GDPR

What is GDPR?

What is the GDPR? Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organizations around the world. This GDPR overview will help you understand the law and determine what parts of it apply to you.

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

Who does GDPR apply to?

At the heart of GDPR is personal data. Broadly this is information that allows a living person to be directly, or indirectly, identified from data that’s available. This can be something obvious, such as a person’s name, location data, or a clear online username, or it can be something that may be less instantly apparent: IP addresses and cookie identifiers can be considered as personal data.

Under GDPR there’s also a few special categories of sensitive personal data that are given greater protections. This personal data includes information about racial or ethic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information and data around a person’s sex life or orientation.

The crucial thing about what constitutes personal data is that it allows a person to be identified – pseudonymised data can still fall under the definition of personal data. Personal data is so important under GDPR because individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of it are covered by the law.

“Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data,” the UK’s data protection regulator, the Information Commissioner’s Office (ICO) says. It’s also possible that there are joint controllers of personal data, where two or more groups determine how data is handled. “Processors act on behalf of, and only on the instructions of, the relevant controller,” the ICO says. Controllers have stricter obligations under GDPR than processors.

Although coming from the EU, GDPR can also apply to businesses that are based outside the region. If a business in the US, for instance, does business in the EU then GDPR can apply and also if it is a controller of EU citizens.

What are GDPR’s key principles?

At the core of GDPR are seven key principles – they’re laid out in Article 5 of the legislation – which have been designed to guide how people’s data can be handled. They don’t act as hard rules, but instead as an overarching framework that is designed to layout the broad purposes of GDPR. The principles are largely the same as those that existed under previous data protection laws.

GDPR’s seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.

The ICO’s guide to GDPR gives a full run-down of the principles, but we’re only going to highlight a couple of them here.

What is “Personal Data” for GDPR?

  • Understanding whether you are processing personal data is critical to understanding whether the UK GDPR applies to your activities.
  • Personal data is information that relates to an identified or identifiable individual.
  • What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
  • If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
  • If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
  • Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
  • When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
  • It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
  • Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of UK GDPR.
  • Information which is truly anonymous is not covered by the UK GDPR.
  • If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.

Data minimisation

The data minimisation principle isn’t new, but it continues to be important in an age when we are creating more information than ever. Organisations shouldn’t collect more personal information than they need from their users. “You should identify the minimum amount of personal data you need to fulfil your purpose,” the ICO says. “You should hold that much information, but no more.”

The principle is designed to ensure organisations don’t overreach with the type of data they collect about people. For instance, it’s very unlikely that an online retailer would need to collect people’s political opinions when they sign-up to the retailer’s email mailing list to be notified when sales are taking place.

Integrity and confidentiality (security)

Under 1998’s data protection laws, security was the seventh principle outlined. Over 20 years of being implemented a series of best practices for protecting information emerged, now many of these have been written into the text of GDPR.

Personal data must be protected against “unauthorised or unlawful processing,” as well as accidental loss, destruction or damage. In plain English this means that appropriate information security protections must be put in place to make sure information isn’t accessed by hackers or accidentally leaked as part of a data breach.

GDPR doesn’t say what good security practices look like, as it’s different for every organisation. A bank will have to protect information in a more robust way than your local dentist may need to. However, broadly, proper access controls to information should be put in place, websites should be encrypted, and pseudonymisation is encouraged.

“Your cybersecurity measures need to be appropriate to the size and use of your network and information systems,” the ICO says. If a data breach occurs, data protection regulators will look at a company’s information security setup when determining any fines that may be issued. Cathay Pacific Airways was fined £500,000, under pre-GDPR laws, for exposing 111,578 of its UK customers’ personal information. It was said the airline had “basic security inadequacies” within its setup.

Accountability

Accountability is the only new principle under GDPR – it was added to ensure companies can prove they are working to comply with the other principles that form the regulation. At it simplest, accountability can mean documenting how personal data is handled and the steps taken to ensure only people who need to access some information are able to. Accountability can also include training staff in data protection measures and regularly evaluating and data handling processes.

The “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator where it could have a detrimental impact on those who it is about. This can include, but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more. In the UK, the ICO has to be informed of a data breach 72 hours after an organisation finds out about it. An organisation also needs to tell the people the breach impacts.

For companies that have more than 250 employees, there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place. GDPR’s Article 30 lays out that most organisations need to keep records of their data processing, how data is shared and also stored.

Additionally, organisations that have “regular and systematic monitoring” of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.

The accountability principle can also be crucial if an organisation is being investigated for potentially breaching one of GDPR’s principles. Having an accurate record of all systems in place, how information is processed and the steps taken to mitigate errors will help an organisation to prove to regulators that it takes its GDPR obligations seriously.

What are my GDPR rights?

While GDPR arguably places he biggest tolls on data controllers and processors, the legislation is designed to help protect the rights of individuals. As such there are eight rights laid out by GDPR. These range from allowing people to have easier access to the data companies hold about them and for it to also be deleted in some scenarios.

The full GDPR rights for individuals are: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and also rights around automated decision making and profiling.

As with the GDPR principles, we’re only going into detail on some of the rights here.

Access to your data in GDPR

If you want to find out what a company or organisation knows about you, you need a Subject Access Request (SAR). Previously, these requests cost £10 but GDPR scraps the cost and makes it free to ask for your information. You can’t make a request for anyone else’s information, although someone, such as a lawyer, can make a request on behalf of another person.

