Please note: This is not intended to be an exhaustive guide. We make no representations that the information contained in this article is error free, or that the interpretations of the law contained herein are accurate. Interested parties are advised to read the legislation comprehensively and obtain appropriate legal advice.
At inploi we take data transparency and protection extremely seriously. The GDPR is a nifty piece of European Union legislation designed to provide formal regulations for doing just this, protecting the data of EU residents. Whilst the GDPR brings about extensive changes and added responsibilities for those who hold and process people’s data, we believe it is a welcome intervention and a step in the right direction to ensuring that people’s privacy is protected.
We have set out to demystify it a little, to explain (in broad terms) what it is, what rights it grants to people, and how they are able to exercise those rights. This is a lightweight, easily understandable (hopefully) guide to a complex piece of legislation, for both individuals (“data subjects”) and companies/organisations (“data controllers”/“data processors”).
The General Data Protection Regulation (GDPR) is a European Union regulation [(EU) 2016/679] intended to harmonise data privacy laws across the EU’s member states. It deals with the protection of natural persons (individuals) with regard to the processing of their personal data, and the movement of such data.
The protections granted to individuals under the GDPR are broad, and apply to “all data subjects residing in the Union” – i.e. to all natural persons (human individuals) within the EU’s member states.
The GDPR applies to any information concerning an identified or identifiable natural person. Specifically, ‘personal data’ means any information relating to a ‘data subject’ – someone who can be identified, directly or indirectly, using data including an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes cookies, IP addresses, contact information, and RFID tags.
Anonymous / anonymised information (provided it cannot be attributed to an individual using additional information) is not covered. The data of deceased persons is also not within its scope.
The provisions of the GDPR are binding on all ‘data controllers’ – those who hold and process the information of European data subjects – regardless of their location, or the locations of their servers.
The EU clearly lays out the rationale for the implementation of the Regulation:
(6) “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data”.
(7) “Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced”.
The regulation continues, saying:
(11) “Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States”.
Enter the GDPR.
The provisions of the GDPR are enforceable from the 25th of May 2018. As a regulation rather than a directive, it is immediately binding on national governments and they are not required to pass their own legislation.
In short, yes. Britain remains a member of the EU until the 30th of March 2019, within which period it is subject to EU regulations. It also seems likely that there will be a period of ‘regulatory continuity’ after Brexit during which time the laws of the EU will remain binding.
It is unclear whether the UK will retain the provisions of the GDPR in national law following exit and the passing of the “Great Repeal Bill”. Many if not all provisions will almost certainly be retained. Nevertheless, any UK companies providing goods or services within the EU/to EU citizens will still have to comply.
Individual countries are required to provide for an independent public authority to be responsible for monitoring the application of the GDPR, protecting the rights and freedoms of people, enforcing its provisions regarding the processing of data, and facilitating the free flow of information within the Union. In the UK this authority is the Information Commissioner's Office (the ICO).
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
There are 6 key overarching principles relating to the processing of personal data laid out in the GDPR. This processing shall be:
Nevertheless, with the exception of particular circumstances (which are not covered in this document), it is prohibited to process certain data, including that which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person's sex life or sexual orientation is also prohibited. Data on past criminal convictions also has specific protections.
Consent is likely the most common avenue through which a controller can lawfully process data (and is arguably the most ‘clear-cut’). It is important that this consent is obtained explicitly. Consent must cover all processing activities carried out for the same purpose. When processing has multiple purposes, consent must be given for all of them.
To demonstrate this consent it must be shown that:
Specifically, consent must be given by:
This act could include a written statement, an oral statement, the active ticking of a box, or conduct which clearly indicates in a specific context the data subject's acceptance of the proposed processing of his or her personal data. If consent is to be given by electronic means, the request must be clear and concise. The proposed processing for which consent is asked cannot be unnecessarily broad.
Silence, pre-ticked boxes or inactivity/non-response does not constitute consent.
Consent can be withdrawn by a subject at any time.
It is necessary to consider whether processing for another purpose is compatible with the purposes for which the data was originally collected, taking into account:
If it is compatible, having considered the above, then no separate legal basis from that which allowed the processing of the personal data in the first place is required.
If it is not compatible, controllers must provide subjects with information about the new purpose and provide them with required information (see below – “what do you need to tell data subjects”). This does not apply insofar as a subject already has or has been provided with the information.
Where personal data are collected from a data subject the controller must provide the subject with information (generally in the form of a Privacy/Data Policy) on:
In instances where personal data has not been obtained directly from the data subject, the controller must provide the subject the information above, in addition to information about the source of the personal data, within a reasonable period of time. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
This information must be provided within a reasonable time after obtaining such data but at the latest within one month, or, if the personal data are to be used for communications with the subject then at the time of the first communication to the subject.
