General Data Protection Regulation (GDPR) – an overview

On 25 May 2018, the GDPR comes into force, introducing a single legal framework for businesses across the EU to abide by with the overall aim of increasing data privacy for individuals across the region.

Who does it apply to?

Broadly speaking, anyone who is a ‘controller’ or ‘processor’ of EU citizens’ data. In practice, this covers anyone collecting data within a member state of the European Union. Although they are likely to collect data only on a small scale, SMEs are by no means exempt.

What does it say?

  1. Consent

Consent for the collection of data must be freely given, specific, informed and unambiguous, and must be given separately from the acceptance of terms and conditions.

How some mechanisms for consent are likely to be interpreted:

Acceptable

  • Ticking a box (opt-in)
  • Placing a signature
  • Explicit affirmative action

Unacceptable

  • Silence
  • Pre-ticked boxes (opt-out)
  • Inactivity

A service cannot be conditional upon consent, unless that processing is necessary for the service to be performed. Similarly, consent must be specific to each individual data processing operation.

Once given, the customer must be able to withdraw consent as easily as it was provided.

Consent from a child is only valid if authorised by a parent. Anyone below 16 years of age is deemed a child (member states may reduce this to 13).

  2. Individual rights

The right to be informed

To be provided with ‘fair processing information’, for example via a privacy notice. Individuals should receive information on how and why their data is being processed and be shown how to revoke consent.

The right of access

Individuals have the right to obtain confirmation that their data is being processed, access to their personal data, and other supplementary information relating to that data.

The right to rectification

Individuals have the right to have their personal data rectified if it is inaccurate or incomplete. Where third parties have had the data disclosed to them, they should also be made aware of the necessary corrections.

The right to erasure (‘to be forgotten’)

In the following circumstances, individuals have a right to have personal data erased and to prevent further processing:

  • Where personal data is no longer necessary for the purpose for which it was collected;
  • Where consent is withdrawn;
  • When there is no legitimate interest for continuing the processing;
  • Where personal data was unlawfully processed;
  • Where personal data has to be erased to comply with a legal obligation.

If a business has disclosed personal data to a third party, and subsequently receives a request for erasure, then that third party must also be told to erase that data.

The right to restrict processing

Under the following circumstances, individuals have the right to request that processing is suppressed, or blocked:

  • Where the accuracy of the data is contested, processing should pause until the data has been verified as accurate.
  • Where processing is unlawful and the individual opposes erasure (see above) and instead opts for processing restrictions.
  • Where the business no longer needs the data, although the individual requests the data to establish, exercise or defend a legal claim.

The right to data portability

Individuals have the right to obtain and reuse their personal data for their own purposes across different services. This right applies where:

  • A controller holds data for that individual;
  • The processing is based on the individual’s consent or on the performance of a contract; and
  • The processing is carried out by automated means.

Upon request, the data must be provided in a structured, commonly used and machine-readable format.

The right to object

Individuals have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest;
  • Direct marketing; and
  • Processing for purposes of scientific/historical research and statistics.

  3. Data transfer outside of the EU

Data must not be sent outside of the EU to a ‘third country’ that does not have adequate data protection. The European Commission determines which countries satisfy this requirement. So far this includes: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA[1].

A data transfer to a country not on this list must be covered by a legally binding contract making clear that the non-EU recipient agrees to the data protection safeguards in place within the EU. If intending to transfer data abroad, businesses should bear in mind their obligations around consent, and should make the individual aware that their data may leave the EU.

  4. Mandatory breach notification[2]

Organisations must notify their supervisory authority of data breaches ‘without undue delay’ and within 72 hours, unless the breach is unlikely to pose a risk to individuals’ data. If there is a high risk to individuals’ data, then those individuals must also be notified of the breach.

If notification is delayed, the reasons for the delay must be provided to the supervisory authority.

  5. Accountability

Organisations are obliged to prove that they are:

  • Establishing a culture of monitoring, reviewing and assessing data processing procedures;
  • Minimising data processing and retention of data;
  • Building in safeguards to data processing activities;
  • Documenting data processing policies, procedures and operations that must be made available to the supervisory authority on request.

When conducting particularly risky or large-scale processing of personal data, organisations must also undertake Privacy Impact Assessments as part of the GDPR’s Privacy by Design concept.

  6. Data Protection Officers

An organisation must appoint a Data Protection Officer if it is a public authority, conducts regular and systematic monitoring of data subjects on a large scale, or processes sensitive data on a large scale.

  7. Penalties

The GDPR implements a tiered approach to penalties:

  1. Non-compliance with the basic principles for processing, such as consent, may result in a fine of up to €20M or 4% of annual global turnover, whichever is greater.
  2. Other more serious infringements may result in a fine of up to €10M or 4% of annual global turnover, whichever is greater.

What should you be doing?

A great place to start would be the ICO’s self-assessment toolkit. Start-ups will need to ask themselves: what data will I be collecting, how will I get it, and how will I store it? By addressing these questions, it will become clear whether any immediate action is necessary to become GDPR compliant. If action is needed, steps should be taken at the earliest possible opportunity; the earlier these issues are addressed, the less disruptive and costly they will be to the business.

It is also worth noting the external benefits of compliance. Customers will place greater trust in a business that they know has carefully considered its use of data, and any would-be investor will have peace of mind that their money is not in a business at risk of hefty fines.

For more information please see:

  1. The ICO’s ‘Data protection self assessment’ toolkit: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/;
  2. The ICO’s ‘12 steps to take now’ guide: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf; and
  3. Guidance on the Cyber Essentials Scheme, a great starting point for data security: https://www.itgovernance.co.uk/cyber-essentials-scheme.

[1] Please see http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm for the current list.

[2] Note that the term ‘data breach’ is very broad. It includes accidental disclosure and accidental loss, and should not be seen as purely the result of a cyberattack.