When a person makes a SAR they’re legally entitled to be provided with a confirmation that an organisation is processing their personal data, a copy of this personal data (unless exemptions apply), and any other supplementary information that’s relevant to the request. A request must be answered within one month.

People have successfully used SARs to find out information technology companies hold about them. Tinder sent one person 800 pages of information about their use of its app, including education details, the age-rank of the people they were interested in and the location of where every match happened.

SARs can be made either in writing or verbally – meaning an organisation has to determine whether what has been asked for is classed as personal data under GDPR. A SAR doesn’t have to say it is a SAR and can be made to any person in an organisation – they can even be sent through social media, although email will be the most common format for most people. As well as the information that’s asked for, an organisation has to provide details of why it was processing the personal information, how the information is being used, and how long it is due to be kept for.

Many big tech companies have their own data portals where it’s possible to download some of your information from. For instance, Facebook lets its users download all their old images, posts and pokes, while Twitter and Google also allow information associated with accounts be accessed without needing to make a SAR. In some instances these ways to access information may not contain everything a person wants. If a Subject Access Request is made and doesn’t return the results the maker wanted, they can be appealed to the ICO.

Lawful Basis for processing in GDPR

  • You must have a valid lawful basis in order to process personal data.
  • There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
  • Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
  • You must determine your lawful basis before you begin processing, and you should document it. We have an interactive tool to help you.
  • Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.
  • Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
  • If your purposes change, you need to consider whether you need a new lawful basis.
  • If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
  • If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

GDPR Individual Rights

The UK GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

This part of the guide explains these rights.

Right to be informed

  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR.
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  • It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
  • User testing is a good way to get feedback on how effective the delivery of your privacy information is.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
  • Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

Right of access

  • Individuals have the right to access and receive a copy of their personal data, and other supplementary information.
  • This is commonly referred to as a subject access request or ‘SAR’.
  • Individuals can make SARs verbally or in writing, including via social media.
  • A third party can also make a SAR on behalf of another person.
  • In most circumstances, you cannot charge a fee to deal with a request.
  • You should respond without delay and within one month of receipt of the request.
  • You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual.
  • You should perform a reasonable search for the requested information.
  • You should provide the information in an accessible, concise and intelligible format.
  • The information should be disclosed securely.
  • You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

Right to rectification

  • The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
  • An individual can make a request for rectification verbally or in writing.
  • You have one calendar month to respond to a request.
  • In certain circumstances you can refuse a request for rectification.
  • This right is closely linked to the controller’s obligations under the accuracy principle of the UK GDPR (Article (5)(1)(d)).

Right to erasure

  • The UK GDPR introduces a right for individuals to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’.
  • The right is not absolute and only applies in certain circumstances.
  • Individuals can make a request for erasure verbally or in writing.
  • You have one month to respond to a request.
  • This right is not the only way in which the UK GDPR places an obligation on you to consider whether to delete personal data.

Right to restrict processing

  • Individuals have the right to request the restriction or suppression of their personal data.
  • This is not an absolute right and only applies in certain circumstances.
  • When processing is restricted, you are permitted to store the personal data, but not use it.
  • An individual can make a request for restriction verbally or in writing.
  • You have one calendar month to respond to a request.
  • This right has close links to the right to rectification (Article 16) and the right to object (Article 21).

Right to data portability

  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
  • Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
  • The right only applies to information an individual has provided to a controller.
  • Some organisations in the UK already offer data portability through midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.

Right to object

  • The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
  • Individuals have an absolute right to stop their data being used for direct marketing.
  • In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
  • You must tell individuals about their right to object.
  • An individual can make an objection verbally or in writing.
  • You have one calendar month to respond to an objection.

Rights related to automated decision making including profiling

  • The UK GDPR has provisions on:
    • automated individual decision-making (making a decision solely by automated means without any human involvement); and
    • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
  • The UK GDPR applies to all automated individual decision-making and profiling.
  • Article 22 of the UK GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.
  • You can only carry out this type of decision-making where the decision is:
    • necessary for the entry into or performance of a contract; or
    • authorised by domestic law applicable to the controller; or
    • based on the individual’s explicit consent.
  • You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
    • give individuals information about the processing;
    • introduce simple ways for them to request human intervention or challenge a decision;
    • carry out regular checks to make sure that your systems are working as intended.

GDPR data protection by design and default

  • The UK GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is ‘data protection by design and by default’.
  • In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.
  • This concept is not new. Previously known as ‘privacy by design’, it has always been part of data protection law. The key change with the UK GDPR is that it is now a legal requirement.
  • Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the UK GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.

Data protection impact assessments (PIA)

  • A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
  • You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.
  • It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
  • Your DPIA must:
    • describe the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.
  • To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
  • You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
  • If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
  • If you are processing for law-enforcement purposes, you should read this alongside the Guide to Law Enforcement Processing.
  • The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.

Data protection officers

  • The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.
  • DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO). 
  • The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
  • A DPO can be an existing employee or externally appointed.
  • In some cases several organisations can appoint a single DPO between them.
  • DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.

More details

Guide to the General Data Protection Regulation (GDPR)

https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf

Original Clause

https://gdpr-info.eu/art-1-gdpr/

Find Us immediately for the Security Assessment in Hong Kong, United Kingdom, Europe, Estonia, Singapore…

Case Reference: