What is the EU GDPR? A short guide

This quick guide provides an overview of the EU General Data Protection Regulation and outlines the key principles of compliance.

Use the free resources links below for more guidance, including downloadable guides, sample documents and a variety of blogs to make compliance even easier.

Free EU GDPR Resources Links:

• EU GDPR Implementation Guide
• EU GDPR Toolkit Sample Document
• EU GDPR Blogs

What is the EU GDPR?

The General Data Protection Regulation (GDPR) was approved by the European Commission (EC) on 27 April 2016 and became law from 25 May, 2018. It replaces the previous EC legislation which dealt with data protection which was the Data Protection Directive of 1995. One of the major differences between the GDPR and the previous law is that the GDPR is a regulation rather than a directive. This means that it automatically became law in each of the countries that make up the European Union without each of these countries needing to create their own, individual laws. This is in contrast with the previous directive where, in each of the member states, a separate Data Protection Act had to be passed by the relevant state legislative body to enact it.

While the emphasis is often on the rights of the data subject when discussing the GDPR, it’s important to remember that the EC is also trying to make it easier for organisations to share personal data and “oil the wheels” of business within the EU, so it’s not as one-sided as often thought. However, there are several important things to realise about the GDPR before we get into the detail.

1. It concerns the personal data of EU citizens, wherever that data is held. This means that if your organisation is not based in the European Union but has customers (or suppliers or other parties) within it whose data you hold, the GDPR applies to you.
2. Leading on from this, it means that if your organisation doesn’t look after that data in the way the GDPR requires, your organisation may be subject to the penalties that the regulation allows. These penalties are a step change from previous legislation and, in serious cases, they are designed to impact business.
3. If you do experience a breach of personal data, you have no choice but to tell the relevant supervisory authority about it. There are some caveats on that which we will come to later, but keeping a serious data breach to yourself is no longer an option.

The mainstay of what the GDPR is about is forcing organisations to take the protection of the personal data of EU citizens seriously.

The documentation

The GDPR document is 88 pages long and consists of two main parts:

Recitals – 173 numbered paragraphs that lay out the principles and intentions of the Regulation; if you like, the background.

Articles – the 99 sections that set out the detail of the Regulation – this is the part that must be complied with. Note, however, that a significant part of the GDPR is concerned with the internal workings of the various EU bodies and so the number of articles that an organisation needing to comply with the GDPR must worry about is much less than that 99 figure.

The 7 principles of the GDPR

The GDPR establishes a number of principles that underpin the legislation and are outlined using the following terms (with our quick summary given after each):

1. Lawfulness, fairness and transparency – keep it legal and fair; say what you’re going to do with the data in clear terms.
2. Purpose limitation – don’t do more with the data than you said you would.
3. Data minimisation – don’t collect more data than you need.
4. Accuracy – keep it up to date and deal with inaccuracies as soon as possible.
5. Storage limitation – don’t keep the data for longer than necessary.
6. Integrity and confidentiality – keep the data safe while you have it.
7. Accountability – be able to show that you’re complying with the principles above.

If you keep these principles in mind at all times, you’re unlikely to fall foul of the GDPR.

Keeping it lawful

For the processing of personal data to be lawful, it must meet at least one of a number of criteria. An important first step in considering your processing activities is to clearly establish which of the criteria applies in any given situation.

In essence, the criteria to choose from with regard to the lawfulness of the processing are as follows:

1. The data subject has consented to it.
2. It’s needed to perform a contract between your organisation and the data subject, or to see whether a contract can happen.
3. You legally have to do it.
4. You’re protecting the vital interests of the data subject.
5. It’s in the public interest.
6. It’s for your legitimate interests – as long as it doesn’t affect the data subject’s rights and freedoms.

So, while consent is an important aspect of the GDPR, it’s not the only way in which collecting and processing personal data can be lawful. In fact, you may find that a significant proportion of the personal data your organisation holds and processes doesn’t require consent; instead it is required for lawful purposes such as providing support to customers (contractual), paying employees (contractual/legal) or dealing with the tax authority (legal). The process of obtaining and maintaining consent may involve changes to business processes and systems so it is a good idea to make sure there is no other lawful basis on which processing can take place first.

In many cases it may be prudent to go for legitimate interest as the lawful basis for processing; if you choose to go down this route you will need to carry out a legitimate interest assessment which shows that you have considered all the angles.

What about consent?

If you believe that your processing is lawful because you have the data subject’s consent, then you must be able to prove it. You can’t hide the consent wording in amongst other contractual ramblings and expect to get away with it either. It must be in an “intelligible and easily-accessible form, in clear and plain language” (GDPR Article 7, paragraph 2) otherwise the consent doesn’t count, and your processing could be judged to be unlawful.

