The General Data Protection Regulations (GDPR) became enforceable at the end of last month in all European Union Member States. Many areas of confusion surround this complex legislation, chief among those is the area of GDPR Recitals.
Along with the Articles of GDPR, Recitals assist organizations in being compliant with the regulations. Recitals add a layer of understanding. Like an appendix, the Recitals add information. They support and supplement the Articles. Recitals allow readers to understand Articles more completely. In the legal sense, recitals are utilized in the EU Court of Justice. Recitals establish what the regulations mean in the context of a specific case. Recitals are employed to justify or reference judgments.
The Recitals provide a mixture of additional information and supporting context, supplementing the Articles. In essence the recitals of the GDPR make it easier for the general public and businesses to relate to the regulations. Recitals provide valuable additional information to companies about how their enterprise might more easily and more effectively comply with GDPR.
For example: GDPR, Article 25 relates to how personal data files might be protected by design and default. It deals with processing data and how businesses might use such technological security measures as pseudonymisation and data minimization.
For most senior administration, these terms might as well be written in a foreign language. However, with the addition of Recitals 78 and 83, further clarification is provided. Recital 78 states that for compliance to occur, internal policies must be put in place by a company. These internal policies might include:
- Minimizing the processing of personal data
- Pseudonymising personal data as soon as possible
- Transparency of processing, enabling the data subject to monitor the data processing
Recital 83 tells Data Controllers that they should take stock of their present security measures and risks to personal data files of their EU employees and clients. Then they should consider such additional measures as encryption.
Recitals 28 and 29 deal explicitly with security and confidentiality of personal data using pseudonymisation, while Recital 77 provides valuable supplementary information on doing risk assessment.
Recitals are not just “added confusion” or “gobbledygook”. They bear strict attention. Articles read without investigation of Recitals attached to them are incomplete for the personnel of your business tasked with GDPR compliance. Recitals pad the information outlined in GDPR so that businesses learn when and how to comply with GDPR through Recitals. For example: Recitals answer questions such as “When should my company report a breach?” and “When is it necessary to report a loss of data?”
Article 31 presents the criteria for reporting data loss. However, Recital 67 gives the Data Controller and/or the Data Protection Officer detailed examples of when those data losses must be reported to the GDPR Supervisory Authorities. The Recital regarding data losses states that losses should be reported when they might “result in physical, material or moral damage to individuals such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage to the individual concerned”.
Those in a company who are responsible for reporting or not reporting to the GDPR and for making sure your enterprise is in compliance with GDPR should never consider looking at the Articles GDPR without also looking carefully at the Recitals attached to Articles. Recitals almost always contain vital details for compliance with the Articles of the GDPR.