Acknowledgements
It is a great gift to have the opportunity of working with such an inspiring educator as Bill Buchanan, without whom this book would not have been written; thank you Bill!
Thank you to Edinburgh Napier University, whose commitment to helping students achieve their highest potential has been on clear and constant display. A special thanks to the lecturers in the Business School, Faculty of Law, and to Mr Ken Dale-Risk, who patiently listened to many questions over the years.
There are key moments in life where someone else encourages us to believe in ourselves. My college lecturer, Ms Alison Bruce, urged me to have confidence in my abilities and helped me stay the course. Thank you, Alison!
To Anna and Dave: Thank you for your patient, stable, and wise support. Most importantly, Tiberius and Freya, who endured many months of data protection chats and ready meals: you guys are Awesome! Thank you!
Antoni
It has been a great experience diving into the world of data protection, but none of this could have been possible without the people in my life.
I would like to start by thanking the most important people in my life: my love Antoni, who joined me on this journey, and the two brightest stars in my life, Tibs and Freya.
A special thanks to Bill and Napier University, who presented me with this great opportunity, and John, the best cheerleader you could ask for; we should do dinner!
And finally, for my grandmother, who always cooked with love: God bless you.
Connor
Chapter 1: The GDPR Fundamentals
DOI: 10.1201/9781003338253-2
At a Glance:
- History of data protection and collection
- Personal data and its worth
- Rights of the natural persons under the GDPR
- Six Principles of the GDPR
Case Study: Cambridge Analytica
Learning Outcomes: Students should be able to
- Understand the six principles underpinning the GDPR and their relevance in legislative compliance.
- Describe the rights of the data subjects and when and how they apply.
- Explain the value and uses of personal data and the potential consequences to the individual of its misuse.
Key Terms
- Natural Persons
- Personal Data
- Data Subject
- Data Controller
- Data Processor
- Rights and Principles
- Data Minimisation
- Lawful Basis
A Brief History of Data Collection and Data Protection
Governments and institutions have been collecting personal data on their citizens since the beginning of recorded history. During the times of the Roman Empire, taxation records were kept, including the names, addresses, and incomes of Roman citizens. These records were consolidated and used for various purposes, depending on the desires of the emperor at the time. One thousand years later, the Domesday Book of 1086 AD was instigated by William the Conqueror in an attempt to clarify the rights to property and assets after the Norman conquest of England and Wales. It was the greatest survey of a nation's people and assets ever undertaken in Europe until that time, and the personal data collected was used for taxation purposes.
The interception of personal correspondence in the national interest has a long and royal pedigree. In 1516, during the reign of Henry VIII of England, the first Master of the Posts was appointed. This early form of postal service delivered royal mail, quite literally the mail for the king and his court. The convenience offered by this new service was offset by the knowledge that the letters would very likely be read by agents of the king. Later, in 1660, the General Post Office was established under the Reformation king Charles II, simultaneously establishing the Secret Office within the GPO, whose sole role was to spy on foreign correspondence entering and leaving England.
In modern times, there has been an evolving recognition that individuals need to be protected from the misuse and abuse of their personal data, especially by governments and powerful organisations. In 1950, the European Convention of Human Rights enshrined the Right to Respect for Private and Family Life (Article 8). This right includes the home and private correspondence as areas for protection within an individual's family and private life.
Building on this right, the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981 was introduced. This was the first internationally adopted law specific to data protection, with the clear aim of protecting the privacy of personal data. In 1995, the European Union Directive 95/46/EC on the protection of individuals regarding the processing of personal data and on the free movement of such data was enacted. Known as the Data Protection Directive, it was the central piece of legislation on the protection of personal data in the EU and stipulated the requirement for explicit consent to the collection of personal data from the individual concerned.
The Charter of Fundamental Rights of the European Union included the protection of personal data as a fundamental right. Despite the clear intention to protect personal data, by 2012 it had become clear that the fragmentary nature of data protection legislation needed reform, and the Commission of the EU published its suggestions. After three years of negotiations, the European Parliament and the Committee of the EU (made up of ambassadors from the 28 member states) finally agreed to the new regulation, and it became law in 2016.
Article 8(1) Article 16
The GDPR
The General Data Protection Regulation (GDPR) is the latest legislation on data protection arising from the European Union and came into effect in May 2018. It is designed to update the existing legislation to make it relevant to current technological trends and to bring conformity of compliance across the EU. There are three main objectives: to reinforce the protection of personal data for individuals, to assist the free flow of data within the single market (EU), and to reduce administrative burden. The situation within the EU Member States, prior to the introduction of the GDPR, was one of many fragmented and divergent sets of data protection laws relevant to each country. The harmonisation of data protection legislation across the EU allows for greater ease in the flow of data across the Union. It also allows for a specific authority to be nominated in each Member State, which creates a single point of reference for individuals and organisations. Member States may include specific additions to their local data protection laws, to provide further rights to their citizens.
Whilst similar to previous data protection legislation, the GDPR enhances the rights of Data Subjects and introduces enforceable new rights. Children are given a specific category of protection which acknowledges their vulnerability to the risks of sharing personal data, especially online. Children are also significantly less likely to know their rights regarding the processing of personal data.