GDPR Key Points
13.11.2017 - by John Clough
The General Data Protection Regulation (GDPR) is the new Europe-wide standard for processing personal data. It comes into force on 25th May 2018. It builds on existing national legislation and, where necessary, strengthens it.
Data Controller - the organisation that determines the purposes and means of processing
Data Processor - an organisation that processes personal data on behalf of the Data Controller
Processing - anything done with data (collecting, storing, viewing, altering, transmitting, erasing, etc.)
Data - information held or stored, either in computer or manual (paper) form
Sensitive Personal Data - data including health, sex life, religion, ethnicity, criminal record, etc.
Data Subject - the living individual whom the data is about
Data Protection Act 1998
GDPR builds on the existing 8 principles of the Data Protection Act. They are:
(1) Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
(2) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
(3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
(4) Personal data shall be accurate and, where necessary, kept up to date.
(5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
(6) Personal data shall be processed in accordance with the rights of data subjects under this Act.
(7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
(8) Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
It also enhances the conditions for processing that are set out in Schedules 2 and 3. At least one of the following Schedule 2 conditions must be met whenever you process personal data:
(1) The individual whom the personal data is about has consented to the processing.
(2) The processing is necessary:
(a) in relation to a contract which the individual has entered into; or
(b) because the individual has asked for something to be done so they can enter into a contract.
(3) The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
(4) The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
(5) The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
(6) The processing is in accordance with the “legitimate interests” condition.
In addition, where sensitive personal data is processed, at least one of the following Schedule 3 conditions must also be satisfied:
(1) the explicit consent of the data subject has been obtained;
(2) the data is necessary to perform a legal obligation in connection with employment;
(3) the data is necessary to protect the vital interests of the data subject or another person;
(4) the data is required for legitimate activities of a political, religious, or trade union body;
(5) personal data has already been made deliberately public by the data subject;
(6) the data is necessary for legal proceedings;
(7) the data is necessary for administration of justice or public functions;
(8) the data is necessary for medical purposes as carried out by a health professional;
(9) the data is necessary to review equality of opportunity;
(10) other circumstances specified by the Secretary of State.
GDPR Key Points in detail:
(1) GDPR applies to all companies processing the personal data of individuals in the EU, wherever the company itself is based;
(2) It widens the definition of personal data to include any identifiable data, including for example, biometric data or IP address;
GDPR will apply to any information that can be used to identify an individual, directly or indirectly. Personal data includes the obvious categories (name, identification number, etc.) but also location data, online identifiers such as IP addresses and cookie IDs, and physical and physiological information. It includes for the first time characteristics such as genetic, mental, economic or social information, and there is particular sensitivity about what it refers to as special categories: racial or ethnic origin, political opinions, religious beliefs, health, genetic and biometric data (where used to identify someone), sex life and sexual orientation. Profiling and personal preferences, which reveal a person's conduct and behaviour, are also within the scope of GDPR. For example, the fact that an individual liked a particular tweet or Facebook post would constitute personal data. In reality, hardly any personal data will fall outside GDPR. For some companies, classifying data already in their possession may be an initial challenge in terms of separating personal data from other information that is held.
(3) There are new rules for obtaining valid consent from individuals to store and use data that relates to them;
New rules have been introduced relating to the collection of data. In particular, consent must be explicit for certain categories (for example special category data) unless another lawful basis applies, such as a legal obligation. Consent requests must use plain language, be clear about how the information is going to be used, and organisations will need to be able to prove that affirmative consent has been given. Silence, pre-ticked boxes or inactivity no longer constitute consent, and it must be as easy to withdraw consent as it is to give it. In addition, businesses can no longer make access to a service conditional on consent to processing that is not necessary for that service. Consumers have often complained that opting out or unsubscribing has been difficult to achieve and hard to verify. This changes with GDPR. In addition, existing consents may no longer be valid if they were not obtained to the GDPR standard. There is no question that the new rules provide greater protection for personal data and how it is used. Previously, companies could rely on an implied consent for use of data. Now it has to be explicitly given, even for data that has already been collected. Identity Methods, a provider of Identity Management and Data Security solutions in the UK, reported that 67% of people were concerned about not having complete control over the information they provide online. Hardly surprising therefore that 93% of their public survey were in favour of heavy fines for companies not adhering to regulations on personal data. There is also a requirement for the data to be accurate and up-to-date. This means that companies must have good records relating to personal data and be able to review its history and accuracy. The separate, formal duty to keep records of processing activities applies in full only to organisations with 250 or more employees, unless the processing is likely to result in a high risk to individuals, involves sensitive data, or is not merely occasional; even where it does not apply, keeping such records is best practice.
(4) Personal data should only be held for as long as necessary. The subject has a right to be forgotten;
GDPR requires organisations not to hold on to data for longer than is absolutely necessary, not to use the data for purposes incompatible with those for which it was originally collected and, most importantly, to be able to erase a subject's data at their request (subject to limited exceptions, for example where a legal obligation requires the data to be retained). As a result, organisations will need to ensure they have the processes and technology in place to handle such requests. This includes ensuring that data is erased not only on their own systems but also on any third-party systems that hold or have access to the information, including backups and processors acting on the organisation's behalf.
