The General Data Protection Regulation (GDPR) was approved by the European Commission (EC) on 27 April 2016 and became law from 25 May, 2018. It replaces the previous EC legislation which dealt with data protection which was the Data Protection Directive of 1995. One of the major differences between the GDPR and the previous law is that the GDPR is a regulation rather than a directive. This means that it automatically became law in each of the countries that make up the European Union without each of these countries needing to create their own, individual laws. This is in contrast with the previous directive where, in each of the member states, a separate Data Protection Act had to be passed by the relevant state legislative body to enact it.
While the emphasis is often on the rights of the data subject when discussing the GDPR, it’s important to remember that the EC is also trying to make it easier for organisations to share personal data and “oil the wheels” of business within the EU, so it’s not as one-sided as often thought. However, there are several important things to realise about the GDPR before we get into the detail.
The mainstay of what the GDPR is about is forcing organisations to take the protection of the personal data of EU citizens seriously.
The GDPR document is 88 pages long and consists of two main parts:
Recitals – 173 numbered paragraphs that lay out the principles and intentions of the Regulation; if you like, the background.
Articles – the 99 sections that set out the detail of the Regulation – this is the part that must be complied with. Note, however, that a significant part of the GDPR is concerned with the internal workings of the various EU bodies and so the number of articles that an organisation needing to comply with the GDPR must worry about is much less than that 99 figure.
The GDPR establishes a number of principles that underpin the legislation and are outlined using the following terms (with our quick summary given after each):
If you keep these principles in mind at all times, you’re unlikely to fall foul of the GDPR.
For the processing of personal data to be lawful, it must meet at least one of a number of criteria. An important first step in considering your processing activities is to clearly establish which of the criteria applies in any given situation.
In essence, the criteria to choose from with regard to the lawfulness of the processing are as follows:
So, while consent is an important aspect of the GDPR, it’s not the only way in which collecting and processing personal data can be lawful. In fact, you may find that a significant proportion of the personal data your organisation holds and processes doesn’t require consent; instead it is required for lawful purposes such as providing support to customers (contractual), paying employees (contractual/legal) or dealing with the tax authority (legal). The process of obtaining and maintaining consent may involve changes to business processes and systems so it is a good idea to make sure there is no other lawful basis on which processing can take place first.
In many cases it may be prudent to go for legitimate interest as the lawful basis for processing; if you choose to go down this route you will need to carry out a legitimate interest assessment which shows that you have considered all the angles.
If you believe that your processing is lawful because you have the data subject’s consent, then you must be able to prove it. You can’t hide the consent wording in amongst other contractual ramblings and expect to get away with it either. It must be in an “intelligible and easily-accessible form, in clear and plain language” (GDPR Article 7, paragraph 2) otherwise the consent doesn’t count, and your processing could be judged to be unlawful.
Once given, the consent can be withdrawn at any time by the data subject and this must be as easy to do as it was to give it in the first place. A child must be at least sixteen years of age to be able to give consent (younger if a member state decides so, with a lower limit of thirteen) otherwise parental consent must be obtained.
The GDPR establishes a set of rights that the data subject can exercise and which the controller holding their personal data must react and respond to, generally within a month.
These rights follow on from the principles outlined earlier and are aimed at ensuring that personal data is processed fairly and transparently, and that the data subject can do something about it if this doesn’t happen.
Depending on your organisation and what it does with personal data, you may or may not need a data protection officer. You will have to designate one if:
Data protection officers may be part-time, may be shared across organisations and may be external resources or services. They must remain independent and their contact details must be freely available, especially to data subjects. The data protection officer is the main contact with the supervisory authority and is likely to get involved when key issues of data privacy and protection are addressed within the organisation, such as during data protection impact assessments. The data protection officer will need to know a reasonable amount about data protection law in order to fulfil the role (but there’s no “official” qualification that is required).
The GDPR is very specific that it wants to see a contract in place between data controllers and processors that protects personal data and it defines the areas that this should cover. Basically, this involves detailing the purpose and duration of the processing, the personal data categories involved and the data subjects it affects. The processor has to contractually commit to a set of minimum terms related to data protection and existing contracts will need to be changed to include them.
What we’re seeing from the big players such as Google, Amazon Web Services and Microsoft is that they will make a pre-signed Data Processing Addendum to their current terms and conditions available to their customers, which in principle may save everyone a lot of time.
Sending the personal data of European citizens outside the European Union raises questions over how well the data will be protected, and the GDPR places restrictions on how this may be done. To be helpful, the European Commission regularly decides which countries it trusts to look after EU personal data and publishes a list of those deemed to be acceptable (called an “Adequacy Decision”). Currently, it’s a small list so you may need to look at the other ways to meet the GDPR if you need to do international transfers.
Other ways to get approval are:
If you’re going to use binding corporate rules, be aware that they have to be approved by the relevant supervisory authority and that can take a while. There are a few get-outs (or “derogation” as the GDPR calls them) for small, infrequent transfers so it may be worth checking the list in Article 49 if time is not on your side.
And so we come to the teeth of the regulation; the fines that can be levied for non-compliance with the GDPR are certainly larger than those for the directive it replaces. The actual amounts demanded will depend upon a wide variety of factors, including the personal data involved, how hard the culprit organisation tried to protect the data, how much they co-operated with the investigation and, most importantly, the specific article(s) of the GDPR they are judged to have contravened.
Fines allowable are up to 2% of global turnover or ten million euros for lower level infringements and up to 4% of global turnover or twenty million euros for more serious cases.
Data subjects can lodge a complaint with the relevant supervisory authority directly themselves or may use the services of a not-for-profit body active in the field of data protection.
The regulation provides a definition of 26 of the relevant terms, including the following (GDPR Article 4 – Definitions):
(1) ‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘Processing’ means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(7) ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(11) ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
CertiKit’s GDPR Compliance Toolkit can help your organisation meet the requirements of the EU General Data Protection Regulation quickly and effectively. Our high-quality template documents and checklists come complete with 12 months of updates and support, helping you to update your policies and procedures to achieve GDPR compliance fast.
Learn more about complying to the EU General Data Protection Regulation with our free implementation guide: