This e-book is derived from a full GDPR course I created that has had over 11,000 student enrolments. I thought it would be useful to provide a version on Medium. Data protection law can be complex and an e-book cannot be sure to cover your organisation’s circumstances, so be sure to seek professional advice if you have any doubts when processing personal data.
In this opening chapter, I introduce the book and place the regulations in context.
This e-book is designed to give you an overview of the key areas that you should focus on in order to achieve an acceptable level of compliance with the General Data Protection Regulation. The aim of this book is to help you significantly lower the risk of regulatory intervention in your organisation. Reading this will not make you compliant, but it will point you in the right direction, improving your awareness so that you can take further action in the areas where you feel your organisation lacks compliance.
The book is aimed at businesses and organisations who want to understand what actions they need to take to meet the regulation. It covers the content of the GDPR and how this relates to the actual activity needed to achieve a more compliant position.
The boring but important bit
This book is primarily focussed on UK businesses as this is where the author’s experience lies; however, being European law, the principles will apply across all European Union nation states. All of the applicable principles and regulatory requirements will be relevant throughout the EU. As a general rule, you can consider any references to the UK’s Information Commissioner’s Office (or the “ICO”) as equivalent to references to the applicable supervisory authorities in any of the other EU countries.
The book was written in 2018, so reflects the position at that point. There have been some minor updates, but if in doubt, seek professional advice.
The text is written from a Data Controller’s perspective as this is the widest point of compliance. If you meet this level of compliance, you can’t go wrong. Data Processors will have lesser obligations; however, any processor is likely to have elements of their business where they act as a Controller.
This text focuses on the key areas of compliance risk only. There is a significant amount of legislation to cover to achieve full compliance across the GDPR. Between this and the UK Data Protection Act 2018 and the vast amounts of guidance and commentary relating to the GDPR, the overall landscape is a bit of a moving target! As such, while the author has made reasonable efforts to make the information in this book as accurate as possible, it is not possible to guarantee that it is 100% in line with the evolving data protection landscape. In order to structure the book, the author has focussed on the highest risk areas that are most likely to come under regulatory scrutiny under the GDPR.
The law requires that every organisation must be fully compliant with the GDPR from 25 May 2018 onwards. This date is known as the enforcement date. Beyond this date all organisations that process personal data should be able to demonstrate compliance; however, the reality is that for many organisations this may prove difficult to achieve. Whatever the reasons for this, this book not only offers guidance on how to improve your compliance, but also provides assistance on the highest risk areas for compliance that should be tackled first in order to lower risk for the business and for data subjects.
As with any new legislation, not every element is relevant to every organisation, and the risks presented to each organisation will differ, so this book should act as a guide only and you should seek legal or expert advice if you are uncertain about what the legislation means to you. The book is written from the perspective of a small to medium-sized enterprise with multiple processing activities, processing customer data and employing a significant number of staff, as this represents the point where all the necessary compliance actions will apply.
One final note: the terms data subject, individual and person are used interchangeably throughout the text to mean the people to whom personal data belongs.
Chapter 1 — Introduction
The purpose of this e-book is to give you an understanding of the key concepts of the GDPR. We will introduce the General Data Protection Regulation and will explore how it fits into the regulatory landscape, including a specific look at the UK position as a result of the Brexit referendum.
· We will explore how the regulation is framed around certain data processing principles that provide the boundaries for processing personal data and what these mean.
· We will cover how data processing must be in line with one of the lawful reasons for processing and will look at how to go about determining which basis of processing is appropriate.
· We will work through the rights that each data subject has under the GDPR and how those rights may be exercised and the circumstances that may apply when complying with those rights.
· We will look at the requirements for reporting any data breaches that may occur, exploring possible exemptions for reporting and how the accountability principle ensures that reporting decisions are recorded.
· We will look at the requirement for privacy to be embedded into organisations through the principle of privacy by design and will consider the use of privacy impact assessments to encourage responsible behaviour.
· Finally we will examine the special role of the Data Protection Officer and how this role should fit into organisations who process personal data.
As mentioned at the beginning, if any of the topics covered here apply to your activities and you have any uncertainty about your obligations you should consider seeking expert advice.
The GDPR — What’s it all about?
The General Data Protection Regulation, or GDPR, is a European Union regulation that came into force from 25 May 2018 and governs the use of personal data belonging to EU citizens and those located within the EU.
The previous data protection framework was written before smartphones, before Facebook and before people started depositing large volumes of personal data online. The new framework is designed to ensure that control of data, especially online data, is retained by the individual, but it affects businesses processing data whether it is collected over the internet or by more traditional methods.
Organisations that process personal data belonging to EU citizens need to be ready to follow the new regulations or face the possibility of investigation and possibly fines from their member state’s regulator. If you collect, store or use data relating to anyone alive in the EU today then the changes could impact you.
The regulations apply to both organisations processing data in the EU and organisations based outside the EU who are processing the data of EU citizens.
Across the EU, each Member State has implemented law in its jurisdiction to enforce the GDPR. The laws across the EU all conform to the GDPR; however, there may be some differences where existing legal frameworks necessitate variances. For example, the legal systems in Denmark and Estonia do not allow administrative fines and require a workaround that fits within their legal frameworks. There is also scope for limited national opt-outs (technically known as derogations) in areas such as processing for national security.
After the implementation date in 2018, existing data protection laws across the EU were superseded by the new regulations. In the UK this means that the Data Protection Act 1998 was superseded by the UK Data Protection Act 2018, which supports the implementation of the GDPR. Each EU Member State has a local regulator which is charged with enforcing the GDPR and local data protection law. In the UK the regulator is the Information Commissioner’s Office (generally shortened to the ICO). The ICO had existing duties under the Data Protection Act and carried those duties forward into its role in the new regulatory environment. It is known as a supervisory authority in the GDPR.
GDPR beyond the EU
The regulations apply to both organisations that process data in the EU and to any organisations based outside the EU who are processing the data of EU citizens.
The regulations accept that, in a global economy, it is likely that transfers of data will need to occur outside the EU. For example, how many businesses or their suppliers have their main IT servers based in the UK, but also have email servers or disaster recovery backup servers based in another country? In order to ensure that EU citizens remain protected, the GDPR requires recipient organisations outside of the EU to have data privacy and protection standards of a similar standard to those in EU Member States. This is a protection referred to as adequacy.
Put simply, transfers to third countries (those outside the EU rules) and international organisations may only be carried out with complete adherence to the GDPR. Organisations outside of the EU who wish to process personal data belonging to EU citizens must follow the GDPR or a local scheme that has been agreed with the EU as being of GDPR-level compliance. If an entire country is deemed to have reached the appropriate standard then the EU will formally declare this in an “adequacy” decision.
The EU has recognised 12 non-EU countries as having adequate data protection measures in place, including Argentina, Israel and New Zealand.
If an organisation in a third country wishes to process personal data belonging to EU citizens, then it must fulfil certain obligations, such as appointing a representative who is based in an EU Member State.
It should be noted that the EU does not accept that the United States’ data protection laws are good enough to protect the rights of EU citizens. The GDPR provides a number of options for data transfers in this situation, such as binding corporate rules and certification mechanisms, but the current preferred approach is to use standard contractual clauses with third country organisations, combined with a documented assessment of risks to data subjects and the necessity of the processing. International data transfers are a complex area, so if you need to do them, seek specialist legal advice!
The local data protection regulator has the power to investigate complaints made against organisations based in its jurisdiction or by data subjects based in its jurisdiction. Each EU Member State has a data protection regulator; for example, the UK has the Information Commissioner’s Office whilst Finland has the Office of the Data Protection Ombudsman. Regardless of their name, they all enforce the GDPR.
Guidance issued by the European Data Protection Board has established the principles within which national regulators must act when the regulations have been breached. The guidance is clear that the nature of the breach and the circumstances must be taken into account. This means that flagrant disregard of the regulations will attract higher levels of corrective action than minor data protection issues or good intentions with poor execution.
One of the key areas that has attracted a lot of publicity is the scale of the fines that regulators can levy against organisations who are found to be in breach of the regulations. Fines under GDPR can reach as high as 20 Million Euros or up to 4% of an organisation’s global turnover, whichever is greater. This provision is designed to prevent large global corporations, such as the internet giants, from shrugging off a monetary sum that would barely dent their profits.
A range of enforcement options exist for regulators. These range from reprimanding offending organisations through to issuing fines and public censure. It is also clear that, because regulatory regimes are compared against one another, organisations will face similar regulatory treatment across the EU.
In reality the regulatory landscape, and specifically how data protection regulators will set the bar for enforcement, is going to evolve as the GDPR is implemented and precedents are set.
GDPR and Brexit
On 23 June 2016, a majority of the people of the UK voted to leave the European Union.
The UK government was clear that Brexit would not affect the current UK implementation of the GDPR. As such, individuals and organisations should continue to work on the understanding that the GDPR, as implemented by the UK Data Protection Act, will apply in the UK in the medium term.
However, depending on the nature of the final Brexit arrangement, which is still evolving, it is possible that the regulatory and legal framework will change in the future. It should be noted, though, that the EU will expect equivalent protections if data is to be shared freely between the EU and the UK.
If free data transfers with the EU are a desired outcome for the UK, then as a “third country” the UK will need to achieve and maintain an adequacy decision to allow data transfers to occur, and will need to be GDPR compliant. At the time of writing, the UK has been granted an adequacy decision, so data can continue to transfer between the EU and the United Kingdom.