This is not intended to be an exhaustive guide. We make no representations that the information contained in this article is error free, or that the interpretations of the law contained herein are accurate. Interested parties are advised to read the legislation comprehensively and obtain appropriate legal advice.
At inploi we take data transparency and protection seriously. The GDPR is a nifty piece of European Union legislation designed to provide formal regulations for doing just this, protecting the data of EU residents. Whilst the GDPR brings about extensive changes and added responsibilities for those who hold and process people’s data, we believe it is a welcome intervention and a step in the right direction to ensuring that people’s privacy is protected.
We have set out to demystify it a little, to explain (in broad terms) what it is, what rights it grants to people, and how they are able to exercise those rights. This is a lightweight, easily understandable (hopefully) guide to a complex piece of legislation, for both individuals (“data subjects”) and companies/organisations (“data controllers”/“data processors”).
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation [(EU) 2016/679] intended to harmonise data privacy laws across the EU’s member states, replacing the 1995 Data Protection Directive (95/46/EC). It deals with the protection of natural persons (individuals) with regard to the processing of their personal data, and the free movement of such data.
Whose data does it protect?
The protections granted to individuals under the GDPR are broad. They apply to all natural persons (human individuals) who are in the EU’s member states, regardless of their nationality or place of residence (Article 3 refers to “data subjects who are in the Union”).
What sort of data does it cover?
The GDPR applies to any information concerning an identified or identifiable natural person. Specifically, ‘personal data’ means any information relating to a ‘data subject’ – someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Online identifiers such as cookies, IP addresses and RFID tags count, as does ordinary contact information.
Anonymous / anonymised information (provided it cannot be attributed to an individual using additional information) is not covered. The data of deceased persons is also not within its scope.
Who has to comply with it?
The provisions of the GDPR are binding on ‘data controllers’ (those who determine why and how personal data are processed) and ‘data processors’ (those who process it on a controller’s behalf). They apply to any organisation established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour – regardless of where the organisation or its servers are located.
Why is this happening?
The EU clearly lays out the rationale for the implementation of the Regulation:
(6) “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data”.
(7) “Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced”.
The regulation continues, saying:
(11) “Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States”.
Enter the GDPR.
When does it come into effect?
The provisions of the GDPR are enforceable from the 25th of May 2018. As a regulation rather than a directive, it is directly applicable in every member state: national governments do not need to pass their own legislation to bring it into force (although they may legislate on the points the Regulation leaves to them).
What about BREXIT? Do UK companies still have to comply?
In short, yes. Despite its intention to leave, at the time of writing Britain remains a member of the EU, and as such it is subject to EU regulations. It also seems likely that there will be a period of ‘regulatory continuity’ after BREXIT during which the laws will remain equivalent.
It is unclear whether the UK will retain the provisions of the GDPR in national law following exit from the EU; many if not all provisions may be retained. Regardless, any UK company offering goods or services to people in the EU, or monitoring their behaviour, will still have to comply, because the Regulation applies to controllers outside the EU in those circumstances.
Individual countries are required to provide for an independent public authority (a ‘supervisory authority’) responsible for monitoring the application of the GDPR, protecting the rights and freedoms of people, enforcing its provisions regarding the processing of data, and facilitating the free flow of information within the Union. In the UK this authority is the Information Commissioner’s Office (ICO).
What does processing mean?
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What does it say about this processing of data?
There are 6 key overarching principles relating to the processing of personal data laid out in the GDPR (Article 5). Personal data shall be:
Processed lawfully (on one of the legal bases the regulation allows), fairly, and transparently (‘lawfulness, fairness and transparency’)
Collected for specified, explicit, and legitimate purposes, and not further processed in a way that is incompatible with those purposes (‘purpose limitation’)
Adequate, relevant, and limited to what is necessary for those purposes (‘data minimisation’)
Accurate and, where necessary, kept up to date (‘accuracy’)
Kept in a form that allows for the identification of data subjects for no longer than is necessary, given the reason for its processing (‘storage limitation’)
Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘integrity and confidentiality’)
In addition, the controller is responsible for, and must be able to demonstrate, compliance with these principles (‘accountability’). Data protection by design and by default (Article 25) is how that is expected to be built into systems in practice.
Special categories of personal data
With the exception of particular circumstances (which are not covered in this document), it is prohibited to process certain data, including that which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation is also prohibited. Data on criminal convictions and offences has its own specific protections.
How do you get consent?
Consent is one of six legal bases on which a controller can lawfully process data (the others being performance of a contract, a legal obligation, the vital interests of a person, a task carried out in the public interest, and the controller’s legitimate interests), and it is arguably the most ‘clear-cut’. It is also the most demanding: consent must be unambiguous, and for special categories of data it must be explicit. Consent must cover all processing activities carried out for the same purpose. When processing has multiple purposes, consent must be given for all of them.
To demonstrate this consent it must be shown that:
The subject has freely given their consent
The request for such consent was clearly distinguishable from other matters (not hidden away somewhere), intelligible, easily accessible, and in clear and plain language
Specifically, consent must be given by:
a clear affirmative act (a pre-ticked consent box is not affirmative)
establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data
This act could include a written statement, an oral statement, the active ticking of a box, or conduct which clearly indicates in a specific context the data subject’s acceptance of the proposed processing of his or her personal data. If consent is to be given by electronic means, the request must be clear and concise. The proposed processing for which consent is asked cannot be unnecessarily broad.
Silence, pre-ticked boxes, inactivity or non-response do not constitute consent.
Consent can be withdrawn by a subject at any time, and it must be as easy to withdraw consent as it was to give it. Withdrawal does not affect the lawfulness of processing carried out before it.
What if you subsequently use data for a purpose that consent was not expressly given for at collection? Does the initial consent still provide a valid legal basis for processing?
It is necessary to consider whether processing for another purpose is compatible with the purposes for which the data was originally collected, taking into account:
Any link between the purposes for which it was collected and the purposes of further processing
The context in which it was collected (in particular the reasonable expectations of data subjects based on their relationship with the controller as to further use)
The nature of the personal data (particularly if it is one of the ‘special’ categories of sensitive data like ethnicity, political opinion, sexuality etc.)
The possible consequences to subjects of further processing
The existence of appropriate safeguards (incl. encryption and pseudonymisation)
If it is compatible, having considered the above, then no separate legal basis from that which allowed the processing of the personal data in the first place is required.
If it is not compatible, controllers must establish a new legal basis for the new purpose (for example fresh consent) and must provide subjects with information about the new purpose, together with the information described below (see “what information do you need to provide data subjects”). This does not apply where the subject already has that information.
What information do you need to provide data subjects with (when obtaining consent and otherwise)?
Where personal data are collected from a data subject, the controller must provide the subject with the following information (generally in the form of a Privacy/Data Policy):
the identity and contact information of the data controller
the contact details of the Data Protection Officer (if applicable)
the purposes of the processing
the legal basis for processing (and, where that basis is legitimate interests, what those interests are)
the recipients or categories of recipients of the personal data
where applicable, the fact that personal data will be transferred to a third country, and the safeguards relied on for that transfer
the period for which personal data will be stored, or the criteria used to determine the storage period
the existence of, and how to exercise, the rights to:
request access to and rectification or erasure of personal data
restrict processing concerning the data subject, or object to processing
data portability (the ability for a subject to obtain a transferable copy of their data)
withdraw consent at any time, where processing is based on consent
lodge a complaint with a supervisory authority
whether the subject is obliged to provide their data, and the possible consequences of failing to provide it
the existence of automated decision-making, including profiling, with meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject
In instances where personal data has not been obtained directly from the data subject, the controller must provide the subject with the information above, in addition to the categories of data concerned and the source of the personal data. Where the origin of the personal data cannot be given because various sources have been used, general information about the sources should be provided.
This information must be provided within a reasonable time after obtaining the data, but at the latest within one month; if the personal data are to be used for communications with the subject, at the time of the first communication; and if the data are to be disclosed to another recipient, at the latest when they are first disclosed.
What rights are explicitly granted by the GDPR to subjects?
The right to access information
Data subjects are granted the right to obtain confirmation from the data controller as to whether personal data concerning them is being processed, what it is, where it is processed, and for what purposes. The information listed in “what information do you need to provide data subjects” must be given to subjects, in addition to a copy of all data held.
The right to rectification
The right to have the controller rectify, without undue delay, any inaccurate personal data concerning the data subject, and to have incomplete data completed.
The right to erasure (“the right to be forgotten”)
Data subjects are entitled to have their data erased without undue delay where, for example, the data is no longer necessary for the purpose it was collected for, consent has been withdrawn and no other legal basis applies, the subject objects and there are no overriding legitimate grounds, or the processing was unlawful. The right is not absolute: it does not apply where processing is necessary for, among other things, freedom of expression, compliance with a legal obligation, or the establishment, exercise or defence of legal claims.
Where the controller has made personal data public and is obliged to subsequently erase it the controller must take reasonable steps to inform other controllers processing that data that the subject has requested the erasure of that data, including a request to erase any links to, copies of, or replications of those personal data.
The right to data portability
Where processing is based on consent or on a contract and is carried out by automated means, data subjects have the right to receive the personal data concerning them which they have provided to the controller in a ‘structured, commonly used and machine-readable format’, and to transmit that data to another controller (or, where technically feasible, to have it transmitted directly).
The right to object (including direct marketing)
Where processing is based on the controller’s legitimate interests or on a task in the public interest, the data subject may object on grounds relating to their particular situation, and the controller must stop unless it can demonstrate compelling legitimate grounds which override the subject’s interests, rights and freedoms. Where personal data are processed for direct marketing purposes, the right to object is absolute: it includes profiling to the extent that it is related to such marketing, and the data must no longer be used for those purposes once the subject objects. This right must be brought to the attention of subjects explicitly, at the latest at the time of first communication, and presented clearly and separately from other information.
The requirement for data protection by design and by default
The protection of data must be integral to the building of systems and the processing of information (Article 25). The controller must implement appropriate technical and organisational measures, such as pseudonymisation, and data protection policies to effect this, both when deciding how to process data and at the time of the processing itself. By default, controllers should hold and process only the data necessary for each specific purpose (data minimisation), retain it no longer than necessary, and limit access to personal data to those who need it to conduct the processing.
The right to notification of data breaches
Regardless of severity, the controller must document all personal data breaches, detailing the facts of what happened, its effects, and the remedial action taken. This record must be kept to demonstrate compliance to the supervisory authority.
Unless a breach is unlikely to “result in a risk to the rights and freedoms of natural persons”, the controller must notify the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of first having become aware of it. If notification is made later than 72 hours, it must be accompanied by the reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay.
Notifications must at least include:
The nature of the breach
Where possible, the categories and approximate number of subjects affected, and the categories and approximate number of records concerned
The contact details of the controller’s DPO or other contact point
A description of the likely consequences
A description of the measures taken or proposed to address the breach, including measures to mitigate its effects
Where a breach is likely to result in a high risk to the rights and freedoms of individuals (a higher threshold than for notifying the authority), the data subjects must also be informed “without undue delay”, unless:
Appropriate technical and organisational protection measures were applied to the affected data, rendering it unintelligible to anyone not authorised to access it (e.g. encryption)
Subsequent measures have been taken which ensure that the high risk is no longer likely to materialise
It would involve disproportionate effort (in which case a public communication or similar measure that informs subjects equally effectively should be made instead)
Information about automated decision making / profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to the analysis or prediction of aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The controller should use appropriate mathematical/statistical procedures for profiling, implementing technical and organisational measures to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and that the risk of errors and discrimination are minimised.
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The exceptions are where the decision is necessary for entering into or performing a contract with the subject, is authorised by law, or is based on the subject’s explicit consent. Automatic refusal of online credit applications and e-recruiting practices without any human intervention are given as examples in the regulation’s recitals, as is profiling that analyses a subject’s performance at work.
In the contract and consent cases, the controller must still safeguard the subject’s rights, which at least means the right to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision.
The right to lodge a complaint
Every data subject has the right to lodge a complaint with a supervisory authority, in the member state of residence, of work, or of alleged infringement if the subject considers the data processing to infringe the GDPR.
General guidelines in the requirements for disclosure of information to subjects
In circumstances when it is necessary to provide information to data subjects (e.g. following a request for data/information) this should be done:
Using clear and plain language, in a concise, transparent, intelligible and easily accessible form
Without undue delay, and at the latest within one month of receipt of the request. This can be extended by a further two months where necessary, taking into account the complexity and number of requests, in which case the subject must be told of the extension, and the reasons for it, within the first month. It must be made clear to subjects how they can exercise their rights.
Free of charge, unless requests are manifestly unfounded or excessive (in particular because of their repetitive character), in which case a reasonable fee may be charged or the request refused. The burden of demonstrating that a request is manifestly unfounded or excessive lies with the controller.
If the controller does not act on a request, the subject must be informed without delay (and at the latest within one month) of the reasons why, and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
What if data is to be processed by external third parties (e.g contractors/service providers)?
The controller should only use external processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures, such that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
External processors are not allowed to engage other (sub-)processors without the prior specific or general written authorisation of the controller, and must flow the same obligations down to any sub-processor they use.
Agreements/contracts with these parties must set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. The GDPR lays out the required contents of such agreements explicitly in Article 28(3), including that the processor acts only on the controller’s documented instructions, keeps the data confidential, assists the controller with data subject requests and breach notifications, deletes or returns the data at the end of the engagement, and submits to audits.
Controllers must keep a written record of the processing activities under their responsibility (Article 30), including:
Name and contact details of the controller
Purposes of the processing
Description of the categories of data subjects and categories of personal data
Recipients of the data
Transfers to a third country/international organisation
Where possible, envisaged time limits for erasure
A description of technical and organisational security measures
Processors must maintain a similar record of the categories of processing carried out on behalf of each controller.
Organisations employing fewer than 250 persons are exempt from this requirement, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of subjects, controllers and processors must implement appropriate technical and organisational security measures (Article 32), including, as appropriate:
The pseudonymisation and encryption of personal data
The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
The ability to restore the availability of and access to personal data in a timely manner following a physical or technical incident
A process to regularly test, assess, and evaluate the effectiveness of the above measures
When determining what is appropriate, particular consideration should be given to the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
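Pseudonymisation is named twice above, as a safeguard when assessing compatible further processing and as one of the Article 32 security measures, but the regulation’s definition (Article 4(5)) matters for what it buys you: data that can be attributed to a person with the help of “additional information” kept separately is still personal data, only with the risk reduced. The example below is added here to illustrate that point and is not code from the original article. It is assumed that the direct identifier is an email address and that the secret key is held apart from the dataset (in practice, in a key management service); the sample records and the attacker’s guess list are constructed for the example. It shows why an unkeyed hash of an identifier is not anonymisation (an attacker who can enumerate plausible inputs recovers the identity), while a keyed pseudonym resists that attack yet remains re-identifiable by whoever holds the key, and so stays within the GDPR’s scope.

```python
"""Pseudonymisation of direct identifiers: unkeyed hash vs. keyed pseudonym.

Added example, not from the original article. All sample data is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def _normalise(email: str) -> bytes:
    # Canonicalise so "Alice@Example.com" and "alice@example.com" map to one pseudonym.
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic and recomputable by anyone, so it is NOT anonymisation:
    an attacker with a candidate list simply hashes each guess and compares.
    """
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.

    Without the key the token cannot be recomputed, so guessing attacks fail.
    With the key the controller can re-identify the subject, which is exactly
    why the output is pseudonymous (still personal data), not anonymous.
    """
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


def guess_identity(token: str, candidates: List[str], key: Optional[bytes] = None) -> Optional[str]:
    """Attacker model: recompute the token for every candidate identifier.

    key=None models an outsider attacking an unkeyed hash.
    key=<the real key> models the key holder re-identifying a record.
    """
    for cand in candidates:
        probe = keyed_pseudonym(cand, key) if key is not None else naive_pseudonym(cand)
        if hmac.compare_digest(probe, token):
            return cand
    return None


def pseudonymise_records(records: List[Dict], key: bytes) -> List[Dict]:
    """Replace the 'email' field of each record with a keyed pseudonym.

    The key is the Article 4(5) 'additional information' and must be stored
    separately from the returned records.
    """
    out = []
    for rec in records:
        rec = dict(rec)  # do not mutate the caller's data
        rec["subject_id"] = keyed_pseudonym(rec.pop("email"), key)
        out.append(rec)
    return out


# Constructed sample data. A fresh random key is generated per run; a real
# deployment would load a persistent key from a separate key store.
KEY = secrets.token_bytes(32)
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "applied_role": "Barista", "score": 82},
    {"email": "bob@example.com", "applied_role": "Chef", "score": 67},
]
# An attacker's guess list, e.g. addresses scraped from a public source.
GUESS_LIST = ["carol@example.com", "bob@example.com", "alice@example.com"]


def demo() -> Dict:
    """Run both schemes against the guessing attack and return the outcomes."""
    naive_token = naive_pseudonym("alice@example.com")
    keyed_token = keyed_pseudonym("alice@example.com", KEY)
    return {
        "naive_recovered": guess_identity(naive_token, GUESS_LIST),       # 'alice@example.com'
        "keyed_without_key": guess_identity(keyed_token, GUESS_LIST),     # None
        "keyed_with_key": guess_identity(keyed_token, GUESS_LIST, KEY),   # 'alice@example.com'
        "pseudonymised": pseudonymise_records(SAMPLE_RECORDS, KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical consequence is that a dataset of keyed pseudonyms can be shared with an analytics team or a processor without handing over the identities, but the controller that holds the key is still processing personal data and every obligation above still applies to it; only truly anonymised data, which cannot be attributed to a person by anyone using any additional information, falls outside the regulation.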
The appointment of a Data Protection Officer
The appointment of a DPO is mandatory for public authorities, and for controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions and offences. A DPO must be suitably qualified, must report to the highest level of management, and must not perform any task that could result in a conflict of interest.
What happens if a controller contravenes the provisions of the GDPR?
Supervisory authorities have particular remedies available to them in order to address contraventions of the GDPR. Their application of these shall be determined on a case by case basis, and include:
Issuing warnings of likely infringement
Issuing reprimands where processing has infringed provisions
Ordering the controller/processor to comply with a data subject’s requests to exercise their rights under the GDPR
Ordering the controller/processor to bring processing operations into compliance with the provisions of the GDPR
Ordering a controller to communicate a data breach to subjects
Imposing temporary/definitive limitations or bans on processing
Ordering the erasure of personal data
Ordering the suspension of data flows to recipients in a third country/an international organisation
Imposing an administrative fine
Administrative fines can be imposed in addition to or instead of other remedial measures. There are two tiers: up to €10m or 2% of worldwide annual turnover in the preceding financial year (whichever is greater) for infringements of obligations such as those on records, security, breach notification and the use of processors; and up to €20m or 4% (whichever is greater) for infringements of the basic principles, the conditions for consent, data subjects’ rights, or international transfer rules. When deciding whether to impose a fine (and its amount), regard should be given to:
The nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing concerned, the number of data subjects affected, and the level of damage they suffered
The intentional/negligent character of the infringement
Any action taken to mitigate damage suffered by data subjects
The degree of responsibility of the controller, taking into account technical and organisational protection measures implemented
Any previous infringements
The categories of data affected
The manner the infringement became known to the supervisory authority and in particular if the controller/processor informed the supervisory authority of it
Whether other remedial steps have previously been ordered regarding the same subject matter
Adherence to approved codes of conduct/approved certifications
Any other aggravating/mitigating factors applicable, such as financial benefits gained/losses avoided
So the bottom line is that whilst it is unlikely the ICO will act vindictively and without due warning and an appreciation of circumstances, the GDPR has got to be taken seriously – not only because of the punitive measures which may result from breach, but because it is a broadly sensible regulation that is intended to secure and protect people’s data – including yours!
For organisations / “data controllers” contemplating how to become compliant with the GDPR, the Information Commissioner’s Office has put together a handy document which is thoroughly recommended: 12 Steps to Take Now.