Day 2 of Gartner Security & Risk Management Summit 2018 is underway, and the Terranova Team is engaging in thought-provoking dialogues regarding the GDPR.
At present, an important debate is stirring in the EU community at large, including corporations and governmental organizations: Who are data subjects?
Answers vary. Some argue that data subjects consist of persons who reside in the EU. Others emphasize that the concept solely involves EU citizens. Another party stresses that data subjects undeniably involve both EU residents and citizens.
The GDPR has been in effect for a little more than a week now, since May 25, and your business has the responsibility and obligation to secure the information of EU data subjects – whoever they may be.
Article 4.1 of the GDPR provides the following definition:
“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, [via] a name, an identification number, location, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Interestingly, the above description struggles to demonstrate what constitutes data subjects, providing ample room for multiple interpretations. Arguably, the single element that is somewhat clear is the concept of “natural persons,” implying that organizations or companies cannot be considered data subjects under the GDPR. However, any further effort to define the notion remains obscure.
Are we talking about EU citizens or residents?
Although the GDPR does mention EU citizens, albeit on a single occasion – as it was originally intended to replace the EU’s Data Protection Directive – it provides neither a supplementary explanation nor any context. Therefore, if the answer is indeed citizens, then we might ask: what is the scope of applicability? If EU citizens are temporarily residing in a non-EU country, are they still covered by the GDPR?
In contrast, if the GDPR involves EU residents, we might ask: what constitutes residents? Are we talking about legal residents or all residents, including temporary residents, such as travelers and international students? Finally, if non-EU residents have their personal data processed within the EU – by purchasing goods and services – are they to be considered data subjects? The degree of interpretation is troublesome.
It is our understanding that this particular debate will continue to stir conflicting arguments across the spectrum of interpretations. Behind closed doors, legal departments, appointed counsels, and Data Protection Officers (DPOs) have the responsibility to make sense of the EU legislation and find common ground.
It is expected that, in the next six months, legislative authorities will decide to modify the original GDPR document with an addendum so as to provide supplementary clarification of the actual definition of ‘data subjects.’
A Question Remains
Why haven’t authorities anticipated this conversation? The GDPR has been in the works for the past two years. Yet, notions like ‘data subjects’ remain obscure. Considering the severity of consequences for non-compliance, the GDPR presents many gray areas that can lead to misinterpretation and misunderstanding – such is the case with ‘data subjects.’ Food for thought!