GDPR compliance changes and how to keep on top of them
GDPR EU explains what organisations need to understand to be fully compliant with the regulation that dictates data protection, usage and collection in European member states.
Ensuring GDPR compliance is legally necessary for every organisation. But understanding personal data protection and data privacy can also represent an opportunity for positive change.
Data privacy laws were ad hoc and convoluted prior to the introduction by the EU of the General Data Protection Regulation in May 2018. The new legal basis for every EU member state superseded all previous data protection laws.
The general data protection regulation governs all data processing operations and management by an organisation, located or doing business in an EU member state.
It was introduced to ensure that data processing and personal data laws kept pace with a constantly evolving digital world. Not only does the data protection law govern how organisations utilise people’s personal data, but it also reinforces the security standards and privacy rights of every individual who lives in an EU member state.
Because it takes the place of all data protection legislation before May 2018, the GDPR ensures a comprehensive and consistent approach to data protection law by organisations across the European Union
The data protection law applies to organisations across the EU that store, collect or in some way process personal data. However, businesses or organisations outside of the European Union that offer goods and services or otherwise have access to data of EU residents must also comply.
Since Brexit, the UK has introduced its own data protection law – the Data Protection Act 2018. This applies to organisations within the UK and to those outside of the UK that have access to personal data of people who live there.
While this may seem even more complicated, it’s worth knowing that the UK Data Protection Act 2018 mostly aligns with the EU’s data protection law. This means that if your business is fully compliant with the EU GDPR, it should be relatively simple to achieve compliance with the UK’s version.
Before we go on to explain the ins and outs of GDPR compliance, here’s some of the terminology that we’ll use and what it means.
The GDPR states that personal data is: “any information relating to an identified or identifiable natural person (data subjects).” This specifically includes things like cookies or IP addresses or other online identifiers.
This means individuals: “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an ID number, location data or other online identifier.”
This refers to: “… a legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
This is: “a person, public authority or other body that processes personal data on behalf of the controller”. Specifically, security standards state that they can only process data in accordance with instructions from the data controllers.
There are various reasons why GDPR compliance should be met:
Businesses that maintain transparency and authenticity when using customer data and partner data will benefit from higher trust levels. This can go a long way to improving business relations.
Customers that are satisfied with the expert knowledge of a business and that they feel are following good security practices are less likely to exercise their rights as data subjects.
As well as keeping business partners and customers happy, a business being transparent about its GDPR compliant operations will benefit from improved efficiency and services. There is also a cost saving.
For example, following the appropriate security standards means collecting less data than before, which makes processes faster and simpler. Furthermore, given that being GDPR compliant means keeping records and communicating in clear and plain language, projects automatically become simpler to manage.
Another strong reason for a business to strive for GDPR compliance is the surrounding ecosystem. The more businesses that are implementing all of these data processing rules and data protection, the more it will be expected of everyone in the service supply chain.
If, for example, a competitor business begins advertising the way it is complying with GDPR and processing personal data, then your customers will expect the same level of data protection from your business too.
Businesses that fail to demonstrate compliance may be subject to a penalty in the form of a fine. There are two tiers of fines stipulated under GDPR:
To be GDPR compliant, a business must demonstrate compliance with Article 5 of the Regulation.
All other regulations under the GDPR are designed to support Article 5. The main data protection principles are as follows:
Businesses must ensure that they are lawfully processing personal data. To avoid non compliance, this means that one of the lawful bases of the General Data Protection Regulation must be met. Furthermore, the data processing must not breach other laws
Data processing must also be carried out fairly and with proper consent, in a way that isn’t misleading or a problem for data subjects. And finally, along with valid consent, the data must be processed in a transparent way.
This is where the business must use clear and transparent language to communicate with individuals about personal data use and storage. To fully comply with the data protection regulation, the business must be open and honest with the data subjects about how their personal data (and potentially sensitive personal data) will be used. This is generally through using privacy notices.
A privacy notice regarding personal data must include specific information, including but not limited to the following:
While this information is detailed and specific, the business must ensure it’s communicated openly, honestly and in an accessible way. Data collection should not be communicated using vague statements or legalese.
