GDPR - User-Friendly Guide to General Data Protection Regulation
Your straightforward guide to the GDPR. Meaning, definitions, principles, rights, compliance and more, helping you understand the regulations.
This transfer of information certainly makes life easier; still, it comes with the requirement for the organization collecting and processing that data to do so with safeguards in place for its protection and security. Having data protection laws in place, such as the GDPR, ensures that when data is shared, it is used in a legally appropriate way.
No matter where a business or organization is in the world, if they have the ability to capture personal data from someone based within the European Union, then it’s likely that they will need to review how they manage that process to comply with the General Data Protection Regulation (GDPR). Even if not directly impacted, many EU based organizations have required their suppliers and contractors across the world to implement similar best practice data processing procedures.
Understanding the requirements of the GDPR enables businesses across the globe to ensure that compliance becomes a key factor in the way in which they process personal information and formulate their data protection protocols. And if that is not motivation enough, fines for non-compliance can reach $25 million or 4% of a company’s global annual revenue (whichever is greater).
What is the Purpose of GDPR?
Launched in April 2016, the GDPR aimed to provide a single set of data privacy laws across the European Union, which provided higher levels of protection and rights to individuals than those already in place. The GDPR provides the protocols for how businesses and other organizations handle the information relating to the individuals who interact with them. GDPR also brought in new definitions of personal data, consent types, accountability standards, and the roles involved in decision making, interpreting, and processing the data.
From the EU citizens’ perspective, the aim of GDPR is to make it easier to understand how their data will be used before collection, and also to be able to raise a complaint, no matter where in the world that data is held.
Technology has dramatically changed how businesses operate and how individuals live their day to day lives. And while the IT infrastructure was growing rapidly, the legislation which protected the personal data being passed back and forth had some catching up to do.
To remedy this, the European Data Protection Directive came onto the stature books in 1995. This allowed individual countries within the European Union to implement their own legislation formulated around minimum data privacy and security standards. However, this freedom of interpretation resulted in requirements varying whether you were based, for example, in the UK, Germany, or France. As a result, the rights and freedoms of the EU citizen varied depending on which member country they lived in.
Meanwhile, the internet was experiencing exponential growth, and businesses were becoming aware of the value of personal data. It soon became evident that greater protections were needed when legal action was taken against a company accused of scanning users’ emails; the general public was understandably concerned with what seemed to be a disregard for their data protection.
Not long after this, it was declared that the European Union needed “a comprehensive approach on personal data protection,” and so work commenced on revising the 1995 directive.
By April 2016, the GDPR had passed through the European Parliament, with the requirement that all organizations were compliant by May 25, 2018.
With the purpose of GDPR being to protect data belonging to European citizens and residents, the requirements apply to organizations that handle this type of data no matter whether they are based in the European Union or not. There are two key scenarios in which non-European organizations will need to ensure GDPR compliance:
The power of the internet has made it possible to purchase goods and services from across the world, which creates amazing opportunities, but it does, in turn, create potential risks for the protection and security of personal data.
GDPR does take a sensible approach to this situation in that occasional instances of trading within the European Parliament region does not require GDPR compliance. If, however, a US-based company provided pricing in euros or they had a targeted ad in German, then that would imply an intent for more than an occasional instance.
If an organization tracks cookies or IP addresses of people who visit their website from EU countries, then they would fall within the remit for compliance with the regulation. GDPR compliance means that there needs to processes in place to ensure data privacy along with security and protection procedures for the way in which that data is stored and used in the future.
To achieve greater levels of clarity, the GDPR provides definitions of the key terms, requirements, and roles associated with providing data protection.
From an organization’s perspective, being compliant with GDPR requires an understanding of whether the information they process could be classified as personal data. This is considered to be any personal information which relates to an individual who can be identified or is identifiable. Now, some of this data is straightforward to establish as falling within the requirements of the act, and examples of this type of data include a customer number, an address, telephone, or credit card number.
