What is GDPR?
A person’s data is highly sensitive information. As well as revealing a lot about the person it concerns, things such as health data or credit card numbers also have a high black-market value. Thus, especially since the digitalisation of health data, it is critical that adequate protections are in place to minimise the risk of this information being accessed by criminals. In Europe, the Council of Europe and the European Union are in charge of setting data regulations. However, cyberattacks are on the rise, and in the last year we’ve also seen major companies getting involved in schemes that sell customer data.
With this in mind, the General Data Protection Regulation (GDPR) was established. It sets out a number of principles that aim to minimise the risk posed to data, but also gives more rights to the person the data concerns. Based on earlier documents relating to data security within the EU (such as the Council of Europe’s Convention 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data), the new legislation is more pertinent to modern life.
GDPR came into effect on the 25th May 2018, replacing the national privacy laws of all EU member states. However, just a few months before, only 2% of representatives thought their organisation was “GDPR-ready”. To ensure that all future practices are GDPR-compliant, and that customers’ privacy is safeguarded, all employees must be trained in the field of GDPR compliance. Here, we lay out a general training course suitable for a broad range of employees regardless of rank or role. However, it is also recommended that employees seek out role-specific recommendations for GDPR compliance in addition to this article.
Where and when does GDPR apply?
Any controller or processor that operates within an EU member state must be GDPR-compliant. This holds true even if the actual data processing is outsourced to operations in a non-EU country.
Additionally, any controller or processor that handles the data of EU nationals must also adhere to GDPR. This also extends to consular posts or embassies of EU member states.
GDPR applies in most cases where the personal data of a natural or legal person is involved. There are, however, a few notable exceptions. One is when there is a legitimate threat to national security, where qualified individuals may process data without all the necessary consent steps. Similarly, if data must be processed to prevent a crime, it is allowed.
Information about the deceased also does not fall within the definition of personal data.
What is data processing?
As mentioned above, personal data is highly sensitive information. Anything that can be used to identify a person (termed the “data subject”), either directly or indirectly, is considered to be an “identifier” and thus must be protected under GDPR. Some possible identifiers are listed below:
- Name (first, last, middle, maiden etc.)
- Date of birth
- Telephone numbers
- Audio/visual recordings of the individual
- Bank details
- Passport numbers
- Location data
This data all has to be “processed”. This means that, either manually or automatically, it is collected, organised, stored, analysed, altered, etc. Essentially, GDPR defines processing as any action or operation performed on the personal data.
The party that collects the data is known as the “controller”. They also decide what kind of data is collected and what will be done with it after collection. Data may be collected by a social media firm via a registration form to use the site, or by a dentist after medical X-rays are taken. All must comply with GDPR.
Often the controller will enlist a third party, the processor, to manage the data. They will be instructed by the controller as to how the data should be organised, analysed, and stored. Any organisation contracted by a controller to undertake such actions must also be GDPR-compliant.
Article 5 of GDPR outlines six principles of data processing:
- Lawfulness, fairness and transparency of data processing
- Purpose limitation: data collected for a specified purpose should only be used for that purpose unless used for public health or social/scientific research
- Data minimisation: only the minimum amount of data for the task at hand should be collected
- Storage limitation: data must not be kept for more than the time necessary to properly process the data (unless medical data)
- Integrity and confidentiality: all necessary safeguards must be in place to protect data from unauthorised access.
To ensure that these principles are met, it is advised that organisations employ someone in a role equivalent to the Information Security Officer in a hospital. The ISO is in charge of ensuring only the appropriate personnel have access to medical records or part of medical records. For example, someone in billing does not need a patient’s full medical history to send an invoice.
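The minimisation and confidentiality principles above, together with the ISO example of billing staff not needing a full medical history, can be enforced in code as purpose-bound field filtering with an audit trail. The following is an added example, not code from the original article or from any named organisation; the record, the roles, the purposes and the field sets are all constructed, hypothetical policy for the illustration.

```python
"""Purpose-bound, minimised access to a patient record (added example)."""
from datetime import datetime, timezone

# Constructed sample record; every value here is made up for the example.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "date_of_birth": "1980-01-01",
    "invoice_address": "1 Example Street",
    "medical_history": ["hypertension", "fractured wrist 2017"],
    "xray_ids": ["XR-42"],
}

# Data minimisation: the smallest field set each purpose needs (hypothetical policy).
PURPOSE_FIELDS = {
    "billing": {"patient_id", "name", "invoice_address"},
    "treatment": {"patient_id", "name", "date_of_birth", "medical_history", "xray_ids"},
}

# Purpose limitation: which purposes each role may invoke (hypothetical policy).
# Anything not listed is denied by default.
ROLE_PURPOSES = {
    "billing_clerk": {"billing"},
    "clinician": {"treatment", "billing"},
}

# Accountability: every access decision, granted or refused, is recorded here.
AUDIT_LOG = []


class AccessDenied(Exception):
    """Raised when a role asks for data under a purpose it is not allowed."""


def access_record(record, role, purpose, now=None):
    """Return only the fields the stated purpose needs, or refuse the request.

    The decision is logged either way so the controller can later demonstrate
    who saw which fields, for which purpose, and when.
    """
    now = now or datetime.now(timezone.utc)
    entry = {
        "time": now.isoformat(),
        "role": role,
        "purpose": purpose,
        "subject": record["patient_id"],
    }
    if purpose not in ROLE_PURPOSES.get(role, set()):
        entry["granted"] = False
        AUDIT_LOG.append(entry)
        raise AccessDenied(f"role {role!r} may not process data for purpose {purpose!r}")

    allowed = PURPOSE_FIELDS[purpose]
    view = {key: value for key, value in record.items() if key in allowed}
    entry["granted"] = True
    entry["fields"] = sorted(view)
    AUDIT_LOG.append(entry)
    return view


if __name__ == "__main__":
    # The billing clerk sees address and name, never the medical history.
    print(access_record(PATIENT_RECORD, "billing_clerk", "billing"))
    try:
        access_record(PATIENT_RECORD, "billing_clerk", "treatment")
    except AccessDenied as err:
        print("refused:", err)
    for line in AUDIT_LOG:
        print(line)
```

The check is deliberately keyed on purpose rather than on role alone: a clinician who also handles invoices gets the billing view when acting for billing, which keeps each request tied to the purpose the data subject consented to.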
In addition to these six principles, GDPR outlines six legal grounds for data processing. They are shown in Table 1.
Table 1: Legal grounds for data processing.

| Legal ground |
| --- |
| Consent has been obtained from the data subject. |
| Legal contracts require data processing for their fulfilment. |
| Processing is necessary for compliance with a legal obligation. |
| Emergency situations where processing is in the vital interest of the data subject. |
| Tasks of public interest or official duties (e.g. issues of national security). |
| Other legitimate interests. |
Even if one or more of these conditions are met, controllers and data processors must still ensure that the physical, administrative and technical safeguards are in place to protect a customer’s data.
What is consent in the context of GDPR?
In all usual circumstances, for the processing of data to be lawful it must be done with the data subject’s prior consent. When consent is being solicited, the controller’s objectives must be clearly and unambiguously stated. By giving consent, data subjects are stating that they are happy for the controller to process data in the agreed manner. If the controller later wants to use the data for a different purpose, they must once again seek consent. This must be clearly distinguished from the prior cases of consent.
After giving consent, data subjects retain the right to withdraw this approval. This right should be clearly stated in the initial document seeking consent. However, if the data has already been processed, this processing is considered to be lawful.
All contracts or statements requesting consent from the data subject must be intelligible by a non-professional. They should also be easily accessed. Once the agreement has been signed, consent is considered to have been “freely given”. If the data subject has no choice or cannot withdraw consent, consent is then not considered to be freely given.
Children are an increasingly prominent demographic when it comes to digital media and data. However, as they are legally minors, they cannot freely give consent for their data to be processed. Article 8, in particular, provides for this.
If a controller provides a service directly to a minor (considered to be below the age of 16), processing is only considered lawful if consent is given by a legal guardian of the minor. The EU already has laws regarding contracts involving children, and sets a general rule that the child involved must not be younger than 13 regardless of parental permissions. The onus is on the controller to ensure that consent is given by a legal guardian.
What rights does a data subject have?
GDPR awards data subjects several rights. They are described below, together with the article of GDPR that establishes each one.
| Right | Article | Description |
| --- | --- | --- |
| Right to access | 15 | Right to obtain data from the controller or otherwise to access said data. |
| Right to rectify | 16 | Right to change any personal data should it prove incorrect. There should be no delays in amending the data. |
| Right to object | 21 | Right to prevent controllers and processors from further handling or storage of data. |
| Right to restriction of processing | 18 | Right to prevent further processing of personal data. |
| Right to erasure | 17 | Right to request that personal data held by controllers is erased as soon as possible. |
| Right to data portability | 20 | Right to obtain personal data from controllers in a common, digital format. |
| Right to complain | 77 | Right to lodge a complaint with a supervisory authority in the nation where they reside. |
| Right to judicial remedy | 78/79 | Right to an effective judicial remedy against decisions of supervisory authorities and/or the controller and processor. |
| Right not to be automatically processed | 22 | Right not to be subjected to a decision based only on automated processing, including profiling, where that profiling has legal consequences for the individual. |
| Right to receive compensation | 82 | Right to be compensated by the controller or processor for material or non-material damage. |
| Right to representation | 80 | Right to be represented by a not-for-profit body when lodging complaints or receiving compensation. |
What are the responsibilities of the controller and processor?
First and foremost, the controller must show that they are legally GDPR-compliant. This means that the controller and processor must demonstrate that they have the technical and administrative safeguards in place that protect the rights of the data subject. Ideally, these measures will be implemented by design, i.e. the controller’s policies are set up to provide the maximum protection to the data subject.
If, despite these measures, personal data is still accessed by unauthorised personnel, the controller must notify the supervisory authority without undue delay. To help with this process, and to ensure general GDPR compliance, the controller may find it beneficial to appoint a Data Protection Officer.
The controller also has a duty towards its data subjects to ensure that they can exercise their rights with ease. This applies to all levels of processing, from ensuring the data subject has adequate information when the data is being collected to notifying them of the length of time their data will be stored.
Other obligations of the controller are listed below:
- Maintain records of all types of processing carried out on the data
- Cooperate with the supervisory authority
- Ensure that adequate security is provided
- Notify supervisory authorities if a data breach occurs
- Carry out regular assessments
- Specify procedures for transfer of data outside of the EU
Article 5 also lays out the so-called “Accountability Principle”, which means controllers should be able to demonstrate GDPR compliance and are responsible for ensuring continued compliance.
How can we collect personal data in a GDPR-compliant manner?
It is imperative that, when collecting data, the data subject receives enough information for them to understand why the data is being collected and how it is being processed. They must also understand their rights (e.g. their right to access the data after collection, or the right to amend it if it has been found to be wrong).
When asked for their personal data, the data subject must be provided with the following details:
- Contact details of the controller
- Contact details of the controller’s Data Protection Officer
- Any legal basis for data processing
- The purpose of data processing
- Whether the controller intends to transfer the data outside of the EU
- Why the data subject needs to provide information (e.g. the statutory or contractual requirements)
- Consequences for not providing data
- The rights of the data subject (outlined above)
- If automated processing is being used
- Any other information relating to the handling or processing of data
Data may, however, be collected indirectly. This does not mean the controller no longer has to provide any information to the data subject. Rather, one extra piece of information is needed: how the data was obtained.
There are a few circumstances in which the controller does not need to supply details of processing etc. to the data subject:
- If the data subject has already been informed
- The provision of information would require disproportionate effort (e.g. in public health research)
- The provision of information severely impairs the aims of processing
- Member State law protects the interest of data subjects
- Data must be confidential under Member State law.
How can data be stored in a GDPR-compliant manner?
GDPR stipulates that controllers and processors must maintain meticulous records of all processing activities carried out on the data (Article 30). These records must include the following:
- Name and contact details of controller and DPO
- Types of personal data included
- Purposes of processing
- Procedures for transferring data outside of the EU
- Time limits for storage
- Brief description of the technical and administrative safeguards used by the controller.
All records must be in writing and available to the relevant supervisory authority upon request. If the controller has fewer than 250 employees, they can be exempt from this requirement unless their processing activities put the data subject’s rights at risk, the data concerns criminal offences or the data includes special types of personal data.
We have mentioned “technical and administrative safeguards” many times throughout this piece without going into much detail. Essentially, they are any measure enacted by the controller to protect data from the risks it faces. These risks can take the form of errors made by employees or attacks from cybercriminals. The controller must make sure their systems are kept secure, and that data is encrypted and – where possible – anonymised or pseudonymised. They must also carry out regular assessments to ensure the continued security of data in light of new developments.
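One of the technical safeguards named above is pseudonymisation: replacing direct identifiers with values that cannot be linked back to the person without additional information held separately. The following is an added example, not code from the original article or from any named organisation, showing why a keyed HMAC is used for this rather than a plain hash: an unkeyed hash of a low-entropy identifier (a short patient number, a phone number) can be matched back to the original by simply hashing every possible value, so it gives no real protection. The record, the identifier format and the field names are constructed for the illustration. Note that pseudonymised data is still personal data under GDPR as long as the key exists, so the key must be stored separately from the data and under its own access controls.

```python
"""Keyed pseudonymisation of direct identifiers (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample record; every value here is made up for the example.
RECORD = {
    "patient_id": "P-0042",
    "name": "Example Patient",
    "phone": "+00 000 0000",
    "diagnosis_code": "I10",   # not a direct identifier, kept in clear
}

# Fields that identify the person directly (hypothetical policy).
DIRECT_IDENTIFIERS = ("patient_id", "name", "phone")


def new_pseudonymisation_key():
    """Generate a random key. In practice this is stored apart from the data."""
    return secrets.token_bytes(32)


def pseudonymise(identifier, key):
    """Map an identifier to a stable token using HMAC-SHA256 under `key`.

    The same key always yields the same token, so records can still be joined
    on the pseudonym; without the key the token reveals nothing useful.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]   # truncated for readability; collision risk is negligible here


def pseudonymise_record(record, key, fields=DIRECT_IDENTIFIERS):
    """Return a copy of `record` with each direct identifier replaced by its token."""
    out = dict(record)
    for name in fields:
        if name in out:
            out[name] = pseudonymise(str(out[name]), key)
    return out


def recover_unkeyed(digest_hex, candidates):
    """Show the weakness of an UNKEYED hash: try every candidate identifier.

    Returns the candidate whose plain SHA-256 equals `digest_hex`, or None.
    For a keyed token this search finds nothing, because the key is missing.
    """
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest_hex:
            return candidate
    return None


def patient_id_space():
    """All identifiers of the constructed form P-0000 .. P-9999 (only 10,000)."""
    return (f"P-{i:04d}" for i in range(10_000))


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    safe = pseudonymise_record(RECORD, key)
    print("pseudonymised record:", safe)

    # Plain SHA-256 of the patient number is trivially matched back to "P-0042".
    bare = hashlib.sha256(RECORD["patient_id"].encode()).hexdigest()
    print("unkeyed hash recovers:", recover_unkeyed(bare, patient_id_space()))

    # The keyed token cannot be matched this way without the key.
    print("keyed token recovers:", recover_unkeyed(safe["patient_id"], patient_id_space()))
```

Two consequences follow from the design: different keys for different processing purposes prevent records from being linked across purposes, and rotating or destroying the key is what turns pseudonymised data into data that is no longer reasonably linkable to a person.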
Do processors have any obligations?
As they are acting on behalf of the controller, processors have similar requirements regarding the protection of data privacy. If the processor breaches GDPR, they will be treated as a controller and prosecuted.
There are some other legal requirements of data processors:
- Comply with documented instructions as given by the controller
- Maintain confidentiality and GDPR compliance
- Ensure the controller has enough information to be GDPR-compliant
- Ensure the security of data processing
- Act on the decisions of the controller when processing data.
What happens if there’s been a breach?
In the unfortunate event of a data breach, the controller has just seventy-two hours after discovery of the breach to notify the relevant supervisory authority. If there is a delay in notifying the authority, this must be justified by the controller.
The controller should provide the supervisory authority with information regarding the nature of the breach, the type of data that has been breached, contact details of their DPO, the number of data subjects involved and their plan of action to mitigate any consequences.
Of course, the controller also has a duty to notify the data subject of the breach. This should also be done without delay, especially if it concerns the rights of the data subject. In clear language, the same information must be provided to the data subject as to the supervisory authority. If, however, it is deemed that appropriate measures have been implemented to protect the data (e.g. it has been encrypted) or that the effort to notify is disproportionate, the controller is exempt from notifying the data subject.
What are the penalties of GDPR non-compliance?
GDPR would have little authority if there were no negative consequences of non-compliance. If a breach occurs, or other damages result from data processing, it is the controller that is legally liable. If the data subject has suffered as a consequence of the controller’s actions, they retain the right to seek compensation for said damages.
GDPR infringement attracts large fines: €10-20 million, or 2-4% of the controller’s financial turnover based on the previous year. GDPR lays out the limits for fines, but it is down to the discretion of the supervisory authority to decide how much should be paid for specific violations. The fine should not be excessive, when considering the nature of the violation, but it should also be sufficiently dissuasive.
Some breaches may also lead to legal action being taken against the controller. These proceedings will usually take place in the country where the affected data subject has residency, even if the controller technically has no physical establishment in that country.
After a grace period stretching two years, GDPR has finally become law. It is now imperative that all organisations are familiar with the new regulations and have adapted their practices accordingly. GDPR awards new rights to data subjects, as well as giving more responsibilities to controllers and processors. The latter parties must do their utmost to protect personal data, as well as helping data subjects exercise their rights.
However, even recently, many controllers said they felt ill-equipped to deal with changing legislation. It is advised they conduct thorough audits to check whether they are GDPR-compliant and thus avoid hefty fines. Some questions to consider include:
- Who deals with personal data within the organisation?
- How are data physically safeguarded?
- How are data safeguarded from an administrative standpoint?
- What kind of data is collected? How?
- How can we inform data subjects of their rights?
By considering these questions, amongst others, controllers can take a step towards being GDPR-ready.