What is GDPR?

Saumil Pandey

Mar 21, 2019

Subscribe

GDPR De-mystified with an Industry Expert

May 25, 2019, marks the one-year anniversary of the landmark implementation of the European Union (EU) General Data Protection Regulation (GDPR).

The GDPR has made a significant global impact on the collection, use, and processing of personal information. Regardless of where a business is located geographically, GDPR applies to all organizations and businesses involved in selling goods or providing services to citizens in the European Economic Area (EEA).

While we all hear about GDPR in different ways, it’s hard to find what exactly it is and how we should comply.

We reached out to Ken Stineman, Data Protection Officer at Scaled Inference and an expert in Legal and GDPR issues, to get GDPR de-mystified.

What is the GDPR?

The EU GDPR legislation was designed to harmonize data privacy laws across Europe and grant greater data protection rights to citizens. The GDPR framework sets guidelines for the collection, processing, and protection of personal information, and rights of individuals in the EU with respect to their personal data.

The GDPR regulates the processing of “Personal Data” for EU individuals, which includes collection, storage, transfer, and use of information.


What is Personal Data?

Personal data, as defined by GDPR, broadly means information that can be used to identify a person. That information can be a combination of name, email address, home address, phone number, mobile device information, date of birth, registration identifier, location data, IP address, as well as other identifying information.

The GDPR additionally describes sensitive, special category personal data, including race, ethnic origin, religious or philosophical beliefs, genetic data, biometrics for identification, health data and medical records, sexual orientation, and criminal conviction and offense data.

The GDPR legislation protects other personal data as well, including financial information, social media posts, advertising identifiers, and photo images.

What is Pseudonymized Data?

Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual. Pseudonymisation can involve replacing names or other identifiers with, for example, a reference number or ID.

The use of pseudonymised personal information reduces privacy risks for data subjects by making it more difficult to identify individuals but is still considered personal data under the GDPR.

Scaled Inference encourages its customers to send pseudonymised rather than direct identifiers when using Amp.ai by using a secondary identifier, hash, or other indirect code, such that they are the only entity who has the ability to re-identify any individual.

What are the key GDPR concepts for handling Personal Data?

Lawfulness of Processing

Article 6 of the GDPR requires that companies processing identifiable information must be transparent about the types of personal data which they collect, the purposes for which, the personal data may be used, and entities to whom the information may be disclosed. There are six lawful basis for processing the information of individuals including: consent, contracts, legal obligation, vital interest of the data subject, public interest, and legitimate interest.

Scaled Inference explains in its privacy statement the legal basis it uses for processing, retention periods, and that individuals have a right to complain to the supervisory authority.

Consent

Under the GDPR, processing of personal data may only be performed when allowed by law or where the data subject has explicitly consented to the processing.

Consent must be freely given, unambiguous, and by a clear affirmative act. Where not covered by a written contract, Scaled Inference uses an “opt-in” checkbox or similar acknowledgment for job applications, marketing, webinars, and other data collection so there is no confusion about the information that will be processed.

Data Minimisation and Purpose Limitation

The GDPR requires that personal data can only be collected for specified, explicit, and legitimate purposes. Such data can only be used for those described purposes and no other, without further consent.

Scaled inference only collects personal data that is necessary for the purpose of our business functions, products, and services. Scaled Inference limits the use of the data it collects only to the purposes that are stated, takes steps to prevent improper use and disclosure of information, and explains the period for which the data will be retained.

Data Protection by Design

Article 2 of the GDPR requires Scaled Inference to take a proactive approach to data protection and anticipate privacy issues and risks through the design and development process of a new product, services, and projects.

Security Measures

The GDPR requires the implementation of appropriate technical and organizational measures to ensure confidentiality, integrity, and confidentiality appropriate to the risks of the specific personal information, including pseuodonymisation and encryption of data.

Scaled Inference end-to-end “security-by-design” measures and controls throughout the data lifecycle to ensure the ongoing confidentiality, integrity, and availability of data.

Scaled Inference considers the security of both customer and individual information from start to finish. Both personal information and customer information is secure and protected when it enters the system, is retained safely, and then properly destroyed.

At Scaled Inference, we have strict security processes and controls in place and our infrastructure providers have security certifications including the International Organization for Standardization (ISO) 27001 and the American Institute of CPAs (AICPA) System and Organization Controls (SOC) trust standards. Scaled Inference has entered into Data Protection Agreements that ensure its providers also adhere to GDPR standards and requirements.


Security measures at Scaled Inference include role based access, 2-factor authentication, strong encryption of data-in-transit and at-rest, 24x7 security guards, vulnerability scanning, data backup, network monitoring, and disaster recovery plans.

Breach Notification

If there were ever a breach of confidential personal information, a data controller must notify the relevant data protection authority “without undue delay” and where feasible, within 72 hours of having become aware of the breach.

When the personal data breach is likely to result in a high risk to the rights and freedoms of an individual, the controller must also communicate the personal data breach to the data subject without undue delay.

Scaled Inference has a Security Incident Response process, takes measures to mitigate known risks and vulnerabilities, and written processes for breach notification.

What are Individual Rights Under GDPR?

Under the GDPR, citizens of the EU have the right to consent, reject, erase, and control private information that companies collect for business purposes. Individuals have more control over what information they share with companies and how companies can make use of such information.


Right to be Informed: A key transparency requirement under the GDPR is informing individuals about the collection and use of their data.

Right of Access: Gives individuals the right to obtain a copy of their personal data as well as information about the purposes of processing.

Right of Rectification: Right to have inaccurate personal data corrected and the right to make a complaint.

Right to Restrict Processing: Under certain circumstances, an individual can limit the way that an organisation uses their data. Individuals also have rights in relation to automated decision making and profiling.

Right to Erasure: The right to erasure is also known as ‘the right to be forgotten’. An individual has the right to have their personal data erased, including records in a mailing list, database, or backup copies.

Right to Object: An absolute right to stop their data from being used for direct marketing.


Accountability

The General Data Protection Regulation (GDPR) has codified the accountability principle in Article 24, which requires that organizations implement appropriate technical and organizational measures to be able to demonstrate their compliance with the Regulation.

The accountability requirement includes the implementation of appropriate data protection policies and the periodic review of those policies and procedures.

To that end, Scaled Inference has developed a privacy and security program with written policies and procedures for the protection of customer and personal information.

Scaled Inference has a culture of compliance, training, code of conduct, and processes to meet the goal of privacy by design and by default. We have appointed a data protection officer and have a security incident response team to be able to respond to issues.

Please reach out to privacy@scaledinference.com with additional questions regarding GDPR.