Frequently Asked Questions about GDPR
The General Data Protection Regulation (GDPR) is the new European regulation on personal data protection that goes into effect on 25 May 2018.
It regulates how personal data can be processed by private businesses, state administration and other organisations. (“Processing” includes anything related to the collection, aggregation, mining or sharing of data.)
The GDPR also requires that personal data be stored and processed securely.
The GDPR is designed to protect the personal data of everyone who is in the European Union. The regulation aims to create one standard for all European countries, thereby simplifying doing business across the continent.
The regulation will be applied directly and equally in all 28 European Union countries, to all private businesses, state administration and other organisations that hold and process personal data. These entities have had over two years – since 27 April 2016 – to prepare for compliance.
But the regulation also applies to companies and organisations operating outside the EU: If a company or organisation processes the personal data of individuals living within the EU, it has to comply with the GDPR – no matter where that company or organisation is based.
- Certain state bodies, including intelligence agencies, the police and the courts, will be governed by separate national rules.
- Individuals are exempt if they are collecting data for ‘personal or domestic use’ – for example if they store personal contact details on their phone.
- Churches can maintain their own regulations for the protection of personal data and their own bodies supervising this area – but their rules must still be in line with the GDPR.
If they process data or sell goods to EU citizens or have EU citizens as employees, then yes, they need to comply. When talking about the need to comply with the GDPR, it all comes down to the individuals whose data you are processing. Whether you are selling goods, processing their data when they create an account on your website, or employing someone, if any of the people you work with is an EU citizen, the GDPR applies to you.
Organisations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts. There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order (article 28), for not notifying the supervisory authority and the data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning ‘clouds’ are not exempt from GDPR enforcement.
Data Subjects’ Rights
As a Data Subject:
- You have the right to information.
  - Companies and organisations are now required to communicate to you, in plain and accessible language, what personal data they process and how they use it. (“Processing” includes anything related to the collection, aggregation, mining or sharing of data.)
  - If a company or organisation builds a profile on you (e.g. from data matched up from different sources), you have the right to know what’s in this profile.
- You have the right to secure handling.
  - The GDPR requires that personal data be stored and processed securely.
- You have the right to access the personal data a company or organisation holds on you, at any time.
  - If the data is inaccurate, you can change or complete it.
  - If the data is no longer necessary, you can ask the company or organisation to delete it.
  - If you initially gave the company or organisation more data than was necessary for receiving the service (e.g. for marketing purposes), but no longer want them to have this data, you can ask them to delete it.
- You have the right to use a service without giving away additional data.
  - If a company or organisation wants to process personal data that is not strictly necessary for the provision of a particular service (e.g. a transport app that wants access to your phone’s contact list), they need to get your explicit consent to process that data. (Note that even if a company or organisation believes that certain data is in their interest to process, this does not always mean that it is necessary.) If you have already consented to the processing of additional data, you can always withdraw this consent.
- When it comes to automated decision-making, you have the right to an explanation and to human intervention. If a decision has been made about you through automatic mechanisms, you have the right to:
  - know how the decision was made (i.e. you are entitled to an explanation of the logic behind the mechanism used);
  - disagree with the result of this decision (e.g. with the fact that you were denied credit because of a “wrong” scoring result);
  - demand human intervention (e.g. a person that you can talk to should verify how the decision was made and whether the result is fair).
Under the GDPR, each individual has the right to be given information about how their data is being processed and why. The first step should happen when asking for their consent: here the individual needs to understand all the details regarding the processing. However, they have the right to be informed after they have given consent as well. If they want, they should be able to know how their personal data is being used at every step of the way. All information you supply to an individual should be concise, intelligible, easily accessible, free of charge and written in plain language. The last condition is especially important if you are addressing children: the language you use should be understandable to them.
As to what exactly you should be telling the data subject, there are a variety of categories of information. These include the identity and contact details of the controller and if applicable those of the data protection officer; the source the personal data originates from; if there has been any automated decision making, including profiling and how these decisions are made. You should also inform data subjects of any transfers to third countries and the safeguards that exist.
The right to erasure (also called the right to be forgotten) means that individuals have the right to request the erasure of their personal data in certain situations. Data controllers must respond immediately to such a request. Recently, ICD conducted a survey that revealed most people feel the right to be forgotten will pose the greatest challenges to their organisation. It is an interesting result and not what was expected. It says a lot about the great number of changes and challenges the GDPR will bring for organisations.
There are several situations when this right can be applied. The first is when the data is no longer necessary for the purpose for which it had been collected. The second is the case when the data subject withdraws the consent and there is no other justification, legal or of other type, to continue the processing. Another situation would be when the data processing is unlawful (in a way that can be considered a breach under the GDPR).
