Should you bother about the GDPR?
An overview guide to understanding the GDPR regulation
The General Data Protection Regulation (GDPR) is a new legal framework formalized in the European Union (EU) in 2016; all applicable organizations are expected to be in compliance with the GDPR by May 2018. The GDPR effectively replaces the Data Protection Directive (DPD) introduced in 1995 and is considered much stronger than the DPD. Before discussing the GDPR any further, it is worth identifying the major distinction between the DPD and the GDPR: the DPD is a directive while the GDPR is a regulation.
The DPD is a directive: in the EU, a 'Directive' is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.
The GDPR is a regulation: in the EU, a 'Regulation' is a binding legal act throughout every Member State. It enters into force on a set date in all Member States and must be applied in its entirety across the EU.
One can easily get the wrong impression about the GDPR by understanding it as an attempt to constrain the processing of individuals' personal data for commercial purposes. In reality, the GDPR facilitates the expansion of digital transformation by providing certainty to business organizations and putting the customer back in control of his/her personal data; with the GDPR, businesses can engage with customers within a properly defined legal context.
- The GDPR enhances and accepts the fundamental right to protection of personal data belonging to an individual, and also ensures freedom in processing personal data based on the individual's explicit and positive consent. This enables customers to engage with business organizations under a well-defined context with an assurance on consumer rights.
- The GDPR provides business organizations with certainty on data processing: organizations can now make proper judgments on customer data processing without running the risk of data protection related lawsuits.
The DPD formalized in 1995 is the original root of the GDPR. Significant proposal-level discussions took place from 2012 to 2014, and the EU Parliament and Council came to an agreement on the GDPR in December 2015. Finally, the GDPR became an EU regulation in April 2017 and it will be in effect from 25th May 2018. The eugdpr.org reference listed at the end of this post provides a detailed timeline.
The subject of the GDPR
The GDPR is only applicable to natural persons, not to legal persons. Wikipedia defines a natural person as follows.
“In jurisprudence, a natural person is a person (in legal meaning. i.e., one who has its own legal personality) that is an individual human being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental organization) or public (i.e., government) organization”
In very basic terms, the GDPR applies to living human beings in the EU; the GDPR is not effective on personal data belonging to any deceased individual.
Objectives of the GDPR
As per its very first article, the GDPR is mainly concerned with two areas.
- Processing of personal data belonging to a natural person.
- Free movement of personal data within the Union.
It is important to understand that the GDPR does not try to restrict or prohibit the free movement of personal data within the EU; instead it strengthens the fundamental right to protection of personal data and the freedoms of individuals. The GDPR also provides a clear process and safeguard measures for transferring personal data outside the EU.
The GDPR and Brexit
The impact of Brexit on the GDPR is a controversial topic for some people, but in reality there is a very high chance that the UK will establish a similar policy on data protection which closely follows the GDPR. In fact, there is already a press release from the UK government about strengthening data protection laws through a new bill. Additionally, the Data Protection Act (DPA) currently used in the UK closely follows the EU Data Protection Directive (DPD).
There is no universally accepted definition of personal data; in practice each country uses its own formal definition within its national policies, but most of these definitions are close to each other and fundamentally based on the same set of privacy principles.
In the US, 'Personally Identifiable Information (PII)' as defined by NIST is used to identify personal data; in that system personal data are further categorized as Personally Identifiable Information (PII) and Sensitive Personal Information (SPI). In the UK, the Data Protection Act (DPA) formalized in 1998 provides a definition of personal data. Here is the GDPR definition of personal data.
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
- Any information that can be used to identify a natural person is considered personal data and needs to be regulated according to the GDPR.
- It could be an online identifier such as a username, email address, IRC username, cookie, IP address, Radio Frequency Identification (RFID) tag, device or application identifier.
- It could be a biometric element such as facial recognition data, a fingerprint or something similar.
In conclusion, if you process any of the above data categories then your business needs to be in compliance with the GDPR.
So far we have heavily used the term 'processing' in this post, but the GDPR definition of the term does not exactly align with its generally accepted meaning. According to the GDPR, the term 'processing' refers to any of the following.
- Collection of personal data.
- Recording of personal data.
- Organizing, cataloging or structuring of personal data.
- Storing of personal data.
- Adaptation or alteration of personal data.
- Retrieval of personal data.
- Consultation based on personal data.
- Personal data disclosure by transmission.
- Dissemination or otherwise making available of personal data.
- Alignment or combination of personal data.
- Restriction of personal data.
- Erasure or destruction of personal data.
It is also important to understand that the definition of 'processing' is not restricted to automated means; it applies to any means. For example, collecting data by filling in a paper form, or recording/storing personal data while someone orders a pizza, are also covered. Additionally, it does not matter whether you process personal data wholly or partially.
However, the GDPR definition of 'processing' is not applicable in the following cases.
- Processing of data belonging to a legal person such as a company or public authority.
- Processing of personal data belonging to deceased persons, although EU Member States can provide separate regulations on processing data belonging to deceased persons.
- An activity which does not fall under EU law.
- A purpose which is purely a personal or household activity.
- When an EU Member State carries out an activity categorized under the 'Common Security and Defence Policy'; Title V of the Treaty on European Union (TEU) provides the exact definitions of such activities.
- When a public authority carries out an activity for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the prevention of threats to public security.
The GDPR and SMEs
Under the GDPR, data processing organizations are required to maintain records of all data processing activities, but micro, small and medium-sized enterprises (SMEs) with fewer than 250 employees are excluded from this requirement. For the benefit of those who are not familiar with the EU, the EU notion of an SME is given below.
SME: an enterprise is categorized as a micro, small or medium-sized enterprise (SME) if it meets the following two criteria.
- Number of employees is fewer than 250.
- Annual turnover or balance sheet is less than EUR 50 million.
Within the SME category there are two further sub-categories, small and micro.
- Small: number of employees is fewer than 50, and annual turnover or balance sheet is less than EUR 10 million.
- Micro: number of employees is fewer than 10, and annual turnover or balance sheet is less than EUR 2 million.
In the GDPR, 'controller' means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union/Member State law.
According to the above definition, a 'controller' can be any organization or any person who decides:
- The purposes of the personal data processing (WHY?)
- The means of processing (HOW?)
Both of the above 'why' and 'how' factors should be based on EU Member State laws. Banks, general practitioners, pharmacists and traders who keep personal information about their patients, clients etc. are all examples of controllers.
The recipient is the entity to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in accordance with the law are counted as recipients, but the processing of those data by those public authorities should be in compliance with the GDPR.
Information society services
Information society services are defined as "any service normally provided for remuneration at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, at the individual request of a recipient of the service".
Who is affected by the GDPR
Territorial applicability of the GDPR is determined based on the 'establishment' of the processing organization, by evaluating the following simple criteria.
- If the processing organization is established within the EU, the GDPR is applicable to any processing of personal data regardless of:
  - Whether the processing takes place within the EU or not.
  - Whether the data subject (natural person) is within the EU or not.
- If the processing organization is not established within the EU, the GDPR is applicable:
  - If the processing organization is established in a place where EU law is applicable.
  - If the processing organization processes data belonging to an EU citizen.
  - If the processing organization processes the behaviour of an individual where that behaviour takes place within the EU. (Diplomatic missions and consular posts are a few examples.)
Privacy principles of GDPR
The GDPR is based on several privacy principles. These principles need to be discussed in detail in a separate post, but for the completeness of this discussion let's look at them in brief.
1. Lawfulness, fairness and transparency
You must have legitimate grounds for collecting and using personal data, and in order to be 'lawful' all processing of personal data must be according to the law. The GDPR defines the following 6 broad grounds for lawful processing.
- Consent from an individual.
- A contract with an individual.
- Compliance with a legal obligation.
- Vital interests.
- Public tasks.
- Legitimate interests.
Additionally, processing of personal data should be fair and should provide a very high degree of transparency. Providing a properly designed privacy notice is one of the best ways to educate your customers about the transparency of data processing. You can refer to the privacy notices from Facebook, Google and Amazon for a few good examples.
2. Purpose limitation
The purpose of the data processing must be limited to the original purpose stated, and consented to by the individual, at data collection time. In order to process the data for any purpose other than the original one you need to get fresh consent from each individual.
3. Data minimization
When collecting and storing personal data you need to ensure that you collect/store only the data required to fulfil the purpose of the current processing; you are not supposed to collect/store any additional data which is not required for the current processing.
4. Accuracy
As a data processing organization you must make sure all the personal data that you process are accurate. In a situation where it is revealed that the data are not accurate, you have to take immediate action to rectify or delete the incorrect data.
5. Storage limitations
You can only store personal data for as long as the original purpose is valid. Once the original purpose becomes invalid, the personal data should be deleted from storage, or you can keep those data after removing uniquely identifiable details.
6. Integrity and confidentiality
Processing organizations should make sure that only authorized people have access to the data. Additionally, you should make sure these authorized people use strong passwords and that you have best-practice password policies in place.
7. Accountability
According to the accountability principle, a processing organization should be able to demonstrate that it complies with the principles; the GDPR states explicitly that this is the organization's responsibility.
Individuals' rights under the GDPR
Again, this is a topic for a separate post, but it is worth providing a summary of individuals' rights under the GDPR. The following is the list of rights provided to individuals.
1. The right of transparency and modalities
All processing activities based on personal data must be transparent to individuals; it is the responsibility of the processing organization to make these processing details available to individuals in a clear, concise and intelligible manner. Additionally, that information should be in an easily accessible format and should use plain language.
2. The right to be informed
Each individual should be properly informed by the data processing organization with an adequate level of information about the processing. This includes the name and contact details of the organization, the purpose of the data processing, the legal basis for the processing, the intended period of time for keeping the individual's data, whether an automated decision-making system is in place, other recipients of the data including third parties, and the rights of individuals, such as the right to access their data at any time, the right to withdraw previous consents, the right to lodge a complaint, etc.
The above details need to be provided when collecting personal data directly from individuals and when collecting personal data indirectly. A privacy notice is the typical way for commercial organizations to provide the above details.
3. The right of access
The GDPR allows individuals to request information about data processing from a processing organization by sending a Subject Access Request (SAR); information such as what personal data has been processed, the processing purpose, and what data are stored within the system can be requested.
Under the GDPR it is mandatory for a processing organization to respond to a SAR at the latest within one month of receipt. If processing the SAR is complex, the organization can extend this period by a further two months, subject to notifying the individual about such an extension.
4. The right to rectification
An individual should have the right to require the processing organization to correct errors in the personal data processed, without any delay.
5. The right to be forgotten
An individual should have the right to request that processing organizations erase his/her personal data without any delay. Additionally, when a processing organization has made personal data public, an individual can request the erasure of any links to, or copies or replications of, those personal data.
6. The right to restrict processing
It is possible for an individual to request that a processing organization restrict the processing of his/her personal data. In such cases the processing organization may continue to store the data, but the purposes for which the data can be processed are strictly limited.
7. The right to notification (notification obligation)
In the following cases the processing organization should communicate to the individual in a concise manner.
- Personal data rectification.
- Personal data erasure.
- Personal data restriction.
8. The right to data portability
An individual has the right to receive his/her personal data stored by a processing organization in a structured, commonly used and machine-readable format. This makes it easy to transmit the received information to another organization.
Where technically feasible, an individual can request that his/her personal data be transferred directly from one processing organization to another.
9. The right to object
An individual can object to the processing of his/her own personal data at any time; in such cases the processing organization should stop processing the affected data unless it can demonstrate legitimate grounds for continuing to process the affected data.
10. Rights in relation to automated decision making and profiling
An individual has the right not to be subject to decisions based solely on automated processing which significantly affect them. Online credit applications, e-recruiting or e-evaluation of performance without any human intervention are some examples of solely automated processing.
As we already discussed in a previous section, 'user consent' is one of the five lawful processing means defined in the GDPR, but in the commercial world it is the most common and widely used approach. Providing a well-designed consent when collecting data, or when getting approval from an individual, is a significant step towards bringing your business into compliance with the GDPR.
According to the GDPR, consent should be specific, informed and unambiguous, and should be given freely so that the individual can make a real choice as he/she wishes. In cases where consent cannot be given freely, such as with public authorities, consent should not be used; instead one of the other lawful processing means can be used.
The following are some of the important aspects you need to pay attention to when implementing consent.
- Active opt-in: consent requires a positive opt-in; avoid pre-ticked boxes or any other method of consent by default.
- Informed: consent should be clear, concise and specific about its content.
- Unbundled: consent should be presented separately, in a distinguishable manner, from other content such as general terms and conditions.
- Named: consent should provide clear information about the processing organization.
- Easy to withdraw: consent should explicitly mention the individual's right to withdraw consent at any time, with clear instructions about the withdrawal procedure.
- Granular: organizations should provide granular consent so that consumers can consent to different types of processing separately.
- Continuously reviewed: organizations should establish a process to continuously review consent against business/system changes to make sure they remain in compliance with the GDPR.
- Documented: the processing organization should keep evidence of consent, such as who consented, when, how, and what they were told.
- No imbalance in relationships: when there is an imbalance between an individual and the processing organization (cases such as public authorities and employers) it is not possible to give consent freely; in such cases some other legitimate means should be used instead of consent.
- Time limits: there are no explicit rules about how long you can keep personal data, but it is recommended to state, along with the consent, how long you will store and process personal data.
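As an added example (not code from the original post), here is a small consent ledger in Python that models the points above: an affirmative opt-in check, granular per-purpose consent, withdrawal at any time, a stated time limit, and the who/when/how/what-they-were-told evidence. The purposes, subject ids, notice versions and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Granular purposes: the individual consents to, or withdraws from, each one separately.
PURPOSES = {"order_fulfilment", "newsletter", "profiling"}


@dataclass
class ConsentEvent:
    """Evidence of consent: who, when, how, what they were told, and for how long."""
    subject_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    timestamp: datetime
    method: str            # how: e.g. "web form checkbox", "unsubscribe link"
    notice_version: str    # what they were told: version of the privacy notice shown
    valid_for: Optional[timedelta] = None   # stated time limit of the consent, if any


class ConsentLedger:
    """Append-only record of consent events; nothing is overwritten or deleted."""
    def __init__(self):
        self.events = []

    def record_consent(self, subject_id, purpose, method, notice_version, now,
                       *, affirmative, valid_for=None):
        # Active opt-in: a pre-ticked box or silence is not an affirmative action.
        if not affirmative:
            raise ValueError("consent must be an affirmative action; defaults do not count")
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.events.append(ConsentEvent(subject_id, purpose, True, now,
                                        method, notice_version, valid_for))

    def withdraw(self, subject_id, purpose, method, now):
        # Withdrawal must be possible at any time and is itself kept as evidence.
        self.events.append(ConsentEvent(subject_id, purpose, False, now, method, "n/a"))

    def may_process(self, subject_id, purpose, now):
        """Consent state at time `now`: the latest event on or before `now` must be a
        grant that has not been withdrawn and whose stated time limit has not passed."""
        latest = None
        for ev in self.events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.timestamp <= now:
                if latest is None or ev.timestamp >= latest.timestamp:
                    latest = ev
        if latest is None or not latest.granted:
            return False
        if latest.valid_for is not None and now > latest.timestamp + latest.valid_for:
            return False
        return True

    def evidence(self, subject_id):
        """The audit trail the individual or a supervisory authority could ask for."""
        return [vars(ev) for ev in self.events if ev.subject_id == subject_id]


def demo():
    """Constructed walk-through for a hypothetical individual 'subject-42'."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ledger.record_consent("subject-42", "order_fulfilment", "web form checkbox",
                          "notice-v3", t0, affirmative=True)
    ledger.record_consent("subject-42", "newsletter", "web form checkbox",
                          "notice-v3", t0, affirmative=True, valid_for=20 * day)
    try:   # pre-ticked profiling box: not an affirmative action, so not consent
        ledger.record_consent("subject-42", "profiling", "pre-ticked checkbox",
                              "notice-v3", t0, affirmative=False)
        profiling_rejected = False
    except ValueError:
        profiling_rejected = True
    t1 = t0 + 30 * day   # the individual unsubscribes from the newsletter on day 30
    ledger.withdraw("subject-42", "newsletter", "unsubscribe link", t1)
    return {
        "profiling_rejected": profiling_rejected,
        "newsletter_day10": ledger.may_process("subject-42", "newsletter", t0 + 10 * day),
        "newsletter_day25_expired": ledger.may_process("subject-42", "newsletter", t0 + 25 * day),
        "newsletter_day31_withdrawn": ledger.may_process("subject-42", "newsletter", t1 + day),
        "order_fulfilment_day31": ledger.may_process("subject-42", "order_fulfilment", t1 + day),
        "evidence_count": len(ledger.evidence("subject-42")),
    }
```

Because the ledger is append-only, `evidence()` returns the full history including the withdrawal, which is what an auditor or the individual would ask to see.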
Effect on existing consents
It is not compulsory to discard all of your existing consents and get fresh consent from individuals to be in compliance with the GDPR, but it is absolutely necessary to conduct a review of the current consent management process. If the current process is in compliance with the GDPR, then you can consider the existing consents valid and continue processing.
If you have any doubt about existing consents in relation to the GDPR compliance requirements, it is always a good idea to discard them and get fresh consent in a GDPR-compliant manner.
Impact on direct marketing
According to the GDPR, direct marketing is a special case where an individual can object to the processing of his/her own personal data at any time, and upon receiving such an objection the processing organization should not process the personal data concerned for the purpose of direct marketing.
Further, processing organizations cannot email or text individuals to ask for consent, because such a message itself constitutes a direct marketing message; some real-world example cases already exist which can be used as guidelines.
The GDPR and children's data
The GDPR pays special attention to the processing of personal data belonging to children. When a processing organization gets positive consent from a child to process his/her data, the processing organization is responsible for making sure the information within the consent and the options given in the consent are well understood by the child. It is possible to use techniques such as graphical designs, videos and simple language to design such consents.
Also, in applicable cases, the processing organization should make every possible attempt to verify the age of the child so that it can decide whether the child can understand the consent and assess the risk involved with it. The processing organization should also make adequate attempts to get approval from the holder of parental responsibility for the child.
Data Protection Officer (DPO)
The GDPR introduces a special role called the Data Protection Officer (DPO) to provide necessary advice to processing organizations and to act as the point of contact for individuals and supervisory authorities. The DPO can be a staff member or an external contractor, but should have the professional qualifications and expert knowledge to perform the tasks associated with the role.
According to the GDPR, appointment of a DPO is required in the following cases.
- Processing is carried out by a public authority, except courts.
- The nature of the data processing requires regular monitoring of individuals.
- Data processing involves a large amount of data, or processing of data related to criminal convictions.
- Some other conditions according to EU/Member State laws.
The GDPR text itself does not provide a quantitative interpretation of the phrase 'large amount of data', but according to a recent publication from Gartner, organizations processing the data of more than 5000 individuals within 12 months fall under 'large amount of data' (http://www.gartner.com/smarterwithgartner/top-five-priorities-to-prepare-for-eu-gdpr/).
The GDPR also lists the following basic responsibilities for the DPO.
- Inform and advise staff members on data protection regulations and procedures.
- Monitor the compliance with the regulations.
- Advise on data protection impact assessments (DPIA) when requested.
- Cooperate with supervisory authorities and act as the point of contact for them.
- Act as the point of contact for individuals on any data protection related matters.
Data Protection Impact Assessments (DPIA)
The GDPR recommends that processing organizations carry out a data protection impact assessment (DPIA) depending on the nature of the data processing, especially when moving to use new technologies. The DPIA needs to be conducted prior to any data processing, and if a DPO is present the organization can seek his/her advice.
The following are cases where the GDPR mandates conducting a DPIA.
- Systematic and extensive evaluation of personal data using automated processing, including profiling.
- Large-scale processing of personal data belonging to special categories.
- Large-scale systematic monitoring of publicly accessible areas.
- Additionally, supervisory authorities can mandate a list of such cases.
How to behave in a data breach
One of the important aspects of the GDPR is that it explains the procedure to follow in a data breach in a precise and detailed manner. In summary, the processing organization must communicate the data breach to the supervisory bodies within the first 72 hours, with adequate details about the incident and the proposed mitigation actions.
If there is a possibility that the data breach affects individuals, the processing organization should communicate with each affected individual without any delay, including the mitigation actions.
Establishing a well-defined process and action plans to communicate with supervisory bodies within the first 72 hours and to communicate effectively with affected individuals should be a very important task in your GDPR compliance preparation plan.
Codes of conduct and certifications
Under the GDPR, associations and other bodies, such as professional bodies representing various industry and professional fields, are encouraged to come up with codes of conduct within the limits of the GDPR, and the GDPR also defines the procedures for establishing such codes of conduct. The main objective here is to facilitate the effective application of the GDPR.
Also, in order to help processing organizations be in compliance with the regulation, the GDPR encourages the establishment of certification mechanisms and data protection seals. From the individual's point of view, such certifications and seals help to quickly assess the level of data protection of the relevant products and services.
Adopting an EU-approved code of conduct related to your industry or professional practice, and/or getting certification from a GDPR-approved certification body, are the two best approaches that you can use to be in compliance with the GDPR.
- The GDPR in a readable format: https://gdpr-info.eu
- The EU Data Protection Directive: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
- The GDPR timeline: http://www.eugdpr.org/gdpr-timeline.html