The General Data Protection Regulation (GDPR), which applies from 25 May, 2018, regulates the way the member states of the EU deal with the protection of the personal data of individuals in the EU. The GDPR brings a new level of uniformity to the protection of the rights and freedoms of living individuals in the Union (EU). Living individuals are referred to as data subjects in the regulation.
It is important to note that the GDPR applies not only to companies and organisations based within the EU, but also to companies and organisations established outside the EU that process the personal data of people located within the EU. The scope of the GDPR is summarised in Articles 3(1) and 3(2) below.
Article 3 (1) states: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Article 3 (2) states: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Article 3 of the GDPR refers to processing by a controller or a processor. A “controller” under the GDPR is the organisation or company which determines the purposes and means of the processing of personal data, while a “processor” carries out the processing of the personal data on behalf of the controller. A processor can in turn engage “sub-processors”, and the controller has visibility of, and approval rights over, these sub-processors.
What categories of personal data does the GDPR detail?
The GDPR gives an extensive definition of personal data in Article 4; in short, personal data are any information relating to an identified or identifiable natural person. To process personal data (“processing” means any operation or set of operations which is performed on personal data or on sets of personal data) a legal basis is required. Article 6 of the GDPR lists these legal bases: (1) consent of the data subject; (2) processing is necessary for the performance of a contract; (3) processing is necessary for compliance with a legal obligation; (4) processing is necessary to protect the vital interests of the data subject or of another natural person; (5) processing is carried out in the public interest; and (6) processing is necessary for the legitimate interests pursued by the controller or by a third party.
Article 9 of the GDPR sets additional requirements for special categories of personal data. The special categories are defined as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
These special categories of personal data have extra safeguards around their processing, also detailed in Article 9. Where consent is relied on for special category personal data, it must be explicit consent (a signed form, for example). The legal bases for processing special category personal data are listed in Article 9:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 of Article 9;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Special category data is higher-risk data and comes with extra safeguards. The special categories are often areas which may be, or have been in the past, used to discriminate against individuals. Financial data is not listed as special category data; however, it has specific protection around its processing under financial regulations, and financial fraud is an area that poses a high risk to the rights and freedoms of data subjects.
Companies need to ensure that they process personal data in line with the new regulation. This will involve completing a Data Protection Impact Assessment (DPIA) examining the various items of personal data they hold and their processing procedures.
Risk assessments are a mandatory step under the GDPR, which notes “the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”.
Identifying data processing that is high risk
The GDPR describes high risk processing as processing which is likely to result in a high risk to the rights and freedoms of natural persons by virtue of its nature, scope, context and purposes. The guidance from the European Data Protection Board (EDPB) is that where high risk processing takes place, a DPIA should be carried out before the processing starts.
The EDPB advises that high risk processing areas that may necessitate a DPIA include processing that involves new technologies or AI, genetic or biometric data, decisions based on automated processing including profiling of data subjects, any large scale processing or combination of data from different data sources, data obtained from third party sources, data which may be used to target children, and processing that could potentially bring harm to the data subject.
This is by no means an exhaustive list, and EU data protection authorities also advise carrying out DPIAs on areas outside those above.
One key step when dealing with high risk processing, therefore, is to perform a DPIA. The DPIA should examine whether prior consultation with the data protection authorities is necessary before processing takes place, and should examine safeguards to lower any risk the DPIA identifies. Recital 90 of the GDPR states: “That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.”
Codes of conduct are also mentioned in Recital 98 as a mechanism that helps controllers and processors calibrate how they apply the regulation.
Other guidelines around high risk in the GDPR
Regarding data breaches: where a data breach in a company or organisation poses a high risk to the rights and freedoms of data subjects, the breach must be disclosed to the appropriate data protection authority and also to the data subjects whose data has been breached.
Recital 75 and Recital 76
Recital 75 of the GDPR addresses the risk to the rights and freedoms of natural persons (data subjects):
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.”
Recital 76 covers risk assessment:
“The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
Recital 77 goes on to state that guidance on risk can come from certifications and codes of conduct, and that the European Data Protection Board will also issue guidelines.
Data protection by Design and by Default
Article 25 of the GDPR requires the controller to take appropriate technical and organisational measures to safeguard personal data, and names certification mechanisms as one means of demonstrating that data is kept safe and secure.
Security of Processing
Article 32 of the GDPR covers technical and organisational measures to safeguard personal data in line with the risk. It suggests encryption and pseudonymisation of personal data, and highlights the importance of the confidentiality, integrity, availability and resilience of processing systems and services. Article 32 also covers the ability to restore data in the event of a loss of data, and a process for regularly testing the technical and organisational measures around the processing. The level of security must be appropriate to the data processing taking place.
Risk and High Risk Extensively Covered
Risk and high risk are key concepts under the GDPR, and the regulation refers to them throughout. Indeed, the regulation is risk based: companies and organisations are given guidelines on areas such as DPIAs, technical and organisational controls and breaches. However, it is the company or organisation that must decide when to carry out a DPIA, what controls to implement, and when to communicate breaches to the data protection authorities and affected data subjects. Records justifying these decisions should be documented and maintained.
The GDPR is very clear on the difference between personal data and the special categories of personal data, and processing of the special categories has additional safeguards.
Guidance is available from the EU on what may be considered risky processing activities under the GDPR. It can be sought from the European Data Protection Board, a board created by the GDPR itself in order to facilitate compliance. Individual supervisory authorities are also required to create and publish lists of data processing activities that will require DPIAs.
Companies should pay attention to this guidance and the information it provides about the harm that could result from high risk and very high risk processing activities. In doing so, they may come across best practices or other relevant information that will help them complete their DPIAs as efficiently and thoroughly as possible.
High risk processing cannot be specifically defined overall, but it can more easily be identified through consideration of a set group of criteria, including security of data, potential for a security breach, assurance of privacy, limitation of purpose, and the fairness of the processing involved. Large scale data processing and processing of sensitive data may also present higher risks. It should be noted that merely using new technology should not be classified as high risk on its own; it needs to be considered in conjunction with other areas.
Each piece or area of data should be considered in its own context, as what might be considered high risk in one area might not be in another. Once the assessment has been completed, companies are required to mitigate the risks that have been identified. If mitigation does not seem possible, they must consult the relevant Data Protection Authority (DPA) before any unmitigated high risk processing is attempted.
As far as the GDPR is concerned, identifying high risk and very high risk processing is all about considering areas such as scope, reliability and security, as well as the potential harm that could result from problems due to the nature of the data or the amount being used.
Companies then need to take steps to mitigate these risks as far as is reasonably possible in order to ensure they meet GDPR requirements.
It is important to document the findings of any DPIA, as well as the corrective or mitigating actions the organisation has taken. This documentation will be a key factor in the organisation’s ability to demonstrate to the authorities that it is complying with the GDPR.