GDPR Request Form


GDPR Regulations


The General Data Protection Regulation, or the GDPR, is a European Union legal instrument ensuring the protection of individuals regarding the processing of personal data and on the free movement of such data.


After entering into force on 24 May 2016, it will become binding and directly applicable in its entirety in all Member States of the European Union on 25 May 2018.

The GDPR requires that those who engage in the processing of personal data comply with its provisions and confers important rights on individuals whose personal data are being processed.


Both natural persons and legal persons, including companies and governments, that are involved in the processing are required to act in accordance with the regulation.


Possible non-compliance could cost those involved significant amounts of money and lead to court proceedings and reputational damage.

Who does it impact?

Companies and others who deal with personal data can be based outside the EU but, when they process personal data of EU citizens or residents, they are expected to organise their activities in line with the GDPR.

The regulation is also applicable to those who have an establishment in the EU and are involved in the processing of personal data.

It means that many individuals, corporations, public authorities and others are significantly affected by the GDPR and need to be aware of its complexities and requirements.

In May 2018, the existing Data Protection Laws are being enhanced to further protect individuals regarding the processing of personal data.

This enhanced protection is called ‘The General Data Protection Regulation’ or ‘GDPR’.

The GDPR will repeal Data Protection Directive 95/46/EC.

What is GDPR?

Let’s first deal with some of the basics of the GDPR, for example, Who is this regulation about? When does it apply and when doesn’t it? Who does it apply to?

How did it come about?

In January 2012, the European Commission set out plans for data protection reform across the European Union to make Europe ‘fit for the digital age’. Almost four years later, agreement was reached on what that involved and how it will be enforced.

One of the key components of the reforms is the introduction of the General Data Protection Regulation (GDPR). This new EU framework applies to organisations in all Member States and has implications for businesses and individuals across Europe, and beyond.

“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information”

Andrus Ansip – Vice-President for the Digital Single Market

So what is GDPR actually?

GDPR is a new set of rules designed to give citizens more control over their data. It aims to simplify the regulatory environment for business so both citizens and businesses can fully benefit from the digital economy.

The reforms are designed to reflect the world we’re living in now, and bring laws and obligations across Europe up-to-speed for the internet-connected age.

Fundamentally, almost every aspect of our lives revolves around data. From social media companies, to banks, retailers, and government, the vast majority of services we use involves the collection, analysis and perhaps most importantly of all, storage by organisations, of our personal data – including our name, address and credit card number.

What is GDPR Compliance?

Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it – and those people often have malicious intent.

Under the terms of GDPR, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.

Who does GDPR apply to?

GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU.

That ultimately means that almost every major corporation in the world will need to be ready when GDPR comes into effect, and must start working on their GDPR compliance strategy.

There are two different types of data-handlers the legislation applies to: ‘Controllers’ and ‘Processors’.

Controllers

A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”.

Processors

The processor is the “person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of processing personal data on behalf of the controller”.

If you are currently subject to the Data Protection Act, for example, it’s likely you will have to look at GDPR compliance too.

You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

GDPR ultimately places legal obligations on a processor to maintain records of personal data and how they are processed, providing a much higher level of legal liability should the organisation be held in breach.

Controllers will also be forced to ensure that all contracts with processors are in compliance with GDPR.

What is personal data under the GDPR?

The types of data considered personal under the existing legislation include name, address, and even photos.

GDPR extends the definition of personal data so that something like an IP address can be considered as such. It also includes sensitive personal data such as genetic data, and biometric data which could be processed to uniquely identify an individual.

Key Concepts of the GDPR

There are many concepts and definitions laid down in the GDPR that should be explained.

In accordance with Article 4 of the GDPR, the notion of “personal data” refers to any information relating to an identified or identifiable natural person called “a data subject”.

EU Data Commission

“Any information”

In the definition provided above, “any information” means any information, such as names, genders, occupations and other types of data, that is available in different forms, including alphabetical, numerical and graphical, and is kept on paper or stored in computers or in any other manner.

“Relating to”

“Relating to” means that the information must relate to an individual: in other words, it must be about that individual.

The Article 29 Data Protection Working Party stressed that information relates to an individual if it refers to the identity, characteristics or behaviour of an individual, or if such information is used to determine or influence the way in which that person is treated or evaluated.

Article 29 Data Protection Working Party

“An identified or identifiable natural person”

“An identified or identifiable natural person” or a data subject is a natural person that is regarded as “identified” within a certain group of people if he or she is distinguished from all the other group members.

GDPR states that a natural person is identifiable when it is possible to identify him or her, directly or indirectly, by reference to certain identifiers, such as:

A name, an identification number or location data, or one or more factors that are specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing of Data”

The “processing” of personal data refers to an operation or operations performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording and structuring.

In the category of special or sensitive personal data addressed in Article 9 GDPR, the following types of information relating to an identified or identifiable Natural Person are all listed:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic data

  • Biometric data used to uniquely identify natural persons

  • Health data

  • Data concerning individuals’ sex life or sexual orientation

Key definitions

The following definitions are crucial to understanding the General Data Protection Regulation.

This list is not exhaustive, but it covers the key definitions you need to be aware of.

Natural Person

Essentially a living person who is an EU Citizen, or, a non-EU Citizen living in the EU.

A Natural Person may also be referred to as a Data Subject.

Child

For the purposes of GDPR, a Child is a Natural Person who requires parental consent, usually if they are below 16.

EU Member States can, however, reduce the requirement for consent to those no younger than 13 (i.e. if the Natural Person is over 13, parental consent would not be required).

Personal Data

Any information relating to an identified or identifiable Natural Person (or ‘Data Subject’).

An identifiable Natural Person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number or location data.

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, etc.

Profiling

Any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour.

Consent

Freely given, specific, informed and explicit consent by statement or action, signifying the data subject’s agreement to the processing of their personal data.

Consent must relate to specific processing operations.

Consequently, a general broad consent to unspecified processing operations as they might arise will be invalid.

Data Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

If your organisation controls and is responsible for the personal data which it holds, then your organisation is a Data Controller.

As a Data Controller you must comply with GDPR, be able to demonstrate compliance, and keep records of personal data and processing activities.

You will have legal liability if you are responsible for a breach.

Data Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities.

If held responsible for a breach, organisations will be subject to legal liability.

EU Member State

Any country party to the founding treaties of the European Union (EU) and thereby subject to the privileges and obligations of membership.

Member States are subject to binding laws in exchange for representation within the common legislative and judicial institutions.

Third Country

Any country which is not an EU Member State (e.g. USA, India, or China).

Supervisory Authority

The regulator within a European country who will provide regulatory oversight for GDPR, provide guidance and advice and, where necessary, impose corrective actions or administrative fines.

Information Security

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Protection Impact Assessment

An assessment of the impact of the envisaged processing operations on the protection of personal data and the rights and freedoms of natural persons.

Subject Access Request (SAR)

A request, made by a natural person, to access personal data held by a controller or processor.

An individual is entitled to obtain a copy of personal data held relating to them, within one month of the initial request.

Data Protection Officer

A person with expert knowledge of data protection law and practices who assists the controller or processor to monitor internal compliance with GDPR.

Data Protection Officers, whether they are an employee of the controller or not, should perform their duties and tasks in an independent manner.

Privacy by Design

A principle that calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition to that system.

This means that appropriate technical and organisational measures should be taken to ensure all six data protection principles are built into the design of any new system or initiative – not just tagged on at the end.

This includes internal projects, product development, software development, IT systems, and much more.

It’s important from the outset to only include the minimum data required.

Six data protection principles form the basis of the processing of personal data and are of crucial importance. This processing must be based on these principles.

Lawfulness, fairness and transparency

The first principle concerns lawfulness, fairness and transparency. It requires that Personal Data is processed in a lawful, fair and transparent manner in relation to Data Subjects.

Transparency implies that any information and communication concerning the processing of personal data must be easily accessible and easy to understand.

Also, clear and plain language needs to be used in this regard. More specifically, this principle ensures data subjects receive information on the identity of controllers and purposes of the processing of personal data.

Purpose Limitation

The second principle is that of purpose limitation. It means that personal data can be collected only for specified, explicit and legitimate purposes and it is not allowed to process them further in a way that is not compatible with those purposes.

One should bear in mind, however, that further processing for the purposes of the public interest, scientific or historical research or statistical purposes is not considered as incompatible with the initial purposes and is therefore allowed.

Data Minimisation

As the third principle, we need to refer to data minimisation. According to this principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Essentially, it means that data cannot be processed unless it is needed in order to achieve the above-mentioned purposes.

Accuracy

Accuracy is the fourth principle meaning that it is required to ensure that personal data is accurate and is kept up to date where it is necessary.

Personal data that is inaccurate – considering the purposes for its processing – must be deleted or rectified without any delay.

Storage Limitation

The fifth principle is storage limitation. It entails that personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing.

Storing data for longer periods is allowed when the processing of the data will aim at achieving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Nevertheless, also in these cases rights and freedoms of data subjects must be safeguarded.

Integrity & Confidentiality

Finally, the sixth principle of integrity and confidentiality requires that in the processing of personal data, appropriate security of personal data is ensured.

This should include protection against unauthorised or unlawful processing, destruction and damage. Appropriate technical or organisational measures are to be taken in order to comply with this requirement.

Such data security measures can include the use of encryption and authentication and authorisation mechanisms.

Overview of individual rights

The GDPR extends a number of existing individual rights which individuals can exercise against controllers, as well as introducing a number of new rights.

The focus on individual rights, and on the transparency and accountability principles which underpin all of the GDPR, put individuals and their rights at the heart of the GDPR.

Controllers will need to consider all aspects of their processing activities in light of the rights afforded to individuals, so that they will ultimately be in a position to demonstrate compliance not only when individuals seek to exercise those rights, but with their overall obligations under the GDPR.

Right to be Informed

  • The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice;
  • It emphasises the need for transparency over how you use personal data;
  • The GDPR sets out the information that you should supply and when individuals should be informed;
  • The information you supply is determined by whether or not you obtained the personal data directly from individuals;
  • The information you supply about the processing of personal data must be:
    • concise, transparent, intelligible and easily accessible;
    • written in clear and plain language, particularly if addressed to a child;
    • free of charge.

Right of Access

  • Individuals have the right to access their personal data and supplementary information;
  • The right of access allows individuals to be aware of and verify the lawfulness of the processing;
  • Under the GDPR, individuals will have the right to obtain:
    • confirmation that their data is being processed;
    • a copy of the personal data held by the data controller – within 30 days of their request;
    • access to their personal data, and;
    • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.

Right to Rectification

  • The GDPR gives individuals the right to have personal data rectified;
  • Individuals are entitled to have personal data rectified if it is inaccurate or incomplete;
  • If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible;
  • You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

Right of Erasure

  • The right to erasure is also known as ‘the right to be forgotten’;
  • The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

The right to erasure does not provide an absolute ‘right to be forgotten’.

Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
  • When the individual withdraws consent that was previously supplied;
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR);
  • The personal data has to be erased in order to comply with a legal obligation;
  • The personal data is processed in relation to the offer of information society services to a child.

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress.

However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

Right to Restrict Processing

  • Individuals have a right to ‘block’ or suppress processing of personal data;
  • When processing is restricted, you are permitted to store the personal data, but not further process it – without the express consent of the data subject before the processing takes place;
  • You can retain just enough information about the individual to ensure that the restriction is respected in future.

Right to Data Portability

  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services;
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability;
  • It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract, and;
  • when processing is carried out by automated means.

Right to Object

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling), and;
  • processing for purposes of scientific/historical research and statistics.

Individuals must have an objection on “grounds relating to his or her particular situation”.

You must stop processing the personal data unless:

  • you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual, or;
  • the processing is for the establishment, exercise or defence of legal claims.

You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.

This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

Rights in relation to Automated Decision-making and Profiling

  • The GDPR has provisions on:
    • automated individual decision-making (making a decision solely by automated means without any human involvement), and;
    • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
  • The GDPR applies to all automated individual decision-making and profiling.
  • You can only carry out this type of decision-making where the decision is:
    • necessary for the entry into or performance of a contract, or;
    • authorised by Union or Member state law applicable to the controller, or;
    • based on the individual’s explicit consent.
  • You must identify whether any of your processing falls under Article 22 – ‘Automated individual decision-making, including profiling’, and, if so, make sure that you:
    • give individuals information about the processing;
    • introduce simple ways for them to request human intervention or challenge a decision;
    • carry out regular checks to make sure that your systems are working as intended.