(5) Those processing data on behalf of organisations are now directly liable for correct processing activities, whereas previously only the data controllers were liable;
Previously, only data controllers were held responsible for data processing activities, but GDPR places direct obligations on processors as well, so that responsibility extends to all organisations that touch personal data. Controllers must also only use processors that provide sufficient guarantees, bound by a written contract.
(6) GDPR requires that privacy is included in systems and processes by design;
According to the EU, privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into account from the inception of any new technology. An organisation needs to be able to show that it has adequate security in place and that compliance is monitored. In practice this means that an IT department must take privacy into account during the whole life cycle of system or process development, from requirements and design through to decommissioning. Privacy by default means that the most privacy-protective settings automatically apply once a customer acquires a new product or service, with no manual change to the privacy settings required on the part of the user. Personal information must by default only be kept for the amount of time necessary to provide the product or service. In addition, only the information about an individual that is necessary to provide that service should be collected or disclosed. The regulation also stipulates that personal information should not by default be made accessible to an indefinite number of individuals.
(7) Many organisations processing personal data must appoint a Data Protection Officer (DPO);
GDPR requires the mandatory appointment of a Data Protection Officer (DPO) in all public authorities and in any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category or criminal conviction data. The GDPR does away with the criterion of number of employees in a company and focuses instead on what an organisation does with the data. The GDPR also allows the data protection officer functions to be performed either by an employee of the controller or processor or by a third-party service provider, creating opportunities for consulting and legal firms to offer outside DPO services.
(8) GDPR requires data controllers to assess privacy risks to individuals;
GDPR requires data controllers to conduct Data Protection Impact Assessments (DPIAs, often previously called Privacy Impact Assessments or PIAs) to assess privacy risks to individuals in the collection, use and disclosure of their personal data. Specifically, data controllers must conduct a DPIA where the processing is likely to result in a high risk to individuals, so that the risks to data subjects are minimised. The impact assessment should happen before the organisation starts the processing in question. When risks are identified, the GDPR expects the organisation to formulate measures to address them. Those measures may take the form of technical controls such as encryption, pseudonymisation or anonymisation of data. Companies processing personal data are also obliged to keep detailed records of the data they hold and of the processing conducted on that data. The requirements vary by size of company and type of processing, but it is certainly best practice to keep such records, particularly as demonstrable compliance may help reduce any breach fines imposed. For example, maintaining a record of a data transfer to a third country, and of the safeguard relied on for it, would be a sensible action.
(9) In the event of a breach the relevant supervisory authority must be notified within 72 hours;
GDPR harmonises the various data breach notification laws in Europe and is aimed at ensuring organisations constantly monitor for breaches of personal data. Businesses will need to ensure they have the technologies and processes in place to detect and respond to a data breach. GDPR requires all organisations to report certain types of data breach to the relevant supervisory authority, and, where the breach is likely to result in a high risk to individuals, to the individuals affected as well. This covers personal data breaches: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Breaches are assessed on a case-by-case basis, and a notifiable breach (one likely to result in a risk to individuals' rights and freedoms) has to be reported to the relevant supervisory authority (the national data protection authority) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that period, so it allows companies to provide information in phases. Failing to notify a breach when required to do so can result in a significant fine of up to €10 million or 2% of global annual turnover, whichever is higher. Either fine could be crippling to an organisation, in particular to an SME. So, what information must a breach notification contain?
(a) The nature of the personal data breach including, where possible:
- the categories and approximate number of individuals concerned; and
- the categories and approximate number of personal data records concerned
(b) The name and contact details of the data protection officer (if the organisation has one) or other contact point where more information can be obtained
(c) A description of the likely consequences of the personal data breach; and
(d) A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects
For many organisations, this may require training of personnel to ensure data breaches are properly understood and recognised, and making changes to internal data security policies. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place, together with a data breach plan with specific roles and responsibilities for individuals within the company. Organisations must also document every personal data breach, including those judged not notifiable, so that the supervisory authority can verify compliance.
(10) GDPR restricts the transfer of personal data to countries outside the European Union;
GDPR imposes restrictions on the transfer of personal data outside the European Economic Area, to "third countries", in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Data transfers have increased rapidly due to the rise in social media and the adoption of cloud services. The current EU Data Protection Directive allows unrestricted transfers only to third countries that the European Commission has found to provide an "adequate" level of data protection; importantly, the US as a whole is not one of those countries, so transfers there rely on specific mechanisms such as the EU-US Privacy Shield or standard contractual clauses. Where there is no adequacy decision, a transfer is permitted only where the organisation receiving the personal data has provided appropriate safeguards. Individuals' rights must remain enforceable and effective legal remedies for individuals must be available following the transfer. Separately, GDPR also gives data subjects a right to data portability: they can request that their data is provided to them, or transmitted to a third party, in a "structured, commonly used and machine-readable format". Requests must be answered without undue delay and in any case within one month of receipt (extendable by a further two months for complex or numerous requests, provided the subject is told within the first month). In most cases, this should be relatively straightforward if the data is held in a structured form. Increasingly, however, data is held in unstructured formats. Where there are multiple formats involved, such as video, this may be more challenging.
What you need to do to prepare
Category: Compliance