Of course, there are also exemptions. For instance, if the processing is necessary to exercise the right of freedom of expression and information, the right to erasure will not apply. The same holds when the processing is required for public health reasons, for the establishment, exercise or defence of legal claims, for the exercise of an official authority or for compliance with a legal obligation.
Under the GDPR, the right to restrict processing can be exercised by individuals with regard to their personal data. When they do, all you will be allowed to do is store it. Do not confuse this with the right to erasure: it is true that the two rights are often discussed together and that some of the situations in which an individual can request either of them are similar, but they are different rights.
A data subject can restrict processing of their personal data when they believe the data is not accurate. In this situation, the processing should be restricted until the accuracy of the data is verified. Also, processing will be restricted when the individual objects to it, that is, if the data had been necessary for the performance of a public task but you, as an organisation, are unsure of your legitimate grounds. Restriction will also be mandatory when the processing has been unlawful but the data subject refuses erasure. Finally, if you no longer need the data but the individual does not want the data to be erased because they need it to exercise a legal claim, the restriction of processing will come into effect again.
If you’ve shared the personal data with a third party, you should inform them when the individual exercises the right to restrict processing, unless this is impossible.
Data portability is a new right for individuals under the GDPR. It can be seen as the answer to the ‘Big Data’ trend, intended to increase the user’s choice of online services. In certain cases, the data controller may even be required to transmit the data directly to a competitor.
Data portability rights apply only when processing was based on the individual’s consent or on a contract. They do not apply to processing based on public interest or on the controller’s legitimate interest.
Under the GDPR, it should be as easy to withdraw consent as it is to give it. This is a change with regard to the Directive, which did not specifically address the idea of withdrawing consent. Now data subjects can withdraw their consent at any time, without being required to explain their decision. Note, however, that this right cannot be applied to data already processed; it can only refer to future processing.
Processing children’s data is a sensitive topic, as they are identified as “vulnerable individuals” who deserve “special protection”. In the case of online services consent should be given by a person with parental responsibilities for the child. The requirement stands for children under the age of 16. Member States may be permitted to lower the age limit, but not less than 13 years old. If you offer services directly to a child, make sure all notices are drafted with their understanding in mind.
Note also that, even though the idea of protecting children is mentioned several times in the GDPR, the final text offers few concrete provisions, and any real restrictions will most likely come from national laws or codes of conduct. Most of the requirements regarding children’s data processing, such as parental consent, are only available in the case of online data. Offline data remains subject to the laws of each Member State.
Profiling is defined under article 4 of the GDPR as “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Generally, profiling consists of three elements: it is an automated form of processing, it concerns personal data, and its purpose is to evaluate personal aspects of a natural person. The individual has the right to refuse profiling. There are a few special cases where automated decision-making is permitted, such as when the process is authorised by law or regulation within a Member State, when it is necessary for entering into a contract between the data subject and the data controller, or if it is based on explicit consent. In the case of a contractual agreement, the controller has to implement measures that protect the rights of the individuals. For example, individuals should be allowed to express their point of view, to obtain information about the decision that has been reached based on the profiling and, of course, to contest this decision.
So, why is it such a concern? The general view is that profiling can have a considerable effect on the fundamental rights of an individual and can lead, in its most extreme forms, to a violation of the principle of non-discrimination. If done correctly, however, profiling can have benefits for both the organisation and the individual. Correct forms of profiling include, for instance, consensual interviews, either online or face-to-face, conducted as marketing research. As long as the rights of the individual are respected, the results can be used in a positive manner, to improve the quality of the services provided.
Each country will have an independent public Data Protection Authority (DPA) to ensure that companies are in compliance with the regulation. You have the right to lodge a complaint with your DPA or to go to court if you feel that your rights have been violated.
Personal data is at the heart of the GDPR – the regulation does not apply to all the data companies have.
Personal data is any information that can be linked to an identifiable individual. Since identification of an individual can often be done by putting different pieces of information together (even without a name attached), what counts as personal data can be quite broad. A shoe size, a hobby or an image, for example, could all be classified as personal data if it’s possible to identify which person these bits of information apply to.
Note too that it doesn’t necessarily have to be the data controllers themselves (the companies or organisations processing the data) who are capable of identification.
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Data protection by design means that companies and organisations should take privacy into account when designing, implementing and operating any technology which processes personal data. Prior to the GDPR, the burden was on the user to take privacy-protecting measures within a given product or service, by changing the default settings, opting out, or turning on access controls (for example on location data). The GDPR’s privacy by design and by default principle requires that privacy standards are built into the technology and offered to the user by default. The GDPR thus shifts the burden of implementing privacy-protecting measures from the user onto the company or organisation.