For example, if a business wants to use the data relating to the subject to provide personalised services, then these should be clearly described and outlined. The statement should be clear, honest and beneficial for both parties.
As well as complying with the security law, this will allow companies to build better quality relationships with their customers.
Personal data can only be collected and processed by a business for specific, named purposes. These purposes must also be made extremely clear to the data subjects from the outset.
The purpose of the data processing must also be fully documented. If the business then wants to utilise the same personal data for a separate purpose, they need to get specific, separate consent.
The amount of personal data collected by the relevant controller must be kept to a minimum. This means that it must be as relevant as possible to restrict processing to the minimum.
In other words, data collection should only cover data linked to the declared purpose. The data collection should only comprise what is strictly necessary.
The data protection officer should make sure that data collection is accurate. Data protection measures stipulate that the data subject must fully understand how much data has been collected and how the business will process data.
All personal data, including potentially sensitive personal data, must be kept up to date (for example, payroll data).
Should the data protection officer or data controllers find that there is inconsistency or inaccuracy in the personal data collected then they should either erase or correct it. Adequate documentation must be kept for the supervisory authority in all cases.
The data protection officer should ensure that personal data is only kept for as long as strictly necessary to fulfil the initial stated purpose of
This means the business should take necessary data protection measures, such as keeping documentation for each type of data held.
In order to monitor compliance, appropriate security measures should be taken, such as periodically reviewing the data held. If the private data is discovered, through systematic monitoring, to be no longer useful it should be destroyed.
All personal data held by the data controller should be secure. The data security must also be maintained while processing personal data by using various measures
These include measures such as data protection impact assessments and risk assessments. The results of these then inform the data protection measures implemented.
Data protection measures can include, for example, technical measures such as firewalls and anti-malware software being installed. However, it’s also important that data protection measures include employee training and the implementation of all the necessary documentation.
Data processing must also be secured in such a way as to ensure integrity and confidentiality. Furthermore, data privacy must be maintained by the prevention of unauthorised modification of the sensitive personal data.
The final data protection principle is for data controllers, whether individual or joint controllers, to be able to fully demonstrate compliance with the first six principles.
Compliance is demonstrated by the joint controller or individual data controller, through a mix of documentation and technical measures.
These include policies and procedures relevant to data protection and data portability, privacy notices (as outlined above), training records for employees, data breach records, data protection impact assessments, and controller-processor contracts.
This isn’t the full list for GDPR compliance, as the information commissioner’s office will require other forms of compliance.
These include appointing a data protection officer for example and demonstrating that their responsibilities and duties are fully laid out.
As we’ve seen, the first processing principle is about the lawful basis of collecting and using data.
For example, if a business wants to collect genetic and biometric data then they need to demonstrate compliance with one of the six GDPR lawful bases as outlined in Article 6(1).
This is where the processing of data, whether that’s genetic and biometric data, IP addresses or any other form of personal data. is necessary to enter a lawful contract with the data subject.
This could be to deliver on an already existing contract or to start a new one.
The data processors must demonstrate that the processing is necessary to comply with a legal obligation. The specific legal requirement must be specified through a data protection impact assessment or other form of documentation.
This is where data processing is deemed necessary for the protection of someone’s life. This could be the life of the data subject or someone else.
This can’t be relied on for data that comes under special categories, such as health data, if the person can’t give consent.
Special category data is laid out in Article 9 of the GDPR. Any data deemed special category is subject to higher levels of protection.
“… personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.”
GDPR prohibits processing data that falls under this category without a valid lawful basis. For example, if a business processes data concerning someone’s political opinions, then this will impact separate GDPR obligations.
While this is most important for a public authority, it can apply to any entity that is performing a task in the public interest and acting as the official authority for said task.
This is the most flexible category of lawful bases for data collection, and as such, businesses need expert knowledge.
It applies where a data protection impact assessment or other form of assessment has deemed data processing necessary to pursue the legitimate interests of the data controller.
However, these interests can’t be superseded by the rights of the data subject. This is something that data processors and controllers must be aware of when processing the data of children, for example.