Once given, the consent can be withdrawn at any time by the data subject and this must be as easy to do as it was to give it in the first place. A child must be at least sixteen years of age to be able to give consent (younger if a member state decides so, with a lower limit of thirteen) otherwise parental consent must be obtained.

The rights of the data subject

The GDPR establishes a set of rights that the data subject can exercise and which the controller holding their personal data must react and respond to, generally within a month.

1. The right to be informed – being told what data will be collected, why, by whom, for what purpose and where the data will go.
2. The right of access – being able to see personal data that is being held about the data subject.
3. The right to rectification – getting the data corrected if it is wrong or inaccurate.
4. The right to erasure – having personal data removed when it is no longer necessary.
5. The right to restrict – pausing the processing of the data if there are grounds to do so.
6. The right to data – portability obtaining the data in a transportable form and moving it to an alternative processor.
7. The right to object – stopping the data from being processed.
8. Automated decision making and profiling – having a human involved in important decisions.

These rights follow on from the principles outlined earlier and are aimed at ensuring that personal data is processed fairly and transparently, and that the data subject can do something about it if this doesn’t happen.

The data subject must be informed of their rights, along with a variety of other information about what their data will be used for and why, when the personal data is collected (or within a month if the data comes from another source). This increased granularity of information means that a layered approach to privacy notices, with the relevant information being displayed “just in time” when the personal data is collected, may be preferable to the more traditional single privacy policy seen on many websites.

Do we need a data protection officer?

Depending on your organisation and what it does with personal data, you may or may not need a data protection officer. You will have to designate one if:

• You’re a public authority or body.
• You monitor data subjects on a large scale.
• Large volumes of special category data are involved.

Data protection officers may be part-time, may be shared across organisations and may be external resources or services. They must remain independent and their contact details must be freely available, especially to data subjects. The data protection officer is the main contact with the supervisory authority and is likely to get involved when key issues of data privacy and protection are addressed within the organisation, such as during data protection impact assessments. The data protection officer will need to know a reasonable amount about data protection law in order to fulfil the role (but there’s no “official” qualification that is required).

Contracts between controller and processor

The GDPR is very specific that it wants to see a contract in place between data controllers and processors that protects personal data and it defines the areas that this should cover. Basically, this involves detailing the purpose and duration of the processing, the personal data categories involved and the data subjects it affects. The processor has to contractually commit to a set of minimum terms related to data protection and existing contracts will need to be changed to include them.

What we’re seeing from the big players such as Google, Amazon Web Services and Microsoft is that they will make a pre-signed Data Processing Addendum to their current terms and conditions available to their customers, which in principle may save everyone a lot of time.

International transfers

Sending the personal data of European citizens outside the European Union raises questions over how well the data will be protected, and the GDPR places restrictions on how this may be done. To be helpful, the European Commission regularly decides which countries it trusts to look after EU personal data and publishes a list of those deemed to be acceptable (called an “Adequacy Decision”). Currently, it’s a small list so you may need to look at the other ways to meet the GDPR if you need to do international transfers.

Other ways to get approval are:

• A legally binding agreement (public bodies only).
• Binding corporate rules.
• Using standard clauses in your contract.
• Signing up to an approved code of conduct or certification scheme.

If you’re going to use binding corporate rules, be aware that they have to be approved by the relevant supervisory authority and that can take a while. There are a few get-outs (or “derogation” as the GDPR calls them) for small, infrequent transfers so it may be worth checking the list in Article 49 if time is not on your side.

Remedies, liabilities and penalties

And so we come to the teeth of the regulation; the fines that can be levied for non-compliance with the GDPR are certainly larger than those for the directive it replaces. The actual amounts demanded will depend upon a wide variety of factors, including the personal data involved, how hard the culprit organisation tried to protect the data, how much they co-operated with the investigation and, most importantly, the specific article(s) of the GDPR they are judged to have contravened.

Fines allowable are up to 2% of global turnover or ten million euros for lower level infringements and up to 4% of global turnover or twenty million euros for more serious cases.

Data subjects can lodge a complaint with the relevant supervisory authority directly themselves or may use the services of a not-for-profit body active in the field of data protection.

Glossary: A few definitions

The regulation provides a definition of 26 of the relevant terms, including the following (GDPR Article 4 – Definitions):

(1) ‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘Processing’ means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(7) ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(11) ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

CertiKit’s EU GDPR Compliance Toolkit can help your organisation meet the requirements of the EU General Data Protection Regulation quickly and effectively. Our high-quality template documents and checklists come complete with lifetime updates and email support, helping you to update your policies and procedures to achieve GDPR compliance fast.