The main aims of the EU’s General Data Protection Regulation (GDPR) is to ensure the personal data of European Union “data subjects” is better protected and to increase the rights of EU data subjects over their personal data. Under GDPR, a data subject is an EU citizen or other national who is physically present in the EU at the time data are collected. GDPR was implemented in 2016 and after a two-year grace period to allow organizations to prepare for the regulation, GDPR became effective on the 25th May 2018. Any business or organization that offers services to EU data subjects that collects, processes or stores the data of EU data subjects has to comply with GDPR regardless of the location of that business or organization.
Personal data (also termed personally identifiable information) is considered to be any piece of information that contains an “identifier” that can be used to identify a specific individual or group of individuals. Personal data pertains to a person, rather than a business or other organization, which have their own set of data protection laws.
For example, the following data elements are considered personal data under GDPR:
Anonymous data – Information that cannot easily be tied to a data subject – is not covered by GDPR. For example, if participants in a survey are grouped by county instead of town, it makes them harder to identify as there may be several people with the same name in a county, but potentially only one in any particular town.
Under GDPR, personal data must only be stored for the time taken to achieve the purpose for which the data have been collected. Personal data cannot be stored indefinitely. Entities storing data must carefully consider how long data must be kept and also how to dispose of that information securely once the purpose for which the information was collected has been achieved (subject to retention regulations for compliance purposes).
There are particular pieces of information that are particularly sensitive and could result in individuals coming to harm or being vulnerable in the event of a data breach. These types of data are treated as ‘special categories’ of data under GDPR. if these special categories of data are collected or processed by an entity, greater levels of protection are required and extra levels of checks and justification for collecting and using those types of data are required, as detailed in GDPR Article 9.
Examples include the following:
Broadly speaking, there are three categories of entities and individual covered by GDPR. The first, the controller, is a government agency or organization (public or private) that initiates the collection and processing of personal data. The controller is the entity that collects and uses personal data or shares that information.
The second, processors, are those contracted by the controller to process personal data. These are usually IT companies or third-party marketing companies, but the term “data processor” can also relate to any software used to process data. Therefore, apps used to collect or process personal data are also subject to GDPR compliance. In many circumstances, the same organization can be both a data controller and a data processor.
Finally, there are the data subjects. These are the people whose personal information is being collected, used and processed by the controllers and processors. These individuals retain the right to access their personal data, correct errors, and request the removal of information collected about them. In all cases, such requests must be processed within thirty days. GDPR also gives data subjects the right to portability, meaning the information must be provided in a structured, electronic format.
Essentially, when GDPR refers to the processing of data, it means the handling, use, storage and destruction of information. Processors and controllers are responsible for ensuring data security at every stage of its lifecycle.
In certain situations, individuals may request that their data is not processed, or that its processing is “restricted”. This is also known as “the right to object”. It may be that the individual considers their information particularly sensitive, or has concerns about how their information will be used by an organization.
There are three instances when an individual has the right to object:
If such requests are upheld, it means that any collected data cannot be used. In some instances, processing may be restricted for a certain period, after which the data can be used.
As can be expected, not every organization that operates within the EU must comply with GDPR. Such exemptions are outlined in Articles 85 and 91, although member states may apply for specific exemptions (see Article 23).
GDPR sets out to protect personal data, although doing so may mean contravening other GDPR rules. If an individual poses a threat to the rights and freedoms of others, it is often the case their data is no longer protected under GDPR in the same way as data of other citizens.
Examples of when personal data may no longer be treated as such include:
Conversely, member states may wish to apply extra safeguards to citizens’ data. Regardless of these extra measures, all GDPR requirements must be met.
The protection of personal data is a value that is shared around the globe. 109 of the world’s 195 countries have implemented some form of data protection law into their national legislation. Privacy is considered to be a fundamental aspect of the right to human dignity. Though organizations also have some right to privacy, it does not prevail over an individual’s right.
Privacy laws are highly variable. What is legal in one country may not be legal in another. The closest equivalent in the United States are the HIPAA laws related to healthcare information. Additionally, data can be transmitted all around the world, which raises issues about how information can – and should be – protected. Does it depend on the country where data are currently being held, or the individual’s home country? When it comes to GDPR, data must be protected in line with EU standards for all of its citizens, regardless of where the data are located.
The United Kingdom’s impending departure from the EU will, undoubtedly, have many unforeseen and unpredictable consequences. However, with regards to data protection, it is very likely that the UK’s new Data Protection Laws will take the same form as GDPR. This is, in part, to facilitate the fact that many UK organizations will work with the data of EU data subjects. Regardless of Brexit, All UK companies and individuals that collect or process the personal data of EU data subjects will be required to comply with GDPR Rules. Any changes to UK data protection laws will only apply to UK citizens.
There is an existing agreement between the US and the EU regarding the protection of shared data. Adopted in 2016, the EU-US Privacy Shield Framework allows private data to be transferred outside of the EU if the recipient organization is certified by the US Department of Commerce or the EU Supervisory Authority. This is necessary as the EU has ruled that the US privacy laws are inadequate. Thus, organizations wishing to use EU data must go through extra steps to certify they have “adequate safeguards” to protect data.
These organizations must process and use the data in accordance with the guidelines set out by the Framework. The US Federal Trade Commission or Department for Transportation are responsible for enforcing these rules, depending on the nature of the data. To meet the criteria, organizations must conduct an annual review to self-certify that they are compliant.
Whilst being Privacy Shield-certified does not guarantee GDPR compliance, it certainly gives organizations a head-start over non-certified ones when it comes to complying with GDPR. Additionally, there are plans to conduct an annual review of GDPR, so organizations must make sure they stay updated on the latest requirements.
When it came into force, GDPR established the right to erasure, commonly called the “right to be forgotten”. Those who hold an individual’s personal data must delete that infomration upon request if the following conditions are met:
Data subjects also have the “right to be informed”. This means that they must receive information from the controller about what information is collected, how it is stored, and how it is being used. If any of these things change whilst the data are still in the controller’s possession, the data subject must be informed.
As part of the original Directive on privacy, each member state can establish its own regime for penalties. For example, breaches in the UK can attract fines of up to £500,000, but in France the maximum penalty is €150,000.
GDPR standardizes the penalties for non-compliance. Since GDPR came into effect on May 25, 2018, the maximum penalty is €20 million, or 4% of a company’s annual turnover, whichever amount is higher. Data subjects are also permitted to file lawsuits against companies/individuals who have violated their privacy and GDPR rules.
There are eight core GDPR privacy principles.
Essentially, this means that data must only be used for a pre-defined purpose and must be held securely within the EU and only accessed by those with adequate authorization. The data collected must also be accurate.
There are a number of practices that can be implemented to ensure data remains secure. These can help guard against both malicious breaches of information and breaches that result from human error.
It is, of course, essential to ensure that all employees are trained on their responsibilities under GDPR and strictly adhere to these practices to minimize the risk of GDPR non-compliance.
It is important to note this GDPR Guide for Dummies is a very basic guide and should not be considered a basis for GDPR compliance. The General Data Protection Regulation contains 11 Chapters and 99 Articles of regulations relating to the protection of data and how data can be collected, processed and stored. Naturally not every line of text will apply to every GDPR-covered entity, so the GDPR text must be carefully studied. Businesses and organizations outside the EU should also be aware that each EU member state has its own data protection legislation that also has to be complied with.
A further consideration for businesses and organizations operating outside the European Economic Area (EEA) is data subject to GDPR can only be shared with businesses and organizations in non-EU countries that have an adequacy agreement in place. This will affect all businesses and organizations that operate in the cloud and who archive data in jurisdictions (regions and availability zones) that have not met the standards of GDPR adequacy. In this case, it will be necessary to re-migrate the data to a GDPR-compliant region.
The requirements for GDPR compliance are long and complex, and businesses subject to GDPR not only have to ensure their operations are compliant, but also the operations of third parties with whom data are shared. Although it is not an automatic requirement of GDPR for businesses to appoint a Data Protection Officer to address compliance issues (this requirement only applies in certain circumstances), it is recommended businesses conduct a compliance audit and discuss their current level of data security with a GDPR compliance consultant.
Under GDPR, a data controller determines the reasons for collecting data and how it will be processed. A data processor processes data according to the controller´s instructions. If the processing of personal data is done “in-house”, the organization is both a data controller and data processor and subject to the regulations for both entities.
Regardless of whether your organization is a data controller or a data processor (or both), you have to appoint a Data Protection Officer if you are a public authority, if your core activities require large-scale, regular, and systematic monitoring of individuals, or if your core activities consist of large scale processing of special categories of data.
The language of GDPR relating to European representatives is quite complex. According to Article 3 (2), a U.S. based organization offering goods or services to data subjects in the EU would need to appoint a European representative unless – according to Article 27 (2) – the collection, processing, and storing of data is occasional, does not include large scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of EU data subjects.
Unfortunately there is no one-size-fits-all answer to this question, and the decision to appoint a European representative (or not) should be decided after an audit has been carried out to determine the extent to which EU subject data is collected, processed, or stored by the organization. The audit will reveal whether or not data collection, processing, or storing is occasional, the nature of data being collected, processed, or stored, and what threats exist to the security of data.
This issue can exist due to GDPR failing to quantify what constitutes “occasional” data collection, processing, and storage. If, because of this vague area, you don´t appoint a Data Protection Officer or a European representative, you should document why the decision was made because the fines for non-compliance are substantial. It is because of this vagueness, some U.S. based organization have made the decision to block access to their websites for “occasional” EU visitors to avoid being in breach of GDPR.
When an incident occurs that leads to the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data”, it should be reported to the Data Protection Authority in which the organization is based within 72 hours – or, if the organization is based outside the EU, to the Data Protection Authority in which the organization´s European representative is located.
The exception to this rule is when the loss, alteration, unauthorized disclosure, etc., of the personal data does not “pose a risk to the rights and freedoms of natural living persons” – a risk being defined as the possibility that data subjects may suffer economic or social damage, reputational damage, or financial loss. There are very few circumstances in which this exception would apply; so, if any doubt exists about whether a data breach should be reported or not, it is always better to report it.