GDPR Requirements - Quick Guide on Principles & Rights
This GDPR Requirements Guide provides you with information on what a business or organization is required to implement in order to meet the requirements of the General Data Protection Regulation.
This guide provides you with information on what a business or organization is required to implement in order to meet the requirements of the General Data Protection Regulation (GDPR). On our homepage, which covers The Meaning of GDPR we discussed what the regulation aims to achieve. Now we revisit those aims, but with a focus on the requirements an organization needs to meet to ensure that GDPR compliance is in place.
When an organization is considering the requirements for becoming compliant with GDPR, there are two key areas which need to be considered.
First of all, the seven key principles around which the specific requirements of the GDPR are based. Then there are the individual rights which ensure that data subjects are aware of how an organization handles both data privacy and data protection.
These aspects of the regulation also require an organization to ensure that their data protection officer has assisted them in both introducing and reviewing procedures around compliance for the handling of requests from individuals.
The European Union and its member states have sent a very clear message that GDPR requirements are ongoing and as such, require regular and considered review in order for their obligations to be met.
In considering who needs to ensure that they are complying, GDPR has a worldwide remit to protect the data of its European citizens. This then means that if you have interaction with individuals who are based within the European Union, then it is likely that you will have some responsibilities to meet under the regulation.
With both data privacy and data protection being key themes of the GDPR if an organization collects or processes any personal data, including electronic information such as cookies, then they will need to take action to ensure the rights of the individual are protected.
There are six lawful reasons for the processing of data, and at least one must apply to ensure GDPR compliance:
Generally, for processing to fall within a lawful basis, then it needs to have been established as a necessary requirement. Now there’s no need for it to be essential, but it does need to be more than a standard practice which is undertaken without consideration of what the specific purpose is.
The General Data Protection Regulation requires you to consider whether there is an opportunity to achieve the objective through processing less data or if the aim can be achieved through less intrusive means.
There also needs to be an awareness that simply stating that ‘this is the way we do things,’ or ‘we’ve always done it this way’ is not going to result in GDPR compliance. Instead, an objective perspective is needed in reviewing whether the processing is genuinely required.
On the basis that processing is needed, then all personal data should be processed with the individual’s rights in mind, so that’s lawfully, fairly and in a transparent manner. If no lawful basis applies to the processing, then it will be considered to be unlawful and so in breach of the first principle.
With these GDPR requirements in mind, organizations must identify the legal basis before starting to process personal data. There needs to be an awareness that this is an important decision to get right. That’s because if a decision is made to change the basis on which the data was collected, then it’s likely to be unfair to the data subjects.
This, in turn, leads to issues around accountability and transparency. For example, if a business states that they need a person’s data in order to process an order but then at a later data add them to their marketing database promoting a very different type of product, then that is likely to be unlawful under GDPR.
This new form of processing would require new agreement from the data subjects to ensure their rights are met
This second principle requires that there is clarity for the reasons for collecting personal data and its intended purpose before the processing commences. Organizations are then required to document these justifications to demonstrate that due diligence and consideration was undertaken and to ensure that there is no additional processing.
In turn, these documents also provide transparency in informing individuals of the purposes for requiring their personal data. This protection of the personal information forms a fundamental requisite of the GDPR and the subsequent data protection it provides to EU citizens.
Additional requirements to meet purpose limitation include the regular and general review of the processing being undertaken, and when needed, the updating of documentation and procedures.
As with much of the General Data Protection Regulation, while there are requirements to be met, there are also few specifics provided and this is the same when considering data minimization. This, in turn, means that there needs to be careful consideration for each element of data collected, resulting in the identification of a clear basis of necessity. For example, if you require individuals to provide personal data to become a user, then the collection of their home address would be questionable unless there is a requirement to send items to their home.
With the need to minimize the data collected there may need to be an alternate route for becoming a user, prior to goods being sent out. It would not be lawful to collect the data just in case there is a need for it in the future.
Three key measures need to be considered:
The need to obtain adequate information from data subjects presents the requirement for the collection of sufficient data in order to meet the requirements for processing.
A system which allows for the collection of partial data sets such as name and address but not email address where the purpose is a monthly newsletter means that the incomplete data is being held but without any way of processing it. This would be seen as a non-compliance with the GDPR in just the same way as holding too much personal information.
As an added advantage to the organization, lower volumes of personal data being collected will result in a lower requirement for data protection purposes.
There are four key requirements to be met to ensure that an organization meets with the accuracy principle.
Firstly, GDPR requires that reasonable steps are taken, which result in the accuracy of the data. With no specific requirements for what needs to be put in place to meet the ‘reasonable steps’ then there needs to be a consideration for the circumstances, the type of personal data being processed and the reason that it is being used.
This then means that an assessment is needed as to how important that personal data is and then that the care and attention placed into ensuring its accuracy grows with the level of importance. For example, confirmation of membership of a professional body may be essential for nursing or teaching roles.
However, checking proof of employment undertaken twenty years previous, may not be appropriate for some other positions.