Photographs also fall within the remit of the legislation, so that means publishing photos of attendees at events needs careful consideration to ensure that the organization remains GDPR compliant. Then, even if it’s not possible to identify the individual, there is a requirement to consider if the individual is identifiable. That means reviewing the information being processed alongside all the ways in which it could be used to identify that individual.
The provisions of the GDPR go further than just regular customer data; they also perceive that an IP address or a cookie to be additional ways in which an individual may be directly identified.
GDPR is clear, however, that data is not classified as personal information unless it relates to an individual, and that’s even if an individual is identifiable. If it does relate to a person, then there is a requirement to take into account not only the content of that information but also the reasons as to why it is being processed in the first place. Then there also needs to be an evaluation of the potential impact there may be for the individual as a result of the processing.
With those definitions in mind, it then becomes evident that information could be classified as personal data by one organization yet not fall within the requirements of the GDPR by another organization. For example, a job title may not be data that identifies an individual when considered in isolation. However, if the organization’s name was also obtained, and there is the potential for only one person with that job title to be employed, then that, in turn, means that the individual could be identified.
It’s often assumed that a person’s name is personal data; however, Tom Smith may not always be an identifier as there are many people with that name. It’s not until it’s combined with their address or telephone number that it becomes clear which Tom Smith is being referred to. Likewise, you may be able to identify your neighbors by knowing where they live, but you might not know their names.
The pseudonymization of the data or the holding of inaccurate information does not exempt it from GDPR compliance. However, if the data is genuinely anonymous, then it doesn’t fall within its remit.
It was decided that some data is particularly sensitive and, as such, requires additional safeguards to ensure its protection. This Special Category Data covers details that:
This is the person to whom the data relates. GDPR only applies to living individuals; however, any duty of confidence in place prior to the death extends beyond that point.
GDPR identifies several positions within an organization that have a responsibility for the protection of the data subjects’ information.
The Data Protection Officer (DPO) is a mandatory requirement within three different scenarios:
The Data Protection Officer is required to be an expert within this field, along with the requirement for them to report to the highest management level. With this being a challenging aspect of GDPR compliance for smaller organizations, there is the option to make an external appointment of a third-party and the possibility of several organizations appointing a single data protection officer between them.
The Data Controller is the company or an individual who has overall control over the processing of personal data. It is possible to have more than one Data Controller within an organization who would then be classed as Joint Controllers if they jointly decide the purposes and means of how personal data is processed. That said, if they are processing the same data, but for different reasons, then they would not be considered to be Joint Controllers.
It is the Data Controller who takes on the responsibility for GDPR compliance, and through this role, they need to show that they and the Data Processors are meeting with all the regulations requirements. Data Controllers are generally the individuals who supervisory authorities, such as the Information Commissioners Office in the UK, would take action against if there were issues such as a data breach. With this in mind, an individual taking on the role of Data Controller needs to have had sufficient training and be able to competently ensure the security and protection of data held within the organization.
The Data Processor is the person who is responsible for the processing of personal information. Generally, this role is undertaken under the instruction of the data controller. So, this might mean obtaining or recording the data, it’s adaption and use. It may also include the disclosure of the data or making it available for others. Generally, the Data Processor is involved in the more technical elements of the operation, while the interpretation and main decision making is the role of the Data Controllers.
It is possible under the definitions provided within the GDPR for a person to be both a controller of some data and a processor for others.
In simple terms, GDPR means reviewing how personal data is captured and used within an organization. In then ensuring compliance, it aims to provide data protection for European Union customer data, to reduce the severity and frequency of data breaches, and the potential for mishandling or misprocessing of personal data on the web.
The seven principles lie at the core of the GDPR. They provide guidance for everyone who is required to be GDPR compliant, and they provide clear expectations for EU citizens as to how their data should be processed. The principles do not provide explicit instructions to ensure GDPR compliance; instead, they guide organizations in the decisions they make to ensure the protection and appropriate use of data.
