GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
GDPR’s running emphasis on data protection via data security it is implicitly encouraging the use of encryption above and beyond a risk reduction technique. Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.


  1. Tomi Engdahl says:

    Mark Scott / Politico:
    Activists and some legislators say that a GDPR-like bill to give Washington state some of the toughest privacy standards in the US was diluted by tech lobbyists

    How lobbyists rewrote Washington state’s privacy law

    Washington state was writing European-style legislation. Then corporate lobbyists got involved.

  2. Tomi Engdahl says:

    GDPR Conformance Does Not Excuse Companies from Vicarious Liability

    The UK supermarket chain Morrisons’ legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU’s General Data Protection Regulation (GDPR).

  3. Tomi Engdahl says:

    Steve Ranger / ZDNet:
    UK’s tax authority to delete records of ~5M people from its Voice ID biometric voice security system because it did not have clear user consent, violating GDPR

    HMRC to delete five million biometric voice records

    ‘Biggest ever’ deletion of biometric data by government comes after HMRC obtained data “unlawfully” according to privacy regulator.
    Steve Ranger

  4. Tomi Engdahl says:

    UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs
    Yes, yes, yes, we’ve told the ICO we are doing so, says HMRC

  5. Tomi Engdahl says:

    Pitääkö data poistaa nauhaltakin, jos joku pyytää? – näin gdpr vaikuttaa varmistusnauhoihin

    EU on säätänyt kansalaisille mahdollisuuden vaatia verkkopalveluilta omien tietojensa poistamista.

    Tallennuslaitteita myyvän MultiComin toimitusjohtajan Timo Danilotschkin mukaan tietojen poistamiseen liittyy dilemma: tietojen säilyttämisvelvollisuudet voivat olla ristiriidassa EU:n suoman oikeuden tulla unohdetuksi kanssa.

    ”Jos datanpoistopyyntö on oikeutettu ja niin tehdään, voidaan samalla loukata tiedon historiallista eheyttä koskevia tai muita säädöksiä, kuten esimerkiksi kirjanpidon talleaikoihin liittyviä säädöksiä. Myöhemmin voisi olla oikeustapaus, jossa tarvitsisi todistaa, että mitä tallennettu tieto oli aiemmin, niin silloin jouduttaisiin ongelmiin, jos tietoa on jälkikäteen käpälöity”, Danilotchkin selittää.

    Ainoa käytännöllinen tapa noudattaa molempia säädöksiä samaan aikaan olisi pitää operatiivinen ja varmistuskäytössä oleva data erillään.


Leave a Comment

Your email address will not be published. Required fields are marked *