Additional procedures need to be in place for the updating and amendment of personal information on the data subjects request, one of several rights that GDPR provides to individuals have over the data which is held about them.
Again, consideration is needed as to the importance of the data when deciding what additional checks may be required. If, for example, a client asks for the email address to be updated on the organizations mailing list, then this can probably be undertaken without any further checks.
If, however, a client wishes their bank account to be updated and that will change where payment is made, then additional checks or evidence may be required to verify the accuracy of the request.
This principle from the General Data Protection Regulation requires that organizations have in place defined timescales for the keeping of personal information. This means that there need to be processes in place for the regular deletion or anonymizing of data as it reaches the end of its processing timescale.
The rights of the data subject in their personal information only being held when necessary is a fundamental requirement of the GDPR.
An organizations retention policy or schedule details the data held, what its defined use is, and the period of time for which it will be kept. A system then needs to be implemented to ensure that the policy is followed and that there are regular reviews to ensure that it still represents current and future practices.
Additionally, there needs to be the flexibility to allow for early deletion, if for example, that is requested by data subjects or if the data is no longer being used.
While smaller organizations may not need a documented retention policy, there is still the requirement to regularly review held data and delete or anonymize any which is no longer needed.
Consideration does need to be made towards any legal requirements to retain information, aside from the requirements of the General Data Protection Regulation.
For example, credit reference agencies and accountants may have requirements to retain data for periods beyond its use for auditing purposes.
The holding and processing of personal data and the compliance with GDPR security requirements mean that there needs to be a level of data security which is compatible with the impact on the EU citizen should there be a data breach. That then means that there must be appropriate levels of data protection in place to prevent it from being compromised, whether by accident or through deliberate action.
The data protection officer will likely formulate how this is achieved with both the data controller and the data processor having responsibilities for the day to day protection and privacy of the personal data being held.
There are three key requirements relating to data protection and privacy which are detailed within this aspect of the regulation:
When considering the requirements to be implemented to ensure data security and reduce the likelihood of data breaches, there needs to security which is in proportion to the potential risks from the processing. Key measures come from considering how valuable the data may be along with the nature of its sensitivity and confidentiality.
Producing a data protection impact assessment is one way in which the data protection risk can be assessed, and this process is discussed further within the Implementation of GDPR article. Accountability for data security is a key requirement in ensuring data privacy and the protection of personal information from an unauthorized third party.
Where there has been a breach of data privacy, the GDPR lays out very clear requirements. Where personal data is involved, and people are put at risk, then the organization is required to report the incident to that country’s information commissioner within 72 hours of the data breach being identified. From there, a process of assessing who may now have the data, the scale of the issue and how seriously people may be affected is required.
If there is a requirement to report the incident, it cannot be emphasized strongly enough how important it is to meet the timescale of reporting the breach within 72 hours. Even if not all the information is available, taking the situation seriously, showing that there is respect of data privacy laws, may reduce or limit any fines or financial penalties which are issued to the organization.
GDPR requires that not only does an organization recognize their responsibility to comply with its requirements but that it can also demonstrate that compliance is in place. Within the legislation, it states that the data controller is the person who has the ultimate responsibility for this principal. In reality, however, the data protection officer will likely be able to provide guidance to ensure that GDPR compliance is in place.
Accountability requirements do differ depending on the size of the operation. Larger organizations may decide to introduce a privacy management framework which embeds a culture of committing to data protection and the meeting of GDPR requirements. This might include reporting, assessment and evaluation procedures along with program controls to ensure data privacy and reducing the likelihood of data breaches.
Smaller organizations may meet the accountability requirement by firstly ensuring that there is an understanding of the need for data protection and the impact this can have on data subjects. This then needs to be combined with policies and procedures for how personal data is handled in all its forms along with records being kept of what data is processed and for what reason.
The Data Protection Impact Assessment (DPIA) is a key requirement for meeting the GDPR accountability principle. This requires both the identification and minimizing of the data protection risks where there is processing which is likely to result in a high risk to the data subjects.
Whilst a data protection impact assessment is essential in that situation, it is also considered to be good practice to carry out the process for any significant project where there is the potential for data protection or data privacy issues.
The DPIA must include the following:
GDPR suggests that assessing risk requires the consideration of both the likelihood and the severity.
This then means that high risk has the potential to come from the high probability of some harm, or a low possibility of serious harm. Where a high risk is identified, which cannot be mitigated then the Information Commission Office of the relevant country will need to know of the issue and consider the situation before the processing commences.
The European Union were very clear within their implementation of the GDPR that EU citizens should have several rights for the protection of their personal data and to ensure data privacy. From these, eight areas were established, each of which has its own specific requirements to ensure GDPR compliance.
This first requirement is the underlying basis for GDPR, it’s about ensuring that individuals have clear information about what an organization does with their personal data. When considering the information that needs to be provided, there are two key differences in the requirements depending on whether a business collects the personal data directly from the individual or whether they obtain it from another source. The first difference is that when the data comes from another source, the individual needs to be advised of who that source was.