Lawfulness refers to the need for there to have been the identification of specific grounds for the requirement of processing personal data. To meet the requirements of specific grounds, the General Data Protection Regulation details six different reasons of which at least one must be applicable:
If none of the six reasons apply, then the processing would be considered to be unlawful.
Of course, there is always a requirement to ensure that personal data is not used in a way that would be considered illegal, aside from the stipulations of GDPR. So, this means that if through processing the data, a criminal offense is committed, then that would also be unlawful. That might include copyright being infringed or a duty of confidence being breached.
This principle ensures that data subjects understand the reasons for providing their personal information and have reasonable expectations about what the organization aims to do with it. The General Data Protection Regulation sees this as a way of ensuring accountability and prevents the temptation to use the data for purposes other than those disclosed to the individual.
This also allows an individual to decide whether they are happy to provide their details, and it gives them some security over its use in the future. Now, that doesn’t mean to say that GDPR prevents all future use for other purposes, but it is limited. One potential scenario is when there is a link between the new use and the original reason the data was collected.
For example, if a person has contacted a business to request information about holidays to California, it would be compatible to let them know about a special offer on flights to Los Angeles. If, however, they then wanted to contact them about goods or services which have nothing to do with California holidays, then they would need to request their permission to use their data in this new way.
The third principle of the GDPR is to consider the minimum data needed to meet the purpose and with that t becoming the maximum held. The regulation talks about the need for data to be adequate, relevant, and limited. However, there are no specific definitions of these as it depends on the particular reason for collecting the data to begin with.
What is important to this third principle is to see data subjects as individuals. This means that if some of the detail collected is only needed for a small set of individuals, then it would be inappropriate to gather it from all data subjects. Additionally, there cannot be a culture of collecting data on the basis that it may be useful at a future date. If, however, there is an identified requirement for the data in the future, then the GDPR allows for it to be collected in advance.
There is also the requirement to consider this from the alternate perspective of holding inadequate data. This refers to situations in which the data is insufficient for the purpose it was collected for. In this case, the data should not be processed as it cannot meet the criteria for which it was deemed necessary.
The fourth principle focuses on the quality of the data being collected. Along with giving a data subject the right to have inaccurate data corrected, GDPR also means having processes in place to ensure the accuracy of the data to begin with. While there is a requirement to update the information on a regular basis, this should be as appropriate for the reason it was collected to begin with. For example, if a customer places a one-off order, there is no need to contact them on a regular basis to ensure that the address details are still correct.
GDPR allows for the holding of data which includes the opinions of data subjects, as long as they are clearly annotated as such and cannot be misconstrued as fact.
Clarity is required on what the personal data record should show, as this is likely to influence whether it is considered to be accurate or not—for example, holding a client’s old address when they have moved house is still accurate as long as it is clearly annotated as historical data.
Data should only be kept for the duration defined within the original requirements. So, that means that even if you have collected it according to the requirements of GDPR, it cannot be kept for longer than you actually need it.
The regulation does not specify what a reasonable time is for keeping the data; instead, the onus is on the business to justify the timescale that they have put in place. When considering an appropriate period of time, it does need to be assumed that the older the data is, the more likely that it is inaccurate or out of date.
There are three situations in which data can be kept for an indefinite period:
More commonly known as the principle of security, this aspect of the GDPR is concerned with data being processed securely. This requirement extends beyond cybersecurity and also includes both physical and organizational security. For example, if customer data is used in paper form, there should be processes to ensure accountability for its security and that it is not accessible to visitors to the business.
GDPR requires that data can only be accessed and managed by those who have appropriate authorization. Additionally, if it is accidentally lost, altered, or destroyed, then there is a way in which to recover it, removing the potential for any issues for the data subjects.
Just as with data storage, GDPR does not define the security measures which should be put in place. Instead, it requires that a level of security is put in place, which is ‘appropriate’ to the risks associated with the data processing being undertaken.
The final principle is of accountability. This aspect of GDPR requires those processing personal data to take responsibility for their interactions with personal data and their adherence to the other principles. To meet this requirement, there needs to be both measures and records in place so that compliance can be demonstrated.
While this not only demonstrates that an organization takes a lawful approach to their data processing, it also shows clients and suppliers that there is respect for an individual’s rights and freedoms and that data protection is taken seriously.
It also means that if there is an issue such as a data breach, then it can be demonstrated that there were both measures and safeguards in place to reduce the risk of such an event. This may then mean that there is mitigation against any legal enforcement action.
The risk with any requirement, such as the General Data Protection Regulation, is that it becomes a policy that is written and then sits in the bookcase, forgotten about until something happens. It is evident that this regulation is not only about complying; GDPR is also about the need for regular review and updates to ensure that best practice is always in place.
As well as stipulating the requirements that organizations must meet, the regulation also outlines the rights that have been given to individuals in the management of their data.
Organizations must inform the user what is being collected, what it is being used for, how long it will be kept, and if and with whom it will be shared.
Organizations must provide a way in which individuals can contact them to request a copy of the data they hold on them.
Individuals must be able to check that the information held is accurate. If it is found to be inaccurate, then it must be updated.
While this is not an absolute right, individuals can request that any data held about them is deleted.
While this once more is not an absolute right, an individual can state that they deny the consent for the processing of their data.
This gives the right to take the personal data which is held by one company and extract it for use elsewhere. For example, downloading profile information on Facebook so that it could be used on another social media platform
This provides an individual with the ability to demand that an organization stops using their data in a way in which they object to. For example, making nuisance phone calls or sending marketing material through the post.
With the huge growth in profiling, individuals can object to or appeal against automated decisions, such as the use of targeted advertisements or content.
There are two key exceptions to the requirement for GDPR compliance. First, GDPR does not apply to any activity which is classed as personal or household activity. So that means if someone were to collect friends’ email addresses to keep them up to date on wedding plans, they would not be required to take additional steps to meet with data privacy requirements. The GDPR only applies when there is “professional or commercial activity” taking place.
The second exception relates to those organizations that have fewer than 250 employees. These smaller entities are, however, not entirely free of GDPR requirements; there are still requirements around data protection and security for EU citizens. However, they are generally exempt from record-keeping requirements making GDPR compliance less burdensome.
Should an organization experience a data breach, then the General Data Protection Regulation (GDPR) requires an assessment to be carried out to assess whether there is a potential risk to the data subjects affected. If there is a risk to those people’s rights and freedoms, then there is a requirement to report the breach. This has to be done as soon as it is feasible and within 72 hours of the issue being identified. Each country within Europe has a procedure for the reporting of the breach.
In the UK, for example, the notification is made to the Information Commissioners Office and in France to the Commission Nationale Informatique et Libertés (CNIL). This European centric approach to issues ensures that EU citizens experience the same level of attention no matter their country of residence.
The GDPR is clear in that the 72 hour period should be seen as the maximum point in time for reporting the incident. This then means that there is a need for a log to be kept, which details the exact time that the breach was identified and the steps that were taken to determine what has happened and what was done to contain any further risk to the protection and security of the data.
The complexity of the GDPR can be overwhelming, especially for small businesses with limited resources. So, to provide a brief and plain English explanation, GDPR stands for General Data Protection Regulation, and it was designed by the EU to protect the personal details of its citizens. Despite being passed in Europe, it has an impact on businesses worldwide.
GDPR set new standards for data protection, and this was spurred on by the fact that personal data has become of enormous value to companies who can then sell it on to advertisers and other third parties. This regulation clearly tells companies what the limitations are with regard to the processing of that data.
The regulation also addresses data breaches, and as a result, it has been responsible for multi-million dollar fines being awarded to global organizations such as British Airways, Marriott, and Google. Had there been full GDPR compliance, then there would have been appropriate levels of data protection, and the security breach could have been avoided.