EU market? I work with lots of organizations that are based here, in the US, but they have an international presence. If your organization is servicing the EU market, the European Union, then it probably means that GDPR applies to your organization.
Number three. Do you hold information about a living person that is from or living in the EU? What would be a good example? There are lots of organizations that may not collect information directly. An organization may be receiving and collecting data about EU residents or citizens. They may not be receiving that directly from the individuals, but they may be receiving that through a third party partner. If your organization receives personal data about EU citizens or residents, and you may be obtaining that through a third party partner, then GDPR is very likely to also apply to you.
Again, the three questions are one, are you located in the EU, your organization? Two, do you service the EU market? Three, do you hold information about a living person that is from or living in the EU? If you nodded yes about any of these three questions, continue with your due diligence because it’s very likely that GDPR does apply to your organization.
If and when you have access to legal counsel engage them in that conversation so that you have the most correct information and so that you can make the informed decisions about what you do next as it relates to GDPR.
Let’s assume that you answered yes to one or more of those three questions. You might be wondering all right, what kind of data does GDPR apply to. Does it apply to all data I’m collecting? Data about people? Data about my products? My services? My employees? Where do I need to focus?
GDPR extends or applies to two types of data. The first type would be personal data. The second type would be special categories of personal data. For the first one, what would that include? Think of any piece of information that can be tied to a person. Some examples of data that would be classified as personal data under GDPR are things like a person’s name, some type of account number, some type of identifiers such as your email address, where the person lives, so anything that can be tied to a person. That would be classified as personal data.
For special categories of personal data, this goes beyond that. Think of any piece of information that would reveal things like political opinions, religious affiliations, memberships to specific trade unions, information about your sex life or preferences, things like that. If you answered yes to one of the three questions and then, as I read aloud the examples of what would classify as personal data or special categories of personal data, I hope that gives you a better idea as to okay, GDPR is not going to impact every piece of data that you collect as an organization, but very specific ones.
All right, so to wrap up, you might be finding that this was beneficial. I hope that it was. You might be wondering all right, what do I do next. All right, so I have two steps for you. The first one is we have great resources on our website. Just check us out, GDPRStandup.com.
There are two resources that I would point you to. The first one is 10 GDPR Components. What’s that? That’s just a visual. It’s something that I prepared as I was starting to learn this myself. It’s basically GDPR broken down into 10 chunks. That will give you a good idea as to what are all the chunks that make up GDPR so that you can start to have an idea of the different things that might apply to your organization.
Next, you can check out our free course, our FREE GDPR Data Inventory course. If you go to our website and you just scroll to find the button that says free data inventory course, you can sign up for free. What is this? Think of the data inventory as that first step. Before any organization starts to implement GDPR in house, I strongly recommend that you don’t overlook this initial step. It’s important to put together a data inventory because what’s inside your data inventory is what will ultimately control which of the 10 GDPR components applies to your organization.
Now, it’s a common misconception that all organizations will have to do all things that are written in GDPR. That is not correct. GDPR has a number of requirements, but not all of the requirements are required for all organizations and the only way that you can start to determine what applies to me and what does not is by putting together a data inventory.
If you go to our website, you can sign up for that free course and we can get you started with your GDPR compliance journey. All right, so that is it for today’s session and just so you know, at the end here, I’m going to add a link in the comments section in case you have any question and you want to submit that. We’re going to be having future episodes with Q&A from our listeners and if there’s a question that you want me to tackle, just click on that link. That’ll direct you to a Google form. Enter in your question and we’d be happy to cover that in a future recording.
Thank you very much for your time and I’ll see you next time. Goodbye.
Links and resources mentioned in this episode:
- GDPR Stand Up Website: gdprstandup.com
- The 10 GDPR Components
- The GDPR Implementation Blueprint
- Join the GDPR Stand Up Virtual Community
- Free GDPR Data Inventory Course: http://gdprstandup.com/free-course/