The GDPR – General Data Protection Regulation – is a regulation coming into effect on 25 May 2018. It has not made the news much in Canada, but it has the potential to affect every country in the world. So what is it exactly? In this article, we will be introducing what the GDPR is (do not be alarmed), the obligations of those involved (everybody), and how to be compliant (guidelines only).
We have two more blog posts about the GDPR: see here for its effect on Canada and email marketing, and here for why the GDPR is a good thing. If you’ve been hearing about it and been terrified by it, you might not be thinking it’s a good thing, but ultimately, this is going to protect people’s data, and give people more power when dealing with companies of all sizes.
The GDPR is a subject that many have run screaming from, as it can be overwhelming and stressful. The purpose of this article is just an introduction, condensing an enormous piece of legislation into a couple of thousand words. There’s no other way about it, because the actual regulation is 99 Articles, 88 pages. Feel free to have ‘fun’ and read it all here.
As it is an extensive piece of legislation, this article is long. It is not, however, a comprehensive look at the law, and this is not legal advice. Talk to a legal professional if you are unsure of what steps you must take in order to be compliant with the new law. As of 25 May, all data controlling and processing activities that are not compatible with the new rules may be penalised.
What is the GDPR?
The GDPR is legislation from the European Union regulating how companies and organisations handle personal data. It affords EU citizens many rights, which are discussed in more detail here, and requires compliance from all businesses and organisations.
Why is being compliant a big deal? Depending on what provision has been infringed, the fines can amount to a maximum of 20 million Euros, or 4% of the total worldwide annual turnover of an undertaking, whichever is higher. Thus, the consequences of non-compliance can be severe. It is up to the supervisory authorities to determine the exact amount in specific cases, and fines can be imposed on the data controller or the data processor.
It is important to clarify what is meant exactly by these terms. They will come up many times, so it helps to get a grasp on them at this early stage.
Personal data is any information that can be used to identify a person. This can be their name, email, IP address, ID number, fingerprint, biometrics etc.
The data subject is the one whose data is being used. Every single person is a data subject depending on the context.
A data controller can be an individual or a company, and they are the ones who determine the purposes and means of processing the personal data – they decide what happens to the data.
A data processor can be an individual or a company, depending on the circumstance, and is engaged on behalf of a controller to process the data – they cannot make decisions about the data.
It should be noted that there are special/sensitive data categories, and these have an extra layer of data protection around them. These categories include: political opinions, trade union membership information, racial or ethnic origin, sexual orientation, health information, and religious beliefs. This sensitive data needs to be stored on physical EU servers, but for most local businesses, this kind of information is not gathered anyway, which is why we won’t focus on that. Just know that not all data is created equal, and some needs to be more securely processed than the rest.
Obligations of Data Controllers and Processors
The GDPR requires that the personal data of data subjects be obtained and used lawfully by data controllers, and processed in a lawful, fair, and transparent manner by data processors. A company can be both controller and processor, depending on the context.
For example, Google is a data controller, because they acquire data and decide how to use it, but they can also be a processor; when a company uses Google Drive to store their documents, Google has no say in how or why that data is collected, it merely processes it.
Data controllers and data processors each have obligations.
The data controller has an obligation to
- Take appropriate organisational and technical measures, and be able to demonstrate this if requested
- