What is GDPR and why was it introduced? A person’s personal information contains a lot of sensitive information which could, in the wrong hands, be used to cause harm. The personal information collected by companies can reveal a great deal about a person, and information such as health data and credit card numbers have considerable potential to be abused resulting in financial losses for the data subject.
A great deal of information is now collected digitally, and without appropriate protections in place, that information could be accessed remotely by unauthorized individuals. There is no shortage of people trying to do just that. Cyberattacks are now an everyday occurrence. Cyberattacks aside, there are other potentially harmful uses of personal data. Many companies are collecting information on consumers and are using that information for purposes that the consumer is not aware of. Their personal data is being sold on to companies the consumer may not even be aware of.
The Council of Europe and the European Union have taken steps to improve the rights of consumers to protect their privacy, put them in control of their personal data, and make sure that any company that collects the personal information of consumers or processes consumer data puts appropriate safeguards in place to make sure that information remains private and confidential. The need to protect personal data, control its use, and improve consumer rights led to the creation of the General Data Protection Regulations (GDPR).
GDPR established a number of principles that aim to minimize the risk to personal data and gave consumers more rights over their personal information. GDPR is based on earlier documents relating to data security within the EU (such as the Council of Europe’s Convention 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data), but the new legislation is much more comprehensive and relevant to modern life and current data uses.
GDPR came into effect on the 25th May 2018, replacing the national privacy laws of all EU member states. However, just a few months before that compliance date, a survey revealed that only 2% business leaders thought their company was “GDPR-ready”. Now, a year after the compliance date, there are still companies that are not fully compliant and are unaware of their responsibilities under GDPR.
GDPR text is extensive, and for many people, a little complicated. In this article, we explain some of the most important elements of GDPR to improve understanding of this important EU law.
All entities that collect or use the personal data of EU citizens must comply with GDPR, irrespective of where they are located and even if they do not have a base within the EU. GDPR classifies these entities as either controllers or processors. These entities can be individuals, companies, public authorities, charities, or other bodies.
A controller is an entity that determines the purposes and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of a controller. Any controller or processor that operates within an EU member state (or deals with the personal information of EU data subjects) must be GDPR-compliant. This holds true even if the actual data processing it outsourced to operations in a non-EU country.
GDPR applies in most cases where the personal data of a natural or legal person is involved. One of the cornerstones of the legislation is consent. Consent must be obtained before any personal data can be collected or processed. There are, however, a few notable exceptions. One is when there is a legitimate threat to national security, where qualified individuals may process data without all the necessary consent steps. Similarly, if data must be processed to prevent a crime, this is also allowed without consent. Information about the deceased also does not fall within the definition of personal data.
As mentioned above, personal data can contain highly sensitive information. Anything that can be used to identify a person (termed the “data subject”), either directly or indirectly, is considered to be an “identifier” and thus must be protected under GDPR. Some possible identifiers are listed below:
After collection, this information is often “processed”. This means, either manually or automatically, it is organized, stored, analyzed, altered etc. Essentially, GDPR defines processing as any action or operation performed on personal data.
The party that collects the data is known as the “controller”. The controller decides what kind of information is collected and what will be done with the information after collection. Data may be collected by social media firms via a registration form prior to use a website, by healthcare providers, retailers and many other entities. All must comply with GDPR.
Often the controller will enlist a third party, the processor, to manage the data. They will be instructed by the controller as to how the data should be organized, analyzed, and stored. Any organization contracted by a controller to undertake such actions must also be GDPR-compliant.
Article 5 of GDPR outlines six principles of data processing:
To ensure that these principles are met, it is advised that organizations employ a person in a role equivalent to the Information Security Officer or Privacy Officer in a hospital. The ISO is in charge of ensuring only the appropriate personnel have access to medical records or other health information. For example, someone in billing does not need a patient’s full medical history to send an invoice.
In addition to these six principles, GDPR outlines six legal grounds for data processing. They are shown in Table 1.
Table 1: Legal grounds for data processing.
|Consent must be obtained from the data subject.|
|Legal contracts require data processing for fulfillment.|
|Processing is necessary for compliance with a legal obligation.|
|Emergency situations where processing is in the vital interest of the data subject.|
|Tasks of public interest or for official duties (e..g issues of national security).|
|Other legitimate interests.|
Even if one or more of these conditions are met, controllers and data processors must still ensure that physical, administrative and technical safeguards are in place to protect personal data.
In all usual circumstances, for the processing of data to be lawful it must be done with the data subject’s prior consent. When consent is being solicited, the controller’s objectives must be clearly and unambiguously stated. By giving consent, data subjects are stating that they are happy for the controller to process data in the agreed manner. If the controller later wants to use the data for a different purpose, they must once again seek consent. This must be clearly distinguished from prior consent.
After giving consent, data subjects retain the right to withdraw this approval. This right should be clearly stated in the initial document seeking consent. However, if the data has already been processed, this processing is considered to be lawful.
All contracts or statements requesting consent from the data subject must be understandable to a non-professional. They should also be easily accessible. Once the agreement has been signed, consent is considered to have been “freely given”. If the data subject has no choice or cannot withdraw consent, consent is then not considered to have been freely given.
Children are an increasingly prominent demographic when it comes to digital media and data. However, as they are legally minors, they cannot freely give consent for their data to be processed. Article 8, in particular, covers this area of consent.
If a controller provides a service directly to a minor (an individual below the age of 16), processing is only considered lawful if consent is given by a parent or legal guardian of the minor. The EU already has laws regarding contracts involving children, and sets a general rule that the child involved must not be younger than 13 regardless of parental permissions. The onus is on the controller to ensure that consent is given by a parent or legal guardian.
GDPR awards data subjects several rights. They are described below.
|Right to access||15||Right to obtain data from the controller or to otherwise access said data.|
|Right to rectify||16||Right to change any personal data if it is determined to be incorrect. There should be no delays in amending data.|
|Right to object||21||Right to prevent controllers and processors from further handling or storage of data.|
|Right to restriction of processing||18||Right to prevent further processing of personal data.|
|Right to erasure||17||Right to request that personal data held by controllers is erased as soon as possible.|
|Right to data portability||20||Right to obtain personal data from controllers in a common, digital format.|
|Right to complain||77||Right to lodge a complaint with a supervisory authority in the nation in which they reside.|
|Right to judicial remedy||78/79||Right to an effective judicial remedy against decisions of supervisory authorities and/or controllers and processors.|
|Right to not be automatically processed||22||Right not to be subjected to a decision that is based only on automated processing, including profiling. Applicable profiling has legal consequences for an individual.|
|Right to receive compensation||82||Right to be compensated by the controller or processor for material or non-material damage.|
|Right to representation||80||Right to be represented by a not-for-profit body when lodging complaints or receiving compensation.|
First and foremost, the controller must show that they are legally GDPR-compliant. This means that the controller and processor must demonstrate that they have the technical and administrative safeguards in place that protect the rights of the data subject. Ideally, these measures will be implemented by design, i.e. the controller’s policies are set up to provide the maximum protection to the data subject.
If, despite these measures, personal data is still accessed by unauthorized individuals, the controller must notify the supervisory authority without undue delay and within 72 hours of the discovery of a data breach. To help with this process, and to ensure general GDPR compliance, the controller may find it beneficial to appoint a Data Protection Officer.
The controller also has a duty towards its data subjects to ensure that they can exercise their rights with ease. This applies to all levels of processing, from ensuring the data subject has adequate information when the data is being collected to notifying them of the length of time their data will be stored.
Other obligations of the controller are listed below:
Article 5 also lays out the so-called “Accountability Principle”, which means controllers should be able to demonstrate GDPR compliance and are responsible for ensuring their continued compliance.
It is imperative that, when collecting data, the data subject receives enough information for them to understand why the data is being collected and how it will be processed. They must also understand their rights (e.g. their right to access the data after collection, or the right to amend data if it has been discovered to be inaccurate).
When asked for their personal data, the data subject must be provided with the following information:
However, data may be collected indirectly. This does not mean the controller no longer has to provide any information to the data subject. Rather, one piece of extra information is needed: How the data was obtained.
There are a few circumstances in which the controller does not need to supply details of processing etc. to the data subject:
GDPR stipulates that controllers and processors must maintain meticulous records of all processing activities carried out on the data (Article 30). These records must include the following:
All records must be in writing and available to the relevant supervisory authority upon request. If the controller has fewer than 250 employees, they can be exempt from this requirement unless their processing activities put the data subject’s rights at risk, the data concerns criminal offences or the data includes special types of personal data.
We have mentioned “technical and administrative safeguards” many times throughout this piece without going into much detail. Essentially, they are any measure enacted by the controller to protect data from any risks. These risks can take the form of errors made by employees or attacks by cybercriminals. The controller must make sure their operating systems are completely secure, that data is encrypted and – where possible – anonymized. They must also carry out regular risk assessments to ensure the continued security of data in light of new technological advancements and changes to business operations, policies and procedures.
As they are acting on behalf of the controller, processors have similar requirements regarding the protection of data privacy. If the processor breaches GDPR, they will be treated in the same way as a controller and can be prosecuted.
There are some other legal requirements of data processors:
In the unfortunate event of a data breach, the controller has just seventy-two hours after the discovery of the breach to notify the relevant supervisory authority. If there is a delay in notifying the authority, this must be justified by the controller.
The controller should provide the supervisory authority with information regarding the nature of the breach, the type of data that has been breached, contact details of their DPO, the number of data subjects involved and their plan of action to mitigate any consequences.
Of course, the controller also has a duty to notify the data subject of the breach. This should also be done without delay, especially if it concerns the rights of the data subject. In clear language, the same information must be provided to the data subject as is provided to the supervisory authority. If, however, it is deemed that appropriate measures have been implemented to protect the data (e.g. it has been encrypted) or that the effort to notify is disproportionate, the controller is exempt from notifying the data subject.
GDPR would have little effect if there were no negative consequences of non-compliance. If a breach occurs, or other damages result from data processing, it is the controller that is legally liable. If the data subject has suffered harm as a consequence of the controller’s actions, they retain the right to seek compensation.
GDPR non-compliance can attract large fines: The maximum fine, depending on the penalty tier is either €10 or 20 million, or 2% of 4% of the controller’s annual global financial turnover based on the previous year. GDPR lays out the limits for fines, but it is down to the discretion of the supervisory authority to decide how much should be paid for specific violations. The fine should not be excessive, when considering the nature of the violation, but it should also be sufficiently dissuasive.
Some breaches may also lead to legal action being taken against the controller. These will usually be resolved where the affected data subject has residency, even if the controller technically has no physical base in that country.
After a grace period stretching two years, GDPR has finally become law. It is now imperative that all organizations are familiar with the new regulations and have adapted their practices accordingly. GDPR awards new rights to data subjects, as well as giving more responsibilities to controllers and processors. The latter parties must do their utmost to protect personal data, as well as helping data subjects exercise their rights.
However, even recently, many controllers have said they are unsure if they are GDPR-compliant. It is strongly advisable to conduct an internal audit to check whether they are GDPR-compliant and thus avoid hefty fines. Some questions to consider include:
By considering these questions and others, controllers can move forward with their GDPR compliance programs.