GDPR & Data Protection

GDPR & Data Protection

General Data Protection Regulation (GDPR) was put into effect on May 25, 2018, considered as the toughest privacy and security law in the world, however, it was drafted and passed by the European Union (EU) and imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU.

What is the GDPR? Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organisations around the globe. This GDPR overview will help you in understanding the law and determine what parts of it are applicable to your organisation. The GDPR will levy strict charges against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

With the enforcement of GDPR, Europe is signalling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).

The prime purpose of instant blog is to serve as a resource for SME owners and managers to address specific challenges they may face. While it is not a supernumerary for legal advice, it may help you to understand where to focus your GDPR compliance efforts. We also offer tips on privacy tools and how to mitigate risks. As the GDPR continues to be interpreted, we’ll keep you up to date on evolving the best practices.

If you’ve found this blog captioned as — “GDPR & Data Protection” — chances are you’re observing a crash course. Maybe, you haven’t even found the document itself yet or maybe, you don’t have time to read the whole thing. This blog is for you as a guide. In this blog, we try to clarify the GDPR and, we hope, make it less irresistible for SMEs concerned about GDPR compliance.

GDPR History

The right to privacy is part of the 1950 European Convention on Human Rights, which states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” From this basis, the European Union has sought to ensure the protection of this right through legislation.

As both time and technology progressed and the Internet was invented, the EU recognised the need for modern protections. So, in 1995 it passed the European Data Protection Directive, establishing minimum data privacy and security standards, upon which each member state based its own implementing law. But already the Internet was morphing into the data hoover it is today. In 1994, the first banner ad appeared online. In 2000, a majority of financial institutions offered online banking. In 2006, Facebook opened to the public. In 2011, a Google user sued the company for scanning her emails. Two months after that, Europe’s data protection authority declared the EU needed “a comprehensive approach on personal data protection” and work began to update the 1995 directive.

Thus, the GDPR entered into force in 2016 after passing European Parliament, and as of May 25, 2018, all organisations were required to be compliant.

Key Concept & Scope

Firstly, if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU. We'll discuss more about this in another blog.

Secondly, the fines for violating the GDPR are extremely high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages. We'll also discuss more about GDPR fines.

A broad array of legal terms defines GDPR at length, below are some of the most relevant ones that we refer in this blog:

Personal Data

Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are apparently properties of personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be part of personal data. Pseudonymous data can also fall under this category if it’s relatively easy to identify someone through it.

Processing Data

Any action performed on data, whether automated or manual, the examples cited in the text include collecting, recording, organising, structuring, storing, using, erasing etc. so basically anything.

Subject Data

The person whose data is processed, they are your customers or site visitors.

Data Controller

The person who decides why and how personal data will be processed. If you’re an owner or employee in your organisation who handles data, this is you.

Data Processor

A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organisations. They could include cloud servers like Amazon, Azure or email service providers like GMail.

Principles on Data Protection

If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:

• Processing must be lawful, fair, and transparent to the data subject.

• You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.

• You should collect and process only as much data as absolutely necessary for the purposes specified.

• You must keep personal data accurate and up to date.

• You may only store personally identifying data for as long as necessary for the specified purpose.

• Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality by using encryption.

• The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

• Designate data protection responsibilities to your team.

• Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.

• Train your staff and implement technical and organisational security measures.

• Have Data Processing Agreement contracts in place with third parties you contract to process data for you.

• Appoint a Data Protection Officer (though not all organisations need one — more on that in this blog).

• You’re required to handle data securely by implementing “appropriate technical and organisational measures.

• Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption.

• Organisational measures are things like staff trainings, adding a data privacy policy to your employee handbook, or limiting access to personal data to only those employees in your organisation who need it.

• If you have a data breach, you have 72 hours to tell the data subjects or face penalties. (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)

Data Protection by Design / Default

From now on, everything you do in your organisation must, “by design and by default,” consider data protection. Practically speaking, this means you must consider the data protection principles in the design of any new product or activity. The GDPR covers this principle in Article 25.

For example, you’re launching a new app for your company. You have to think about what personal data the app could possibly collect from users, then consider ways to minimize the amount of data and how you will secure it with the latest technology.

When you’re allowed to Process Data

Article 6 lists the instances in which it’s legal to process personal data. Don’t even think about touching somebody’s personal data — don’t collect it, don’t store it, don’t sell it to advertisers — unless you can justify it with one of the following:

• The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted in to your marketing email list.)

• Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)

• You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)

• You need to process the data to save somebody’s life. (e.g. Well, you’ll probably know when this one applies.)

• Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)

• You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data. (It’s difficult to give an example here because there are a variety of factors you’ll need to consider for your case.)

• Once you’ve determined the lawful basis for your data processing, you need to document this basis and notify the data subject (transparency!). And if you decide later to change your justification, you need to have a good reason, document this reason, and notify the data subject.

Consent

• Consent must be “freely given, specific, informed and definite.”

• Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”

• Data subjects can withdraw previously given consent whenever they want, and you have to honour their decision. You can’t simply change the legal basis of the processing to one of the other justifications.

• Children under 13 years of age can only give consent with permission from their parents.

• You need to keep documentary evidence of consent.

Data Protection Officers

Contrary to popular belief, not every data controller or processor needs to appoint a Data Protection Officer (DPO). There are three conditions under which you are required to appoint a DPO:

• You are a public authority other than a court acting in a judicial capacity.

• Your core activities require you to monitor people systematically and regularly on a large scale. (e.g. You’re Google.)

• Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10. (e.g. You’re a medical office.)

• You could also choose to designate a DPO even if you aren’t required to. There are benefits to having someone in this role. Their basic tasks involve understanding the GDPR and how it applies to the organisation, advising people in the organisation about their responsibilities, conducting data protection trainings, conducting audits and monitoring GDPR compliance, and serving as a liaison with regulators.

Rights on Privacy

You are a data controller and / or a data processor. But as a person who uses the Internet, you’re also a data subject. The GDPR recognises a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organisations. As an organisation, it’s important to understand these rights to ensure you are GDPR compliant.

A rundown of data subjects’ privacy rights:

• The right to be informed

• The right of access

• The right to alteration

• The right to removal

• The right to restrict processing

• The right to data portability

• The right to object

• The right in relation to automated decision making and profiling.

Conclusion

We’ve just covered most of the prime synopsis of the GDPR in as little as over thousands of words. The regulation itself (not including the accompanying directives) is of 88 pages. If you’re affected by the GDPR, we strongly recommend that someone in your organisation reads it and that you consult an attorney at our partner law firm to ensure that you are GDPR compliant.