Last year, before GDPR took effect, the company I work for was going through compliance and GDPR was at the top of our minds. So I decided to familiarise myself with the new set of laws and their implications.
Here is a link to the original paper last edited April 13, 2018
What is GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organisations across the region approach data privacy.
The Regulation includes provisions that promote accountability, so the DPC (Data Protection Commissioner) advises organisations to make an inventory of all the personal data they hold and examine it under the following questions:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties, and on what basis might you do so?
Personal Privacy Rights
Data subjects have a number of rights pertaining to the way organisations collect and hold their data. These include:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right to access
Organisations need to prove that they have a legal ground to process data. Most organisations currently rely on consent by default, but the GDPR toughens the rules for obtaining and keeping consent.
There are five other lawful grounds for processing data:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
However, there will be times when CONSENT is the most appropriate lawful basis, so you need to be aware of your obligations.
The GDPR defines consent as:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
This in itself means that consent must be obtained more explicitly. The addition of the term “clear affirmative action” is key here, as it nullifies opt-out consent, such as pre-ticked boxes. The GDPR makes a number of other changes to the way in which organisations will have to gain consent. The ICO’s guidance explains that consent requests must be:
- Unbundled: ensure that consent requests are separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Granular: give a thorough explanation of options to consent to different types of processing wherever appropriate.
- Named: state which organisation and third parties will be relying on consent; even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- Without an imbalance in the relationship: check that there isn't an imbalance in the relationship between the individual and the controller (such as an employee and employer, or a tenant and a housing association).
Examples of lawful consent requests include:
- Signing a consent statement on a paper form;
- Clicking an opt-in button or link online;
- Selecting from equally prominent yes/no options;
- Choosing technical settings or preference dashboard settings;
- Responding to an email requesting consent;
- Answering yes to a clear oral consent request;
- Volunteering optional information for a specific purpose (such as optional fields in a form); and
- Dropping a business card into a box.
Child Consent Policies
The GDPR states that children cannot give lawful consent because they “may be less aware of the risks, consequences and safeguards” of sharing data. The default age at which someone is no longer considered a child is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16.
For example, the UK, the Republic of Ireland and Spain are expected to set the age at 13, Germany and the Netherlands will stick with 16 and Austria is opting for 14.
Data controllers must know the age of consent in particular countries and avoid seeking consent from anyone under that age.
Plan for data breaches
One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery, and provide them with as much detail as possible.
Why is GDPR important?
Compliance is not a choice and time is short
GDPR compliance is not just a matter of ticking a few boxes; the Regulation demands that you be able to demonstrate compliance with its data processing principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability and individuals’ rights provisions, as well as building a workplace culture of data privacy and security.
You should prioritise tackling those areas where a lack of action would leave your organisation exposed. Where an infringement occurs, being able to demonstrate that you have made a start could help reduce potential penalties.
Is my company/startup/charity going to be impacted?
In short, yes. Individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by the GDPR. “If you are currently subject to the DPA (Data Protection Act), it is likely that you will also be subject to the GDPR,” the ICO (Information Commissioner’s Office) says on its website.
Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address… you name it. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.
These definitions are largely the same as those in current data protection laws and can relate to information that is collected through automated processes. Where the GDPR differs from current data protection laws is that pseudonymised personal data can also fall under the law, if it is possible that a person could be identified from the pseudonym.
Fines and Penalties
The GDPR imposes stiff fines on data controllers and processors for non-compliance.
Fines are administered by individual member state supervisory authorities (83.1). The following 10 criteria are used to determine the amount of the fine imposed on a non-compliant firm:
- Nature of infringement: number of people affected, damage they suffered, duration of the infringement, and purpose of the processing
- Intention: whether the infringement is intentional or negligent
- Mitigation: actions taken to mitigate damage to data subjects
- Preventative measures: how much technical and organisational preparation the firm had previously implemented to prevent non-compliance
- History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation: how cooperative the firm has been with the supervisory authority in remedying the infringement
- Data type: what types of data the infringement affects; see special categories of personal data
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or by a third party
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other: other aggravating or mitigating factors, which may include the financial impact of the infringement on the firm
If a firm infringes on multiple provisions of the GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalized for each provision. (83.3)
However, the above may not offer much relief considering the amount of fines possible:
Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, for infringements of the obligations of:
- Controllers and processors under Articles 8, 11, 25–39, 42, 43
- Certification bodies under Articles 42, 43
- Monitoring bodies under Article 41(4)
Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, for infringements of:
- The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
- The data subjects' rights under Articles 12–22
- The transfer of personal data to a recipient in a third country or an international organisation under Articles 44–49
- Any obligations pursuant to Member State law adopted under Chapter IX
- Any non-compliance with an order by a supervisory authority (83.6)
When will the GDPR take effect?
The GDPR will be directly applicable in all European Union Member States starting from 25 May 2018.