GDPR has been introduced to protect the privacy of all EU citizens. It has also been designed to modernise data protection in a world where cyber risks have increased.
If, as a business, you comply with the current Data Protection Act, then you are already halfway towards compliance with GDPR, but here we aim to highlight the key areas of change.
GDPR without a doubt has extended jurisdiction. It applies to all companies, no matter how small, that process personal data, and it does not matter whether the controller or processor is based in the EU or not. Non-EU businesses processing the data of EU citizens will need to appoint a representative in the EU.
The biggest headline currently accompanying GDPR information is the cost of getting it wrong, and for very good reason! Breach of the GDPR regulations can mean fines of 4% of annual global turnover or €20 million (whichever is greater). These fines can be imposed on both controllers and processors, so getting clued up on the new regulations is essential.
Lawful Basis for Processing
Under GDPR, there must always be a lawful reason for processing data, which must be determined before the data is processed. There are six lawful bases for processing:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Data Protection Officers
The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances and contains provisions about the tasks a DPO should carry out and the duties of the employer in respect of the DPO. Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
The DPO’s minimum tasks are defined in Article 39:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
Right to Be Forgotten (Data Erasure)
This new legislation entitles the data subject to request that the data controller erase their personal data, cease further dissemination of the data and, potentially, have third parties halt processing of the data. Article 17 of the GDPR covers this subject in more detail, including the conditions for erasure.
Consent
Under the Data Protection Act, consent is a very loosely defined concept! (For example, consent can be gathered via opt-out options buried amongst hundreds of other terms and conditions.) Under GDPR, consent must now be obtained in an intelligible form, must be in clear language and must be distinguishable from other terms. Finally, consent must be as easy to withdraw as it is to give.
Breach Notification
GDPR will make breach notification mandatory in all member states where a breach is “likely to result in a risk for the rights and freedoms of individuals”. There is also a time limit of 72 hours after first becoming aware of the breach. Processors will also be required to notify their customers (the controllers).
Right to Access
With the rights of the data subject in mind, GDPR also provides a means for individuals to obtain confirmation from a data controller as to whether personal data about them is being processed and, if so, where and for what reason. On request, controllers must also provide this data in an electronic format, free of charge.
Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Privacy by Design
Privacy by Design has only now become a legal requirement, under GDPR. You now have a general obligation to implement technical and organisational measures that show you have considered and integrated data protection into your processing activities.