Technology has permeated every aspect of modern life. Although offering many benefits, such as more efficient services and improvements in living standards, these developments come with new challenges that governments and lawmakers must face. One particular issue comes with the fact that individuals now store a huge amount of their data online, and often exchange this data with organisations for use of their services. Personal data has a huge black market value, meaning that organisations that store such sensitive information must have security frameworks in place such that unauthorised individuals do not access it and use it for malicious purposes.
Until recently, there was no EU-wide standard for data protection. European policymakers saw a clear need for new data protection law that would not only address this issue, but be robust to future technological advances. As a result, the General Data Protection Regulation (GDPR) was proposed in 2012. After years of consultation with industry experts, governments, and lawyers, the final text was adopted in 2016 and became enforceable across the EU on 25 May 2018.
Formed of 99 articles, GDPR has changed the landscape of data protection in the European Union. It is essential that any organisation that handles the personal data of individuals is aware of its requirements in order to remain fully compliant with its stipulations. The penalties for a violation are substantial: for the most serious infringements, up to €20 million or 4% of the company's global annual turnover, whichever is higher.
This article shall give a brief overview of some of its most important requirements, but it is strongly recommended that if there is any uncertainty in the application of GDPR, that your organisation seeks legal counsel.
GDPR and Businesses
GDPR classes organisations into one of two categories: data controllers, which determine the purposes and means of processing the personal data of EU residents, and data processors, which process data on behalf of a data controller. One of the first steps in ensuring GDPR compliance is recognising which category your organisation falls into, although it should be noted that an organisation can belong to both categories for different processing activities. Each category has its own obligations under GDPR.
One of the major misconceptions about GDPR is that it only applies to EU businesses. In fact, the scope (Article 3) is much larger: any organisation that processes the personal data of individuals located within the EU, where the processing relates to offering them goods or services or to monitoring their behaviour, is required to comply with GDPR, regardless of the location of its physical headquarters. GDPR also applies whenever the processing takes place in the context of an establishment in the EU, even if only a branch or subsidiary of the organisation is based there.
GDPR does not only protect the data of EU citizens. It applies to personal data of individuals who are in the EU, regardless of their nationality. Conversely, GDPR does not follow EU citizens when they travel abroad. So, for example, if a Canadian citizen travelling in Europe exchanges their data for use of a service, such as giving some personal information in return for free WiFi, that data must be protected to the standards outlined in GDPR. However, a French citizen travelling in Canada would not be covered by GDPR were a similar transaction to occur with a purely Canadian business, but would be protected by Canadian data protection law.
Another common misconception is that small businesses are exempt. They are not: GDPR applies to organisations of every size. What Article 30(5) does is relieve organisations with fewer than 250 employees of the obligation to keep formal records of processing activities, and even that relief falls away if the processing is likely to result in a risk to the "rights and freedoms" of individuals, is not occasional, or involves the special categories of data listed in Article 9 (such as health data, religious beliefs and sexual orientation) or data relating to criminal convictions.
Businesses of all sizes across the world should endeavour to become very familiar with every aspect of GDPR's scope to ensure they do not accidentally violate the regulation.
GDPR Lawful Basis for Data Processing
Under GDPR, personal data must not be processed unless at least one lawful basis applies. Consent is one such basis, but where it is relied upon it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. For example, an online form in which the consent check-box is ticked by default is a violation of GDPR, as is "bundling" multiple types of data processing into a single check-box. GDPR gives the data subject the right to withdraw their consent at any point in time, and withdrawing must be as easy as giving it.
According to Article 6 of GDPR, the lawful bases for data processing are:
- (a) If the data subject has given consent to the processing of his or her personal data;
- (b) To fulfil contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
- (c) To comply with a data controller’s legal obligations;
- (d) To protect the vital interests of a data subject or another individual;
- (e) To perform a task in the public interest or in official authority;
- (f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).
GDPR’s Data Protection Requirements
Article 25 of GDPR requires data protection "by design and by default": technical and organisational safeguards must be built into processing from the outset, and only the personal data necessary for each specific purpose may be processed by default. These standards are high, and require many organisations to change the data security framework within their organisation to ensure that they are met.
For example, a login password alone is not a sufficient security measure for a laptop or mobile phone that stores personal data: without disk encryption, the data on a lost or stolen device can simply be read off the storage. Although encryption may be costly to roll out, all organisations covered by GDPR should expect to encrypt such devices. GDPR itself does not prescribe a particular product or where the encryption must be performed; Article 32 lists encryption and pseudonymisation as examples of "appropriate technical and organisational measures" and leaves the choice to a risk assessment. The practical consequence is that the keys should remain under the controller's control: if a remote service holds both the data and the keys, the data is not protected against that service or anyone who compromises it.
GDPR also refers to pseudonymisation as a way of reducing the risk to data subjects if sensitive data is exposed. Pseudonymisation (Article 4(5)) is a data management technique in which personally identifiable information (PII) is transformed in such a way that the resulting information cannot be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and protected by its own technical and organisational measures. Encryption of identifiers may also be used to this end. Pseudonymisation offers the advantage that with the correct key or mapping, the data can be restored to its original state, which is why pseudonymised data is still personal data under GDPR. If anonymisation were used instead, the data could never be restored, and properly anonymised data falls outside the regulation altogether.
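The following is an added example, not code from the original article, showing the distinction just described in working form: a keyed pseudonym replaces the direct identifier, the re-identification table is the "additional information" that must be stored separately from the pseudonymised data, and anonymisation discards the identifier irreversibly. The records, the field names and the secret key are constructed for illustration; in practice the key would come from a key management system, not a constant.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample records about fictional people, used only to demonstrate the technique.
SAMPLE_RECORDS: List[dict] = [
    {"email": "Alice@example.com", "age": 34, "diagnosis": "asthma"},
    {"email": "bob@example.com", "age": 51, "diagnosis": "diabetes"},
    {"email": "alice@example.com", "age": 34, "diagnosis": "allergy"},
]


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256).

    The same identifier always maps to the same token under the same key, so records
    about one person can still be linked, but the token cannot be reversed, and cannot
    even be recomputed from a guessed identifier, without the key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace the direct identifier with a pseudonym.

    Returns the pseudonymised records and the token-to-identifier mapping. The mapping
    (together with the key) is the 'additional information' of Article 4(5): it must be
    stored separately from the records it re-identifies and protected in its own right.
    """
    mapping: Dict[str, str] = {}
    out: List[dict] = []
    for record in records:
        token = make_pseudonym(record["email"], key)
        mapping[token] = record["email"].strip().lower()
        pseudonymised = {k: v for k, v in record.items() if k != "email"}
        pseudonymised["subject_id"] = token
        out.append(pseudonymised)
    return out, mapping


def reidentify(records: List[dict], mapping: Dict[str, str]) -> List[dict]:
    """Restore the identifier using the separately held mapping (only possible with it)."""
    restored: List[dict] = []
    for record in records:
        original = {k: v for k, v in record.items() if k != "subject_id"}
        original["email"] = mapping[record["subject_id"]]
        restored.append(original)
    return restored


def anonymise(records: List[dict]) -> List[dict]:
    """Irreversible transformation: drop the identifier and generalise age into ten-year bands.

    No mapping is kept, so nothing in the output can be traced back to a person. This is
    only a first step towards real anonymisation; a full treatment would also consider
    whether the remaining attributes, combined, still single someone out.
    """
    out: List[dict] = []
    for record in records:
        decade = (record["age"] // 10) * 10
        out.append({"age_band": f"{decade}-{decade + 9}", "diagnosis": record["diagnosis"]})
    return out


def contains_direct_identifier(records: List[dict]) -> bool:
    """Sanity check before data leaves the controlled environment: no email field survives."""
    return any("email" in record or "@" in str(record.values()) for record in records)


if __name__ == "__main__":
    demo_key = b"demo-key-not-for-production"  # assumption: real key comes from a KMS
    pseudo, table = pseudonymise(SAMPLE_RECORDS, demo_key)
    print("pseudonymised:", pseudo)
    print("mapping (store separately):", table)
    print("re-identified:", reidentify(pseudo, table))
    print("anonymised:", anonymise(SAMPLE_RECORDS))
```

Note that `pseudonymise` keeps records about the same person linkable (both Alice records share a `subject_id`), which is what makes pseudonymised data useful for analysis and also why it remains personal data: anyone holding the mapping, or the key, can re-identify it. The anonymised output has no such handle.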
GDPR Data Protection Officers
Where one is required, a data protection officer (DPO) must be appointed to assist the controller or processor in monitoring its internal compliance with GDPR. The DPO is expected to be an individual with expert knowledge of data protection law and practice. The designated DPO may be a current member of staff or a third-party contractor, depending on what suits the organisation's specific capabilities and needs. However, the DPO must not hold a conflict of interest, must report to the highest level of management, and must be able to carry out their role independently.
Appointing a DPO is mandatory only in the cases set out in Article 37: the organisation is a public authority, its core activities involve regular and systematic monitoring of data subjects on a large scale, or its core activities involve large-scale processing of the special categories of data described in Article 9 or of data relating to criminal convictions. Company size by itself is not the trigger, so a small business whose core activity is processing sensitive data may well need a DPO, while a large business that only processes ordinary employee and customer data may not.
The DPO's roles include educating staff members on data subject rights, advising the organisation on data management and GDPR compliance, assessing IT networks and data security systems for their effectiveness, monitoring internal data protection compliance, and acting as the point of contact for the lead supervisory authority.
GDPR’s Data Breach Requirements
Article 33 of GDPR requires data controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. A notification made after 72 hours must be accompanied by the reasons for the delay. Data processors are required to inform the data controller that a breach has occurred without "undue delay".
Article 34 stipulates that the organisation must also notify the affected individuals, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms, such as a heightened risk of fraud or misuse of their data. However, it is not required to notify individuals if the breached data was rendered "unintelligible to any person who is not authorised to access it", for example through encryption, provided the keys were not compromised as well.
Individual Rights Under GDPR
Under GDPR, new rights are granted to individuals over their data. For example, an individual may request that a business erase the personal data it holds on them, and the business is required to do so where one of the grounds in Article 17 applies (for instance, the data is no longer necessary for the purpose it was collected for, or the individual withdraws the consent on which the processing was based) and no exception applies, such as a legal obligation to retain the data. This "right to be forgotten" is outlined in Article 17; Article 15, by contrast, gives individuals the right to access the data held about them.
Article 20 outlines the right to data portability. Individuals may request the personal data they have provided to an organisation in a structured, commonly used and machine-readable format, and may also request that the organisation transmit it directly to another, competing service provider where this is technically feasible. The right applies to data processed by automated means on the basis of consent or a contract, and the organisation is required to comply with such a request.
Summary: How to Become GDPR Compliant
1) Become familiar with GDPR
A thorough awareness of the regulation is essential in ensuring that the processes and procedures of the business meet GDPR requirements.
2) Perform a data audit
All organisations covered by GDPR need to know what personal data is being held, where it is being held, why it is being held, on what lawful basis, and who is responsible for managing it. Performing a comprehensive audit of the data the organisation currently holds is critical.
3) Check processes and procedures
Organisations must ensure that they have processes and procedures in place to enable compliance with these requirements. They also need to fully document these processes and procedures so that they can demonstrate that they are acting in compliance with the regulation.
4) Check consent processes
Under GDPR, businesses need a lawful basis for every processing activity. Where that basis is consent, it must be obtained separately for each specific purpose, and the organisation must be able to show when and how it was given. As described above, pre-checked boxes or consent-as-default are in violation of GDPR.
5) Recognise high-risk data and processes
Article 9 of GDPR covers the special categories of data whose processing carries particular risk. Businesses need to assess whether other aspects of their processing might also present a high risk to individuals; Article 35 requires a data protection impact assessment (DPIA) for such processing. Every business needs to address these risks by producing detailed plans and procedures to follow. If the DPIA shows a high risk that the business cannot adequately mitigate, Article 36 requires it to consult the relevant supervisory authority (the national data protection authority, or DPA) before the processing can begin.
6) Plan for a data breach
Businesses must have a contingency plan in place to ensure that if a data breach were to occur, they can detect it, meet the strict 72-hour notification deadline, and enact damage control procedures.
7) Consider hiring a data protection expert
It is recommended that organisations consult with third-party data protection and security experts to ensure that they have robust security frameworks in place to comply with GDPR's data protection requirements.