GDPR for Dummies

What is GDPR?

Agreed in 2016, the motive of the General Data Protection Regulation (GDPR) is to better protect the personal data of European Union “data subjects” – EU citizens and other nationals physically present in the EU at the time data are collected. After a two-year grace period to allow organizations to prepare for the regulation, GDPR came into effect on the 25th May 2018. Any business or organization that offers services to EU data subjects, or that collects, processes or stores the data of EU data subjects has to comply with GDPR regardless of the location of the business or organization.

What is Personal Data under GDPR?

Personal data (also termed “personally identifiable information) is considered to be any piece of information that contains an “identifier”, i.e. that can be used to identify a specific individual or group of individuals. It must pertain to a person, rather than a business or other organization (which have their own set of data protection laws).

The following can be considered as GDPR personal data:

  • Names (first, last, middle, maiden, etc.)
  • Dates of birth
  • Telephone numbers
  • Addresses
  • Photographs
  • Audio/visual recordings of the individual
  • Bank details
  • Opinions
  • Passport numbers
  • Location data

However, so-called “anonymous” data does not need protection by data security laws. For example, if participants in a survey are grouped by county instead of town, it makes them harder to identify as there may be ten people named “Jane Smith” in a county, but only one in any particular town.

Most data protection laws consider maintaining data longer than necessary a breach of privacy, so those storing data must also carefully consider how to safely dispose of it once it has served the purpose it was collected for (subject to retention regulations for compliance purposes).

Are there any Special Types of Personal Data Defined under GDPR?

There are particular pieces of information that, when leaked, make individuals especially vulnerable. Thus, the data is considered “sensitive” and falls under a special category of data. It requires even greater levels of protection and its use requires extra levels of checks and justification, outlined in Article 9 of GDPR.

Examples include the following:

  • Race or ethnicity
  • Religious or spiritual beliefs
  • Political or philosophical leanings
  • Trade union alliances
  • Biological/genetic data
  • Medical data
  • Sexuality/gender identity

Who’s Involved in GDPR Policy?

GDPR ComplianceBroadly, there are three parties one should keep in mind when reading about GDPR. The first, the controller, is the government agency or organization (public or private) that initiates the collection and processing of personal data. They are also the ones who use it and, if necessary, share it.

The second, the processors, are those contracted by the controller to process the private data. These are usually IT companies or third-party marketing companies, but the term “data processor” can also relate to any software used to process data. Therefore, apps used to collect or process personal data are also subject to GDPR compliance. In many circumstances, the same organization can be both a data controller and a data processor.

Finally, there are the data subjects. These are the people whose personal information is being used and processed by the controllers and processors. These individuals retain the right to access, correct or request the removal of information collected about them and such requests must be processed within thirty days. GDPR also gives the data subject the right to portability, meaning the information must be provided in a structured, electronic format.

What is GDPR Data Processing?

Essentially, when GDPR refers to the processing of data, they mean the collection, handling, use, storage and destruction of information. The processors and controllers are responsible for ensuring data security at every stage of its lifecycle.

In certain situations, individuals may request that their data is not processed, or that its processing is “restricted”. This is also known as “the right to object”. It may be that the individual considers their information particularly sensitive, or have concerns about how it will be used by the organization.

There are three instances when an individual has the right to object:

  • Processing of data for scientific/historical research
  • Processing of data for direct marketing
  • Processing that is based on profiling

If such requests are upheld, it means that any collected data cannot be used. In some instances, processing may be restricted for a certain period, after which the data can be used.

Are there any Exceptions to GDPR?

As can be expected, not every organization that operates within the EU must comply with GDPR. Such exemptions are outlined in Articles 85 and 91, though member states may apply for specific exemptions (see Article 23).

GDPR sets out to protect personal data, though doing so may mean contravening other GDPR rules. If an individual poses a threat to the rights and freedoms of others, it is often the case their data is no longer protected under GDPR in the same way as data of other citizens.

Examples of when personal data may no longer be treated as such include:

  • Defense concerns
  • Crime prevention
  • Financial security
  • Prosecution of a crime
  • Suspected tax evasion
  • Public health concerns
  • Freedom of information

Conversely, member states may wish to apply extra safeguards to citizens’ data. Regardless of these extra measures, all GDPR requirements must be met.

Where will the GDPR Apply?

GDPR KeyboardThe protection of personal data is a value that is shared across the globe, with 109 of the world’s 195 countries incorporating some form of data protection law into their national legislation. Privacy is considered to be a fundamental aspect of the right to human dignity. Though organizations also have some right to privacy, it does not prevail over an individual’s right.

Yet these laws are highly variable. What is legal in one country may not be in another. Additionally, data is transmitted all across the world – how should it be protected? Does it depend on the country where it is currently being held, or the individual’s home country? When it comes to GDPR, data must be protected in line with EU standards for all if its citizens, regardless of where the data itself is.

But what about BREXIT and GDPR?