Data subjects are granted the right to obtain confirmation from the data controller as to whether personal data concerning them is being processed, what it is, where it is processed, and for what purposes. The information listed in “what information do you need to provide data subjects” must be given to subjects, in addition to a copy of all data held.
The right to get the controller to rectify any inaccurate personal data concerning data subjects.
Data subjects are entitled to have their data erased, ceasing its further dissemination, and to have third parties halt processing of that data.
Where the controller has made personal data public and is subsequently obliged to erase it, the controller must take reasonable steps to inform other controllers processing that data that the subject has requested its erasure, including a request to erase any links to, copies of, or replications of that personal data.
Data subjects have the right to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine readable format' and have the right to transmit that data to another controller.
Where personal data are processed for direct marketing purposes, the data subject has the right to object to processing of personal data for such marketing, which includes profiling to the extent that it is related to such marketing. Personal data should no longer be used for such purposes in this case. This right must be brought to the attention of users explicitly and stated separately from other information.
The protection of data must be integral to the building of systems and the processing of information. The controller must implement appropriate technical and organisational safeguards, including data protection policies, to effect this. Controllers should hold and process only the data necessary for the completion of their duties (data minimisation), as well as limiting access to personal data to those who need it to conduct processing.
Regardless of severity, the controller must document all data breaches detailing the facts of what happened, its effects, and what was done to address it. This must be kept to demonstrate compliance to any supervisory authority.
When a data breach is likely to “result in a risk to the rights and freedoms of individuals” the controller must within 72 hours of first having become aware of the breach notify the supervisory authority [the ICO].
When necessary, notifications must include:
In instances likely to result in a risk to the rights and freedoms of individuals the data subject must also be informed “without undue delay”, unless:
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to the analysis or prediction of aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The controller should use appropriate mathematical/statistical procedures for profiling, implementing technical and organisational measures to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and that the risk of errors and discrimination is minimised.
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, unless, amongst other things, this is based on explicit consent. E-recruiting and the electronic evaluation of a subject's performance at work are explicitly identified in this provision.
Regardless, the subject has the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest a decision based on such profiling.
Every data subject has the right to lodge a complaint with a supervisory authority, in the member state of residence, of work, or of alleged infringement if the subject considers the data processing to infringe the GDPR.
In circumstances when it is necessary to provide information to data subjects (e.g. following a request for data/information) this should be done:
Information must be provided without undue delay, within one month of the receipt of the request. This can be extended to two months in certain circumstances. It must be made clear to subjects how they can exercise their rights.
The provision of information must be free of charge, unless requests for information are manifestly unfounded or excessive. In this case, a reasonable fee may be charged or the request refused.
If the controller does not provide the information, the subject must be informed why not and told about the possibility of lodging a complaint.
The controller should only use external processors that have provided sufficient guarantees that they will implement appropriate technical and organisational measures, and that have satisfied the controller that the manner of processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
External processors are not allowed to engage other processors without the written authorisation of the controller.
Agreements/contracts with these parties must set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. The GDPR lays out the contents of such agreements explicitly in article 30.
Controllers must keep a record of processing activities under their responsibility, including:
Processors should maintain a similar register of information.
However, organisations employing fewer than 250 persons are exempt from this requirement, unless the processing is not occasional, includes sensitive categories of data, or is likely to result in a risk to the rights and freedoms of subjects.
Taking into account ‘state of the art’ procedures, costs of implementation, context, and purposes of processing in addition to the risk to the rights of subjects, technological and operational security features must be implemented, including, as appropriate:
Particular consideration should be given to the consequences of data loss/breach when determining appropriate measures.
The appointment of a Data Protection Officer (DPO) is only mandatory for controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences. They must be suitably qualified and must not perform any task that could result in a conflict of interest.
Supervisory authorities have particular remedies available to them in order to address contraventions of the GDPR. Their application of these shall be determined on a case by case basis, and include:
Administrative fines can be imposed in addition to or instead of other remedial measures. These can be up to a maximum of €20m or 4% of global annual turnover in the preceding financial year (whichever is the greater). When deciding whether to impose a fine (and its amount), regard should be given to:
So the bottom line is that whilst it is unlikely the ICO will act vindictively and without due warning and an appreciation of circumstances, the GDPR has to be taken seriously – not only because of the punitive measures which may result from breach, but because it is a broadly sensible regulation that is intended to secure and protect people’s data – including yours!
For organisations / “data controllers” contemplating how to become compliant with the GDPR, the Information Commissioner's Office has put together a handy document which is thoroughly recommended: 12 Steps to Take Now.