GDPR for Dummies

What is GDPR?

The main aims of the EU’s General Data Protection Regulation (GDPR) is to ensure the personal data of European Union “data subjects” is better protected and to increase the rights of EU data subjects over their personal data. Under GDPR, a data subject is an EU citizen or other national who is physically present in the EU at the time data are collected. GDPR was implemented in 2016 and after a two-year grace period to allow organizations to prepare for the regulation, GDPR became effective on the 25th May 2018. Any business or organization that offers services to EU data subjects that collects, processes or stores the data of EU data subjects has to comply with GDPR regardless of the location of that business or organization.

What is Personal Data under GDPR?

Personal data (also termed personally identifiable information) is considered to be any piece of information that contains an “identifier” that can be used to identify a specific individual or group of individuals. Personal data pertains to a person, rather than a business or other organization, which have their own set of data protection laws.

For example, the following data elements are considered personal data under GDPR:

  • Names (first, last, middle, maiden, etc.)
  • Dates of birth
  • Telephone numbers
  • Addresses
  • Photographs
  • Audio/visual recordings of an individual
  • Bank details
  • Opinions
  • Passport numbers
  • Location data

Anonymous data – Information that cannot easily be tied to a data subject – is not covered by GDPR. For example, if participants in a survey are grouped by county instead of town, it makes them harder to identify as there may be several people with the same name in a county, but potentially only one in any particular town.

Under GDPR, personal data must only be stored for the time taken to achieve the purpose for which the data have been collected. Personal data cannot be stored indefinitely. Entities storing data must carefully consider how long data must be kept and also how to dispose of that information securely once the purpose for which the information was collected has been achieved (subject to retention regulations for compliance purposes).

Are there any Special Types of Personal Data Defined under GDPR?

There are particular pieces of information that are particularly sensitive and could result in individuals coming to harm or being vulnerable in the event of a data breach. These types of data are treated as ‘special categories’ of data under GDPR. if these special categories of data are collected or processed by an entity, greater levels of protection are required and extra levels of checks and justification for collecting and using those types of data are required, as detailed in GDPR Article 9.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

Examples include the following:

  • Race or ethnicity
  • Religious or spiritual beliefs
  • Political or philosophical leanings
  • Trade union alliances
  • Biological/genetic data
  • Medical data
  • Sexuality/gender identity

Who is Covered by GDPR?

GDPR ComplianceBroadly speaking, there are three categories of entities and individual covered by GDPR. The first, the controller, is a government agency or organization (public or private) that initiates the collection and processing of personal data. The controller is the entity that collects and uses personal data or shares that information.

The second, processors, are those contracted by the controller to process personal data. These are usually IT companies or third-party marketing companies, but the term “data processor” can also relate to any software used to process data. Therefore, apps used to collect or process personal data are also subject to GDPR compliance. In many circumstances, the same organization can be both a data controller and a data processor.

Finally, there are the data subjects. These are the people whose personal information is being collected, used and processed by the controllers and processors. These individuals retain the right to access their personal data, correct errors, and request the removal of information collected about them. In all cases, such requests must be processed within thirty days. GDPR also gives data subjects the right to portability, meaning the information must be provided in a structured, electronic format.

What is GDPR Data Processing?

Essentially, when GDPR refers to the processing of data, it means the handling, use, storage and destruction of information. Processors and controllers are responsible for ensuring data security at every stage of its lifecycle.

In certain situations, individuals may request that their data is not processed, or that its processing is “restricted”. This is also known as “the right to object”. It may be that the individual considers their information particularly sensitive, or has concerns about how their information will be used by an organization.

There are three instances when an individual has the right to object:

  • Processing of data for scientific/historical research
  • Processing of data for direct marketing
  • Processing that is based on profiling

If such requests are upheld, it means that any collected data cannot be used. In some instances, processing may be restricted for a certain period, after which the data can be used.

Are There any Exceptions to GDPR?

As can be expected, not every organization that operates within the EU must comply with GDPR. Such exemptions are outlined in Articles 85 and 91, although member states may apply for specific exemptions (see Article 23).

GDPR sets out to protect personal data, although doing so may mean contravening other GDPR rules. If an individual poses a threat to the rights and freedoms of others, it is often the case their data is no longer protected under GDPR in the same way as data of other citizens.

Examples of when personal data may no longer be treated as such include:

  • Defense concerns
  • Crime prevention
  • Financial security
  • Prosecution of a crime
  • Suspected tax evasion
  • Public health concerns
  • Freedom of information

Conversely, member states may wish to apply extra safeguards to citizens’ data. Regardless of these extra measures, all GDPR requirements must be met.

Where Does GDPR Apply?

GDPR KeyboardThe protection of personal data is a value that is shared around the globe. 109 of the world’s 195 countries have implemented some form of data protection law into their national legislation. Privacy is considered to be a fundamental aspect of the right to human dignity. Though organizations also have some right to privacy, it does not prevail over an individual’s right.

Privacy laws are highly variable. What is legal in one country may not be legal in another. The closest equivalent in the United States are the HIPAA laws related to healthcare information. Additionally, data can be transmitted all around the world, which raises issues about how information can – and should be – protected. Does it depend on the country where data are currently being held, or the individual’s home country? When it comes to GDPR, data must be protected in line with EU standards for all of its citizens, regardless of where the data are located.

But what about Brexit and GDPR?

The United Kingdom’s impending departure from the EU will, undoubtedly, have many unforeseen and unpredictable consequences. However, with regards to data protection, it is very likely that the UK’s new Data Protection Laws will take the same form as GDPR. This is, in part, to facilitate the fact that many UK organizations will work with the data of EU data subjects. Regardless of Brexit, All UK companies and individuals that collect or process the personal data of EU data subjects will be required to comply with GDPR Rules. Any changes to UK data protection laws will only apply to UK citizens.

GDPR Compliance and the United States

GDPR FlagThere is an existing agreement between the US and the EU regarding the protection of shared data. Adopted in 2016, the EU-US Privacy Shield Framework allows private data to be transferred outside of the EU if the recipient organization is certified by the US Department of Commerce or the EU Supervisory Authority. This is necessary as the EU has ruled that the US privacy laws are inadequate. Thus, organizations wishing to use EU data must go through extra steps to certify they have “adequate safeguards” to protect data.

These organizations must process and use the data in accordance with the guidelines set out by the Framework. The US Federal Trade Commission or Department for Transportation are responsible for enforcing these rules, depending on the nature of the data. To meet the criteria, organizations must conduct an annual review to self-certify that they are compliant.

Whilst being Privacy Shield-certified does not guarantee GDPR compliance, it certainly gives organizations a head-start over non-certified ones when it comes to complying with GDPR. Additionally, there are plans to conduct an annual review of GDPR, so organizations must make sure they stay updated on the latest requirements.

What are the “GDPR Right to be Forgotten” and the “GDPR Right to be Informed”?

When it came into force, GDPR established the right to erasure, commonly called the “right to be forgotten”. Those who hold an individual’s personal data must delete that infomration upon request if the following conditions are met:

  • The data has lost its relevance
  • The subject withdraws consent to process their data
  • The subject objects to the processing of the their data
  • The data was unlawfully processed

Data subjects also have the “right to be informed”. This means that they must receive information from the controller about what information is collected, how it is stored, and how it is being used. If any of these things change whilst the data are still in the controller’s possession, the data subject must be informed.

What are the GDPR Penalties for Non-Compliance?

As part of the original Directive on privacy, each member state can establish its own regime for penalties. For example, breaches in the UK can attract fines of up to £500,000, but in France the maximum penalty is €150,000.

GDPR standardizes the penalties for non-compliance. Since GDPR came into effect on May 25, 2018, the maximum penalty is €20 million, or 4% of a company’s annual turnover, whichever amount is higher. Data subjects are also permitted to file lawsuits against companies/individuals who have violated their privacy and GDPR rules.

What are the GDPR Privacy Principles?

There are eight core GDPR privacy principles.

  • Notification – Organizations must provide clear information to their customers about when and how their data are being used and if personal data are being transferred to a third party.
  • Lawfulness – Consent is usually needed to share private data, although when consent is not necessary there must be a clear legal basis for sharing data.
  • Limits – Personal data must only be disclosed when there is need for a disclosure. There are, however, exceptions that allow data to be used for purposes other than the reasons for which the information was originally collected.
  • Security – Those who collect, use, and store personal information must employ reasonable measures to protect data.
  • Accountability – Those who collect, use, and store personal data must comply with GDPR and its principles.
  • Downstream protection – As well as the initial collector of data, any party with whom the information is shared must also adhere to GDPR requirements.
  • Access and Rights – Individuals should be able to access and use their own personal data, as well as withhold permission for certain uses of their data.
  • Breach Notification – If an individual’s data is breached, the individual must be notified as soon as possible and the supervisory authority notified within 72 hours of the breach’s discovery.

Essentially, this means that data must only be used for a pre-defined purpose and must be held securely within the EU and only accessed by those with adequate authorization. The data collected must also be accurate.

Best Practices to Protect Data

There are a number of practices that can be implemented to ensure data remains secure. These can help guard against both malicious breaches of information and breaches that result from human error.

  • Clear desk policy: Before any employee leaves his or her workstation, care should be taken to ensure that no materials containing private data are left on the desk in plain view. Computers should be locked or logged off, and any other electronic devices should be stored securely or taken with the individual.
  • Password security: It is imperative no passwords are written down, and if they are, they should be kept well away from the computer that they unlock. Passwords themselves should be long, containing a mix of lower- and upper-case letters, numbers and special characters. Ideally, they should not be words that can be found in dictionaries or include personal information, as that makes them susceptible to brute force attacks by hackers.
  • Practice secure storage: This goes hand-in-hand with the clear desk policy. Any material that contains a person’s personal private information must be stored in a secure manner. If it is maintained digitally, it must be encrypted.
  • Ensure that mobile devices are secured: Many companies now implemented Bring Your Own Device (BYOD) policies. While these policies cave companies money have the potential to increase the risk of information theft. Devices should be adequately secured and, of course, be password-protected or locked by some other method that prevents unauthorized access in the event of device loss or theft.
  • Ensure secure transmission of data: Private information should not be sent via insecure channels, free email services, or via fax or text message. Additionally, senders of information should double-check to see if recipients are authorized to receive the information.
  • Secure workplaces from unauthorized personnel: Workstations should be set up to prevent unauthorized visitors from seeing computer monitors, accidentally or otherwise. This includes ensuring that any files open on a desk are also not readable by unauthorized passersby.
  • Secure disposal of data: DVDs, USBs, mobile devices etc. that contain private data should not be disposed of without first ensuring that all protected data has been securely removed from the devices. Additionally, hard copies of such data must be finely shredded before disposal.
  • Reporting breaches: In most instances, if a breach occurs, an organization has 72 hours to report the breach to their EU Supervisory Authority. Reports should also be made if there has been a suspected, but unconfirmed, breach of data.

It is, of course, essential to ensure that all employees are HIPAA trained on their responsibilities under GDPR and strictly adhere to these practices to minimize the risk of GDPR non-compliance.

How to Become GDPR-Compliant

  1. Ensure privacy is a top priority for the organization.
    1. Have you developed and implemented comprehensive data protection guidelines?
    2. Have you clear outcomes assigned to these guidelines?
    3. Has the responsibility to ensure privacy protection been adequately delegated to staff members?
    4. Are staff across the organization aware of privacy-related issues?
    5. Is there a transparent code of conduct relating to GDPR compliance between departments?
  2. Ensure accountability within the organization.
    1. Is there a data protection officer tasked with ensuring GDPR compliance?
    2. Is it clear to staff members when to approach the data protection officer?
    3. Has the protection officer’s contact details been communicated to employees (an explicit requirement of Article 37 (7) of GDPR)?
  3. Ensure that data are properly processed.
    1. Is there a record of processing activities (as per Article 30 of GDPR)?
    2. When changing organizational policies, how are data protection principles incorporated into the new policies?
  4. Ensure third parties also adhere to GDPR.
    1. Is a third party involved in data processing?
    2. Is there a clear record of who was involved from the third party?
    3. Is there an agreement in place with all third parties, as per Article 28 (3) GDPR?
  5. Ensure the rights of the data subject are met.
    1. Has the organization’s own documents and policies been updated to ensure data is protected as described in Articles 13 and 14 of GDPR?
    2. Do they contain the following pieces of information (where relevant):
      1. Contact details of the data protection officer
      2. Legal reasons for processing data
      3. If data are being processed because of a legitimate interest (including the interest of third parties), has the basis of those interests been stated
      4. The safeguards in place to protect data when transferred to a different country
      5. The period of time for which data will be stored
      6. A statement giving the data subject the right to access, correct, and have personal data erased
      7. A statement giving the data subject the right to portability
      8. A statement giving the data subject the right to lodge a complaint with a supervisor/higher authority
      9. A statement giving the data subject the right to withdraw their consent to process data
      10. Details regarding the automated profiling of data and automated decision making
      11. The source of the data
    3. What is the process for dealing with an individual’s request for access? Will this be done in a timely manner?
    4. What is the process for dealing with an individual’s request for data portability?
  6. Ensure to account for all possible risks.
    1. Are there adequate records to prove the lawfulness of each instance of data processing?
    2. When appropriate, are consent forms in use (as per Articles 7 and 8)?
    3. Is it possible to show that data subjects have given their explicit consent to data processing?
    4. Is there a management system in place to ensure that data is protected and data processing complies with GDPR regulations?
    5. Have all processes been reviewed and refined in accordance with Article 24 GDPR? For example, have checklists been rewritten with a risk-oriented approach regarding the nature, extent, context and purpose of processing data?
    6. Are there adequate procedures to test security measures?
    7. Have protective measures, such as anonymization, pseudonymization, and encryption, been used to protect private data from cyberattacks?
    8. Is there a management system in place to ensure that a data protection impact assessment can be conducted, and does it state when it should be conducted?
  7. Ensure there are procedures in place for dealing with data breaches.
    1. Are there measures in place to detect data breaches?
    2. As per Article 33 of GDPR, are there adequate measures in place to ensure that a Supervisory Authority is notified of data breaches within 72 hours of its discovery?
    3. How will these breaches be dealt with internally?

GDPR for Dummies: Conclusion

It is important to note this GDPR Guide for Dummies is a very basic guide and should not be considered a basis for GDPR compliance. The General Data Protection Regulation contains 11 Chapters and 99 Articles of regulations relating to the protection of data and how data can be collected, processed and stored. Naturally not every line of text will apply to every GDPR-covered entity, so the GDPR text must be carefully studied. Businesses and organizations outside the EU should also be aware that each EU member state has its own data protection legislation that also has to be complied with.

A further consideration for businesses and organizations operating outside the European Economic Area (EEA) is data subject to GDPR can only be shared with businesses and organizations in non-EU countries that have an adequacy agreement in place. This will affect all businesses and organizations that operate in the cloud and who archive data in jurisdictions (regions and availability zones) that have not met the standards of GDPR adequacy. In this case, it will be necessary to re-migrate the data to a GDPR-compliant region.

The requirements for GDPR compliance are long and complex, and businesses subject to GDPR not only have to ensure their operations are compliant, but also the operations of third parties with whom data are shared. Although it is not an automatic requirement of GDPR for businesses to appoint a Data Protection Officer to address compliance issues (this requirement only applies in certain circumstances), it is recommended businesses conduct a compliance audit and discuss their current level of data security with a GDPR compliance consultant.

Additional Articles about GDPR

  • Does GDPR Apply to US Companies?
  • GDPR Data Breach Notification Rules
  • What Does the GDPR Right to Object Mean?
  • What is GDPR Special Category Data?
  • What is GDPR’s Definition of Personal Data?

GDPR for Dummies FAQ

Can an organization be both a data controller and a data processor under GDPR?

Under GDPR, a data controller determines the reasons for collecting data and how it will be processed. A data processor processes data according to the controller´s instructions. If the processing of personal data is done “in-house”, the organization is both a data controller and data processor and subject to the regulations for both entities.

What are the circumstances under which I have to appoint a Data Protection Officer?

Regardless of whether your organization is a data controller or a data processor (or both), you have to appoint a Data Protection Officer if you are a public authority, if your core activities require large-scale, regular, and systematic monitoring of individuals, or if your core activities consist of large scale processing of special categories of data.

If my organization is based in the U.S., and I do not need to appoint a Data Protection Officer, do I still need to appoint a European representative?

The language of GDPR relating to European representatives is quite complex. According to Article 3 (2), a U.S. based organization offering goods or services to data subjects in the EU would need to appoint a European representative unless - according to Article 27 (2) - the collection, processing, and storing of data is occasional, does not include large scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of EU data subjects.

Unfortunately there is no one-size-fits-all answer to this question, and the decision to appoint a European representative (or not) should be decided after an audit has been carried out to determine the extent to which EU subject data is collected, processed, or stored by the organization. The audit will reveal whether or not data collection, processing, or storing is occasional, the nature of data being collected, processed, or stored, and what threats exist to the security of data.

What happens - as a U.S. based organization - if I don´t appoint a Data Protection Officer nor a European representative, and I should have done?

This issue can exist due to GDPR failing to quantify what constitutes “occasional” data collection, processing, and storage. If, because of this vague area, you don´t appoint a Data Protection Officer or a European representative, you should document why the decision was made because the fines for non-compliance are substantial. It is because of this vagueness, some U.S. based organization have made the decision to block access to their websites for “occasional” EU visitors to avoid being in breach of GDPR.

Are there circumstances in which organizations do not have to report data breaches?

When an incident occurs that leads to the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data”, it should be reported to the Data Protection Authority in which the organization is based within 72 hours - or, if the organization is based outside the EU, to the Data Protection Authority in which the organization´s European representative is located.

The exception to this rule is when the loss, alteration, unauthorized disclosure, etc., of the personal data does not “pose a risk to the rights and freedoms of natural living persons” - a risk being defined as the possibility that data subjects may suffer economic or social damage, reputational damage, or financial loss. There are very few circumstances in which this exception would apply; so, if any doubt exists about whether a data breach should be reported or not, it is always better to report it.