The EU-US Privacy Shield is a framework for exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to allow US companies to receive personal data from EU organisations more easily, while complying with the EU privacy laws meant to protect EU citizens. The previous framework, called the International Safe Harbor Privacy Principles, was declared invalid in October 2015. Discussions about the new framework began immediately, and on February 2nd, 2016 a political agreement was reached. On July 12th, 2016 the Commission adopted its decision on the Shield. The new arrangements include strong data protection obligations on companies receiving personal data from the EU, as well as safeguards regarding US government access to data. An annual joint review is envisioned to monitor the implementation.
We know that the GDPR affects any entity that works with EU citizens, even if the entity did not collect the data. Taking into consideration the interconnected and vast online environment, it is obvious the GDPR has immense implications in many sectors and for many businesses. There are significant differences in how the US and the EU perceive privacy. The Article 29 Working Party has issued opinions on a wide variety of issues, from the Internet of Things to cloud computing and more. The GDPR puts a strong emphasis on how data is transferred to third parties, especially to non-EU countries, and the US has never been on the green list due to its more relaxed privacy rules and rights. For example, in the US the right to erasure is much more limited and can only be used in special cases, whereas the GDPR gives each individual this right in a much easier manner. The GDPR will bring with it a number of changes, not only for those organisations directly involved in processing personal data; it is very possible it will also bring changes to the EU-US Privacy Shield agreement. Discussions are still in progress, so the topic should be closely monitored in the near future.
Organisations need a Data Protection Officer (DPO), and appointing one is mandatory in certain specific cases:
- when the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations which require regular monitoring of data subjects;
- where the core activities consist of processing special categories of data on a large scale or personal data relating to criminal convictions.
Article 37(4) states that Union or Member State law may require the designation of a DPO in other situations as well. The conclusion is that, in order to be on the safe side and make sure you are 100% compliant with the GDPR, you should appoint a DPO.
One of the first tasks of the Data Protection Officer is to inform and advise the organisation of its obligations under the Regulation and any other local privacy provisions. The DPO will also be responsible for monitoring compliance with the GDPR, including assigning responsibilities, raising awareness and training the staff. Another responsibility of the DPO will be to cooperate with the supervisory authority and act as the organisation’s contact point on any issues related to the processing of personal data. Furthermore, they will respond to the individuals whose data is being processed on all issues related to the processing and allow them to exercise their rights under the GDPR.
We could say that the Data Protection Officer’s tasks fall into two categories. The first is related to monitoring the organisation’s compliance with the GDPR, whether this is done by advising employees, organising training sessions or simply monitoring that the requirements of the Regulation are fulfilled. The second category is related to the DPO’s interactions with those outside of the organisation, from the supervisory authority to the individuals whose data is being processed. It is at this point unclear whether the DPO should interact with all data subjects. In the case of companies that process data from thousands of individuals, it would be difficult for the DPO to respond to all the incoming inquiries from data subjects, so finding a sustainable way to manage these interactions from the very beginning will be essential.
ISO27001 is a framework for information protection. The GDPR’s focus is personal data which is considered critical information and as a result it needs to be protected. Some of the GDPR requirements are not covered by ISO27001, but the standard can help with compliance to the regulation. For example, if in the implementation of the ISO standard you identify personal data as an asset, most of the GDPR requirements will be covered.
Some of the ISO27001 requirements will help you in your quest to be GDPR compliant regardless of how you identify personal data. For example, the risk assessment, an essential part of the standard, is similar to the Data Protection Impact Assessment which is required for GDPR compliance. Also, ISO27001 guides organizations through the implementation of a data policy and protection of personal information, bringing them one step closer to being compliant with the Regulation.
Asset management, or the asset inventory, is another critical step when implementing ISO27001. In doing so, most organisations will find that they need to clarify what personal data they use, where they store it, how long they store it for and who has access to it. Seeing as the GDPR requires organisations to clearly describe their use of personal data, implementing this step of the ISO standard will be helpful.
Breach notification, an extremely important part of the Regulation, will be easier to manage if your organisation has implemented ISO27001. The standard will ensure “a consistent and effective approach to the management of information security incidents, including communication on security events.” As a result, implementing incident management will bring the organisation closer to compliance with the GDPR.
Another well-known GDPR requirement, privacy by design and by default, will be aided by the implementation of ISO27001, as the standard puts a strong emphasis on information security.
ISO27001 is a broad standard. Its implementation is not mandatory for those who want to be GDPR compliant. Those who do implement it will find the standard very helpful in their journey for compliance with the Regulation.