A business wanting to rely on this lawful basis, should check with its supervisory authority first. They may have a legitimate interest’s template to follow, or some kind of guidance available.
If there is no other legal basis applicable for a specific data processing project, then the business can only rely on the data subject’s consent.
GDPR Article 7 lays out all the consent conditions, which must be followed to avoid a data breach notification.
To qualify as consent under GDPR, consent must be:
Record-keeping is obviously key when it comes to collecting data consent. These must include how the consent was given and what was communicated to the individual in order to obtain the consent.
Data processors and controllers should be fully aware of the rights of the data subject under GDPR. These are:
GDPR Article 12 gives the subject the right to know what data is being collected, for what purpose and how it will be used. This must be communicated up front, and this is usually in the form of the privacy notices as outlined above. There are other forms of communication that can be used if they are in clear and plain language.
GDPR Article 15 gives the subject the right of accessing their data through a data subject access request (DSAR). Usually, this needs the data controller to give the subject a copy of their own personal data in an easy-to-understand format within four weeks of the DSAR being received.
GDPR Article 16 gives the subject the right to rectify their data, whether this is in the form of correcting or completing it.
Under GDPR Article 17, if a data subject wants their personal data erased then they have this right. You may see the right of personal data erased called the ‘right to be forgotten’. Controllers must delete this data within four weeks of the subject making the request.
However, this isn’t a definite, absolute right for the data subject. It does depend on certain circumstances. If a business can lawfully refuse to comply with the request for erasure, then must still communicate their reasoning directly with the subject.
GDPR Article 18 gives people the right to restrict the processing of their data. This means that the business can store it but not process it. This, again, is not an absolute right for the data subject and it can be refused on certain grounds.
GDPR Article 20 gives subjects the right to data portability. This means they are permitted to get data from the data controller in a “structured, commonly used and machine-readable format.” The subject can then transfer the data to another service provider or different tech companies, for example.
GDPR Article 21 gives data subjects the right to object to a business processing their data. Once again, this is not absolute and if the controller can clearly demonstrate legitimate reasons to continue processing the data, then they can continue.
Article 22 lays out the data subject’s rights surrounding this kind of decision making, including profiling. This is when automated data processing is used to make decisions about the subject.
Data subjects have the legal right to not be subjected to any form of automated decision making that may led to legal consequences about them.
So far, we’ve outlined the core principles of GDPR compliance. Any data breach of these principles leads to the higher tier of fines. However, there are other actions that businesses and organisations can take to ensure compliance outside of the core principles.
This may not be a specific requirement under GDPR, but it is a good place for a organisation to start. By knowing exactly what kind of data is being processed, for what purpose and how it’s being dealt with, an organisation can avoid data breaches. It’s also a good way to compile the kinds of record keeping that is mandatory under GDPR. An organisation can turn to a supervisory authority for assistance and guidance. It’s a good way to encourage compliance in an accessible way.
We’ve already touched on these above as they come under Articles 35 and 36. Non-compliance with DPIAs for high-risk processing is considered a data breach. A DPIA is like a risk assessment but specifically to ascertain whether any data processing activity might cause harm to the subject.
GDPR Article 33 states that some data breaches must be reported directly to the supervisory authority or national data protection authority with 72 hours. Failing to ensure that the data breach notification is made in a timely way can leave the organisation vulnerable to penalties.
Systematic monitoring, keeping good records, ensuring that a data protection officer (DPO) is appointed and properly understands their remit and understanding the requirements should mean an organisation remains compliant.
Some organisations may need to make large scale changes to the way that data collection is communicated and managed, but the guidance is clear and accessible.
It’s always worth checking legislation periodically as it may change, although large scale changes in the law should be easy to keep on top of. In particular, the UK Government is keeping the framework of its data protection law under review and could feasibly make significant changes in the future.
Either way, implementing a structured large-scale methodology for data collection, usage, and communication, should be something every organisation takes seriously. Achieving full compliance is perfectly possible but may take some significant changes for some organisations.
The good news for businesses is that GDPR compliance isn’t just about the law. Improving openness, honesty and communication surrounding personal data can mean stronger customer and client relationships and more two-way trust.