The United Kingdom’s impending departure from the EU will, undoubtedly, have many unforeseen and unpredictable consequences. However, with regard data protection, it is very likely that the UK’s new Data Protection Laws will take the same shape as GDPR. This is, in part, to facilitate the fact that many UK organizations will work with the data of EU data subjects.

What about GDPR in the United States?

GDPR FlagThere is an existing agreement between the US and the EU regarding the protection of shared data. Adopted in 2016, the EU-US Privacy Shield Framework allows private data to be transferred outside of the EU if the recipient organization is certified by the US Department of Commerce or the EU Supervisory Authority. This is necessary as the EU has ruled that the US privacy laws are inadequate. Thus, organizations wishing to use EU data must go through extra steps to certify they have “adequate safeguards” to protect data.

These organizations must process and use the data in accordance with the guidelines set out by the Framework. The US Federal Trade Commission or Department for Transportation are responsible for enforcing these rules, depending on the nature of the data. To meet the criteria, organizations must conduct an annual review to self-certify that they are compliant.

Whilst being Privacy Shield-certified does not guarantee GDPR compliance, it certainly gives such organizations a head-start over uncertified ones. Additionally, there are plans to conduct an annual review of GDPR, so organizations must be sure to keep updated on the latest requirements.

What is the “GDPR right to be forgotten” or the “GDPR right to be informed”?

When it came into force, GDPR established the right to erasure, commonly called the “right to be forgotten”. Those who hold an individual’s personal data must delete it upon request if the following conditions are met:

  • The data has lost its relevance
  • The subject withdraws consent and the organization cannot process the data without consent
  • The subject objects to the processing of the data
  • The data was unlawfully processed

Data subjects also have the “right to be informed”. This means that they must receive information from the controller about what information is collected, what and how it is stored, and how it is being used. If any of these things change whilst the data is still in the controller’s possession, the data subject must be informed.

What are the GDPR Penalties for Non-Compliance?

As part of the original Directive on privacy, each member state can establish its own regime for penalties. For example, breaches in the UK can attract fines of up to £500,000, but in France the maximum penalty is €150,000.

GDPR will standardise the penalty scheme. Now, the maximum penalty will be €20 million, or 4% of a company’s annual net worth. Data subjects will also be able to file lawsuits against those that committed the violation.

What are the GDPR Privacy Principles?

There are eight core GDPR privacy principles that underlie GDPR.

  • Notification – Organizations must provide clear information to their customers when and how their data is being used and if it is being transferred to a third party.
  • Lawfulness – Consent is usually needed to share private data, though when consent is not necessary there must be a clear legal basis for sharing data.
  • Limits – Personal data must only be disclosed when there is need for it. There are, however, exceptions that allow data to be used further than it was originally intended.
  • Security – Those who collect, use, and store personal information must employ reasonable measures to protect that data.
  • Accountability – Those who collect, use, and store personal data must comply with GDPR and its principles.
  • Downstream protection – As well as the initial collector of the data, any party with which the information was shared must also adhere to privacy legislation.
  • Access and Rights – Individuals should be able to access and use their own personal data, as well as withhold permission for certain uses of their data.
  • Breach Notification – If an individual’s data is breached, the individual must be notified as soon as possible. This must be done within 72 hours of the breach’s discovery. The breach must be reported to the EU Regulator.

Essentially, this means that data must only be used for a pre-defined purpose, it must be held securely within the EU and it is only accessed by those with adequate authorization. The data collected must, of course, be accurate.

What are Some Best Practices to Ensure Data Remains Protected?

There are a number of practices that can be put in place to ensure that data remains secure. These can help guard against both malicious breaches of information and breaches that result from simple human error.

  • Clear desk policy: Before any employee leaves his or her workstation, care should be taken to ensure that no materials describing private data are left on the desk in plain view. Computers should be locked or logged off, and any other electronic devices should be stored away or taken with the individual.
  • Password security: It is imperative no passwords are written down, and if they are, they should be kept well away from the computer that they unlock. Passwords themselves should be long, containing a mix of lower- and upper-case letters, numbers and special characters. Ideally, they should not be words that can be easily found in dictionaries or have personal information, as these are both easily guessed by hackers.
  • Practice secure storage: This goes hand-in-hand with the clear desk policy. Any material that contains a person’s personal private information must be stored in a secure manner. If it is maintained digitally, it must be adequately encrypted.
  • Ensure that mobile devices are secure: Many companies now opt to use Bring Your Own Device (BYOD) policies, which whilst saving money have the potential to increase the risk of information theft. Devices should be adequately secured and, of course, be password-protected.
  • Ensure secure transmission of data: Private information should not be sent via insecure, free email services or via fax. Additionally, senders of information should double-check to see if recipients are authorzsed to receive the information.
  • Secure workplaces from unauthorized personnel: Work stations should be set up to prevent unauthorized visitors from seeing computer monitors, accidentally or otherwise. This includes ensuring that any files open on a desk are also not readable by unauthorized passer-by’s.
  • Secure disposal of data: DVDs, USBs, mobile devices etc. that contain private data should not be disposed of without ensuring that all protected data has been securely removed from the devices. Additionally, hard copies of such data must be finely shredded before disposal.
  • Reporting breaches: In most instances, if a breach occurs an organization has 72 hours to report the breach to the EU Regulator. Reports should also be made if there has been a suspected, but unconfirmed, breach of data.

It is, of course, essential to ensure that all employees strictly adhere to these practices to minimize the risk of GDPR non-compliance.

How to be GDPR-Compliant

  1. Ensure privacy is a top priority for the organization.
    1. Have you comprehensive data protection guidelines?
    2. Have you clear outcomes assigned to these guidelines?
    3. Has the responsibility to ensure privacy protection been adequately delegated to staff members?
    4. Are staff across the organization aware of privacy-related issues?
    5. Is there a transparent code of conduct relating to GDPR compliance between departments?
  2. Ensure accountability within the organization.
    1. Is there a data protection officer tasked with ensuring GDPR compliance?
    2. Is it clear to staff members when to approach the data protection officer?
    3. Has the protection officer’s contact details been communicated to employees (an explicit requirement of Article 37 (7) of GDPR)?
  3. Ensure that data is properly processed.
    1. Is there a record of processing activities (as per Article 30 of GDPR)?
    2. When changing organizational policies, how are data protection principles incorporated into the new policies?
  4. Ensure third parties also adhere to GDPR.
    1. Is a third party involved in data processing?
    2. Is there a clear record of who was involved from the third party?
    3. Is there an agreement in place with all third parties, as per Article 28 (3) GDPR?
  5. Ensure the rights of the data subject are met.
    1. Have the organization’s own documents and policies been updated to ensure data protection as described in Articles 13 and 14 GDPR?
    2. Do they contain the following pieces of information (when relevant):
      1. Contact details of the data protection officer
      2. Legal reasons for processing of data
      3. If data is being processed because of a legitimate interest (including the interest of third parties), the basis of those interests
      4. The safeguards in place to protect data when it is being transferred to a different country
      5. The period of time for which the data will be stored
      6. A statement giving the data subject the right to access, rectify and erase personal data
      7. vii.A statement giving the data subject the right to portability
      8. viii.A statement giving the data subject the right to lodge a complaint with a supervisor/higher authority
      9. A statement giving the data subject the right to withdraw their consent to process data
      10. Details regarding the automated profiling of data processing and other automated decision making
      11. The source of the data
    3. What is the process for dealing with an individual’s request for access? Will this be done in a timely manner?
    4. What is the process for dealing with an individual’s request for data portability?
  6. Ensure to account for all possible risks.
    1. Are there adequate records to prove the lawfulness of each instance of data processing?
    2. When appropriate, are consent forms in use (as per Articles 7 and 8)?
    3. Is it possible to show that data subjects have given their explicit consent to data processing?
    4. Is there a management system in place to ensure that data is protected and data processing complies with GDPR regulations?
    5. Have all processes been reviewed and refined in accordance with Article 24 GDPR? For example, have checklists been rewritten with a risk-oriented approach regarding the nature, extent, context and purpose of processing the data?
    6. Are there adequate procedures to test security measures?
    7. Have protective measures, such as anonymization, pseudonymization, and encryption, been used to protect private data from personal attacks?
    8. Is there a management system in place such that a data protection impact assessment can be conducted, and when it should be conducted?
  7. Ensure there are procedures for dealing with data breaches in place.
    1. Are there measures in place to detect data breaches?
    2. As per Article 33 of GDPR, are there adequate measures in place to ensure that a higher authority has been notified of data breaches within 72 hours of its discovery?
    3. How will these breaches be dealt with internally?

GDPR Guide for Dummies: Conclusion

It is important to note this GDPR Guide for Dummies is a very basic guide and should not be considered a basis for GDPR compliance. The General Data Protection Regulation contains 11 Chapters and 99 Articles of regulations relating to the protection of data and how its should be obtained, processed and stored. Naturally not every line of text will apply to every GDPR-covered entity, but businesses and organizations outside the EU should be aware each EU member state has its own data protection legislation that also has to be complied with.

A further consideration for businesses and organizations operating outside the European Economic Area (EEA) is that data subject to GDPR can only be shared with businesses and organizations in non-EU countries that have an adequacy agreement in place. This will affect all businesses and organizations that operate in the cloud and who archive data in jurisdictions (regions and availability zones) that have not met the standards of GDPR adequacy. In this case, it will be necessary to re-migrate the data to a GDPR-compliant region.

The requirements for GDPR compliance are long and complex, and businesses subject to GDPR  not only have to ensure their operations are compliant, but also the operations of third parties with whom data is shared. Although it is not an automatic requirement of GDPR for businesses to appoint a Data Protection Officer to address compliance issues (this requirement only applies in certain circumstances), it is recommended businesses conduct a compliance audit and discuss their current level of data security with a GDPR Compliance Consultant.

Additional Articles about GDPR