GDPR for Dummies
What is GDPR?
In May 2018, the EU introduced the General Data Protection Regulations. The need for GDPR was clear; existing regulations were unable to deal with the increased risk of data theft. The creators of GDPR sought to introduce regulations to reduce the risk of data theft to a minimum. GDPR requires organisations to place many safeguards on data to maintain the integrity of confidential information.
How does GDPR define personal data?
Article 4 of GDPR defines personal data as: ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
Some examples of information that may be classified as ‘personal data’ include:
- Dates of birth
- Phone numbers
- Audio/visual recordings of the individual• Bank details
- Passport numbers
- Insurance policy numbers
Not all personal data is treated the same way under GDPR. Article 9 of GDPR defines “special category data” as data that, if exposed, could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination.
Examples include the following:
- Race and ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union memberships
- Biometric data used to identify an individual
- Genetic data
- Health data
- Data related to sexual preferences, sex life, or sexual orientation
Under GDPR, organisations must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. However, some EU member states have an outright ban on any organisation from using any special data even if the subject gave their consent for the organisation to do so.
Who must comply with GDPR?
In simple terms, any company that has offices within the EU is subject to the GDPR. The law states that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out following this Regulation, regardless of whether the processing itself takes place within the Union.” Even if an organisation only collects or processes data through a subsidiary or branch of the leading company which is based in the EU, they are bound to be compliant with GDPR.
GDPR’s scope does not end here; however; GDPR applies to any business or organisation that processes the data of people living within the EU, no matter where the organisation itself is located. For example, an American organisation that collects the data of EU citizens during, say, online transactions are required to protect that data to GDPR’s standards, even if they have no physical presence in the EU.
What are Data Controllers and Data Processors?
GDPR defines a data controller as an organisation which decides the reasons for which data must be collected and how that process occurs. Data controllers have many legal obligations under GDPR.
Data controllers must:
- Affording transparency with the data subject as to how they handle their data
- Ensuring that data may easily be translated from one place to another
- Providing evidence to the data subject that they are fully GDPR-compliant
- Ensuring that they can uphold the rights of a data subject
On the other hand, data processors as are “natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller”.
Data processors must:
- Have a pre-arranged contract with a data controller regarding the processing of data
- Ensure that the rights of the data subject are respected
- Adequate safeguards must be in place to protect the integrity of sensitive data
Who is Exempt from GDPR?
While the majority of organisations that fit the above criterion are expected to comply with GDPR, there are limited exceptions.
Circumstances relating to the processing of personal data which warrant GDPR exemptions include:
- Organisations that process data during an activity that falls outside of the law of the European Union
- Individuals that process data for personal or household activity
- Government agencies and law enforcement when data are collected and processed for the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties or for preventing threats to public safety
- Member States processing personal data for activities under the scope of Chapter 2, Title V, of the Treaty on European Union
Where will GDPR apply?
GDPR covers all types of organisations, including public agencies, governments, or companies of various sizes that collects the data of individuals located in the EU.
As a reminder, the EU Member States are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.
Although the UK is due to leave the EU in March 2019, GDPR was introduced to their laws in May 2018 along with the other member states. Therefore, GDPR will remain a part of UK law after Brexit.
What are the GDPR Penalties for Non-Compliance?
If a regulatory authority finds an organisation to be non-compliant with GDPR, they can charge them with any of a number of different penalties. The size of the fine depends upon various factors, including the type of violation or the number of records affected in a data breach. In the event of a data breach, the regulatory authority also takes the organisation’s response to the breach into account. Maximum penalties (which can include accidental disclosure) for GDPR non-compliance are considerable:
- Non-compliance with GDPR security standards may result in a €10 million or 2% of global annual turnover fine – whichever is higher.
- Non-compliance with GDPR privacy standards may result in a €20 million or 4% of global annual turnover fine – whichever is higher.
What are the GDPR’s Core Principles of Data Protection?
GDPR outlines several core principles of data protection that guide the rest of the legislation. These include:
- There are different categories of data, such as “identifiable data” or “special data”, and each class must be treated appropriately
- There must be a legal basis for processing data, and processing must be done in a fair and transparent manner
- Only the minimal amount of data necessary should be collected
- Data should only be processed for a pre-defined purpose
- Any data collected should be accurate and precise
- There should be limits to the length of time for which data can be stored
- The integrity and confidentiality of the data must be protected
Understanding these core concepts is essential if the organisation is to correctly implement GDPR and ensure that consumer data always remains secure.
What is a GDPR DPO?
Most organisations that are covered by GDPR must hire a data protection officer (DPO). The primary responsibility of a DPO is to ensure that the organisation protects the personal data of data subjects to the standards outlined in GDPR. A thorough understanding of privacy laws is fundamental to achieving full compliance with GDPR.
The other responsibilities of a DPO include:
- the education of staff on subject data rights and their responsibilities under GDPR
- advising to senior management regarding GDPR compliant business practices
- monitoring activities across the organisation to ensure they are GDPR compliant
- cooperation with the Lead Supervisory Authority
- assessing IT systems, computer networks and data protection safeguards to ensure they are of the required standard
- notifying data subjects in the event of a data breach
What is GDPR-compliant data collection?
GDPR has introduced strict procedures which must be followed to ensure that data collection is performed in a safe manner that is fair to the data subject. Companies looking to implement GDPR must be familiar with the correct forms of data collection.
Some of the most critical aspects of GDPR-compliant data collection are outlined here:
- The data subject should give their informed consent for their data to be collected, and they must be told precisely for what purposes their data will be used.
- GDPR states that individuals under the age of 16 are unable to give informed consent, and a parent or guardian must give consent. However, GDPR allows individual EU states to lower this age of consent to 13 if they wish.
- There are some special cases—such as a national emergency or criminal incident—for which the above rules do not apply, and consent is not needed for data collection to take place. Employees should be aware of the particular circumstances in which these exceptions apply.
Organisations must choose the most appropriate basis for processing, and consider all viable options in determining which process is best for a given situation.
- Become thoroughly aware of all the rules and stipulations of GDPR
- Perform a comprehensive audit on data and know what data is being held and for what purpose
- Check that all processes and procedures that involve consumer data are GDPR- compliant
- Ensure that consent for data collection and processing is obtained in a GDPR-compliant manner
- Recognise high-risk data and processes as described by Article 9 of GDPR and change business practices to handle this data in a safe and secure manner
- Have a full data breach contingency plan in place
- Consult with a third-party data security expert to ensure that your organisation’s security framework is both robust and fully compliant with GDPR
GDPR Guide for Dummies: Conclusion
GDPR is a very complex piece of legislation. Achieving full compliance is an arduous, labour-intensive and potentially costly task. This guide offers a starting point for organisations looking to become GDPR-compliant, but it is recommended that if you have any doubts about whether a particular process complies with the Regulations, you seek legal advice.