GDPR for Dummies
Why do we need GDPR?
The General Data Protection Regulation (GDPR) is a landmark piece of data privacy legislation that came into effect on May 25th 2018. GDPR was designed to introduce principles that aim to minimise the risk of data theft and ensure that adequate protections are put in place to protect the integrity of confidential information. GDPR also aims to give individuals more rights over their data.
We now live in the age of ‘big data’, and it was evident that before GDPR, existing data protection laws were not robust enough to deal with recent rapid technological advances. The expanding black market in personal data poses a significant threat to any individual who stores data online. European lawmakers recognised that there were not enough legal protections in place to ensure that large organisations adequately protect the data they hold. In January 2012, the European Commission set out plans for data protection reform across the European Union to make Europe ‘fit for the digital age’. GDPR was the result.
Basic GDPR Definitions
It is essential to become familiar with the definitions of the most basic concepts of GDPR to have a comprehensive understanding of the rest of the legislation. The definitions are presented in GDPR Article 4.
Personal data: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Processing: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Who must comply with GDPR?
GDPR covers organisations that process the data of people living within the EU, no matter where the organisation itself is located. GDPR covers all types of organisations, including public agencies, governments, or companies of various sizes.
The law states that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out following this Regulation, regardless of whether the processing itself takes place within the Union.” Even if an organisation only collects or processes data through a subsidiary or branch of the parent company that is based in the EU, it is bound to comply with GDPR.
For example, a Canadian company that collects the data of French citizens through an online transaction must comply with GDPR, even though they have no physical presence in France.
As a reminder, the EU Member States are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.
Although the UK is due to leave the EU in March 2019, GDPR was introduced to their laws in May 2018 along with the other member states. Therefore, GDPR will remain a part of UK law after Brexit.
Are there any GDPR Exemptions?
There are certain circumstances in which GDPR does not apply. Articles 85 and 91 outline these exemptions, although Article 23 clarifies that member states may apply their specific exemptions to GDPR.
One of the most critical cases in which GDPR does not apply is where an individual poses a threat to the rights and freedoms of others; in that case their data is not treated the same way as the data of other citizens.
Such circumstances may include:
- Defence concerns
- Crime prevention
- Financial security
- Prosecution of a crime
- Suspected tax evasion
- Public health concerns
- Freedom of information
Member states are also free to add requirements of their own to ensure extra protection for private data. Organisations must meet all GDPR requirements in addition to any such national requirements.
GDPR’s Data Breach Requirements
Article 33 of GDPR requires data controllers to notify the supervisory authority of a data breach within 72 hours of its discovery unless they have determined that the risk of harm to the individuals affected is minimal. Data processors are required to inform data controllers that a data breach has occurred without “undue delay”.
Article 34 stipulates that the organisation is required to notify individuals that their data has been compromised if it is possible that they are at heightened risk of fraud or having their data used for nefarious purposes. However, they are not required to notify individuals of a data breach if the breached data was “unintelligible to any person who is not authorised to access it”, such as through encryption.
Cost of GDPR Violations
As the requirements above suggest, the cost to an organisation of complying with GDPR can be significant. However, the cost of violating GDPR is even higher. The EU can fine organisations for GDPR non-compliance, with the size of the fine varying with the type and severity of the violation. The maximum fine, reserved for particularly egregious breaches, is €20 million or 4% of global annual turnover, whichever is higher.
In addition to the financial costs, organisations that are found to be non-compliant with GDPR may suffer severe reputational damage. Consumers are becoming increasingly concerned about how businesses use their data and may wish to avoid organisations that do not take their responsibilities seriously. The implementation of GDPR received a great deal of press coverage; significant violations may receive the same treatment.
Summary: How to Become GDPR Compliant
1) Become familiar with GDPR
Those wishing to become compliant with GDPR must become thoroughly aware of all of its rules and stipulations. GDPR is a complex piece of legislation; many resources may need to be invested in ensuring that compliance is achieved. Depending on the size of an organisation’s operations, this may prove costly. If there is any doubt about a piece of the legislation, legal counsel should be sought.
2) Perform an audit on data
GDPR requires all organisations to know the details of what data they hold, where they store it, for what reason they use it, and who is responsible for managing it. Performing a comprehensive audit on the data the organisation currently holds is the easiest way to achieve this. Furthermore, an audit will allow the organisation to identify any areas which may need particular attention to make them compliant with the new regulations.
3) Check processes and procedures
GDPR has many rules and stipulations, and organisations must ensure that they have processes and procedures in place to follow these requirements. They also need to fully document these processes and procedures so that they can prove they are acting in compliance with the regulation.
4) Check consent processes
One of the most significant changes that GDPR introduced is the overhaul of consent procedures. Businesses will need to ensure that they have consent to process personal data, unless there is another valid legal basis for them to process the data. Businesses must obtain the consent of the individual for each specific reason for processing. Using pre-checked boxes or consent-by-default is a violation of GDPR.
5) Recognise high-risk data and processes
Article 9 of GDPR covers “high risk” data. Businesses need to assess whether aspects of their data processing might also present a high risk. Every business needs to adjust for these risks by producing detailed plans and procedures to follow. If the business cannot correctly adjust its practices, the business should seek advice from the relevant Data Processing Authority (DPA) before any processing of the data can be attempted.
6) Plan for a data breach
Data breaches can be catastrophic for individuals and organisations alike. The best way to mitigate the damage in the event of a data breach is to have a solid contingency plan in place beforehand. GDPR has strict requirements when it comes to dealing with data breaches, such as requiring organisations to report the data breach within 72 hours of its discovery. Organisations must ensure that they are ready to react immediately if a breach were to occur.
7) Consider hiring a data protection expert
It is recommended that organisations consult with third-party data security experts to ensure that they have robust security frameworks in place to comply with GDPR’s data protection requirements. All organisations need to appoint a Data Protection Officer, but an external expert will help expedite the process of achieving compliance.