The second difference is that providing details of whether individuals are under a statutory or contractual obligation to provide the personal data, is only a requirement when the data is sourced directly from the individual.
Other than those differences all additional key information such as the name and contact details of the organization, the contact details of the data protection officer and the purposes of the processing should all be provided to both forms of data collection.
When considering when that information should be provided, the GDPR requires this to happen no later than one month after the personal data has been provided. However, if the data is used to communicate with the data subjects, then the right to be informed applies from the first communication taking place.
Likewise, if it is anticipated that the personal data will be disclosed to someone else, then notification needs to happen no later than when this disclosure takes place.
The required information can be provided on the organization’s website, but it does need users to be made aware of it and for it to be easily accessible. There are a few exceptions for this requirement which include when the data subject already had the information, when it would be impossible to provide the information or if there is a legal obligation to obtain the data.
The key requirement here is that individuals must be able to request a copy of the personal data which is held on them. This means that they must receive confirmation that their request is being processed, a copy of their personal data and any other supplementary information such as the purposes of the processing, the retention period of the data and the right to complain.
The GDPR does not define a specific format for the request to be made, so this could be done verbally, in writing or by social media. There is also no requirement for the request to be made to a specific person which heightens the need for all members of staff to understand the importance of recognizing a request.
Generally, a fee may not be charged for receiving this information, and it should be provided within one calendar month from the date that the request was made.
This requirement means that if a request for rectification is made, then reasonable steps need to be taken to either confirm that the data is correct or to rectify it where necessary. GDPR requires that the organization is required to consider any argument which is put forward by the data subject and also any evidence which is provided.
In terms of what reasonable steps are, this is determined by how important the data is, the greater the importance then the higher the effort required to check it.
While the data is being checked, then there should be an avoidance, where possible, of any additional processing. Organizations have one calendar month in which to comply with a request for rectification. It should be noted, however, that a request for rectification does not necessarily result in the data being rectified.
If the organization feels that the data is correct, then they are required to notify the data subject of their decision and provide information on the appeals process. Equally, if a request is deemed to be manifestly unfounded then again, the data subject can be advised, within one month that no further action will be taken and again also be informed of the appeal process.
There are several reasons why a data subject may request that their personal data is erased. These include, when the data is no longer needed for the purpose it was collected for and when consent is withdrawn for its use. There are some exemptions stated within the GDPR which remove the requirement to erase the data.
This includes where there is a legal obligation to hold it and where it is used in a task which is carried out for public interest.
Requests can be made by any means; there is no requirement for a request from a data subject to only be accepted when sent to a specific email address or to have a particular subject line. Organizations are then given a maximum of one calendar month to respond to the request.
In certain circumstances, the GDPR gives an individual the right request that their personal data is only used in ways which they approve. This does mean that organizations need to have a process in place which allows them to segment databases or flag specific data for processing in restricted ways.
An additional requirement to this right comes from where data is shared. This would mean that all those with whom the data was shared, must also be aware of and comply with any restrictions on data privacy which have been put in place.
Data subjects who request a restriction under the GDPR must be notified of the organizations decision, and where a refusal has been made, then they should be advised of the reason for this and of their right to make a complaint.
The right allows individuals to obtain and reuse their personal data across different services. It means that EU citizens can under the GDPR requirements move, copy or transfer their information from one IT environment to another is a way which ensures data privacy. This requirement enables data subjects to utilize third-party services to help find a better deal easily.
It is essential to recognize that this requirement is not limited to an individual’s identity data such as name and email address, it also includes the history of website usage or search activities and traffic or location data. Data portability only applies to personal data and not to that which is genuinely anonymized.
The data held also may contain information about a third party, and so consideration is needed as to whether they would be an adverse effect on them when transmitting data. For example, a joint bank account would require all of the account holders to agree to a portability request before it is actioned.
With this section of the GDPR giving individuals the right to stop or prevent the processing of their personal data, there needs to be a mechanism in place to both identify and action these requests. As with other requests, there is no set format which data subjects need to use to let an organization know of their objection, and so all client-facing roles should be aware of what action to take to ensure they are promoting GDPR compliance.
An additional challenge for this right is that it need not be an ‘all or nothing’ request that data subjects make. That means that they may only object to some of their personal data being processed or may request that specific methods of processing are stopped. For example, an individual may object to telephone marketing calls but is happy to receive marketing emails.
Exemptions do exist which allow for the continuing processing of personal data despite the individual’s request for it to stop. In this case, they need to know that processing is required for a public or legitimate task as defined by the General Data Protection Regulation.
GDPR defines automated decision making as being a process which is without human involvement and profiling as being the automated processing of personal data to make an evaluation about aspects of an individual.
Concerns about the rapid application of these forms of data processing led to the European Union making additional rules within the GDPR to ensure both data protection and data privacy.
Article 22 of the GDPR is very clear in the requirements of the legislation in that this form of decision making can only be carried out in three situations: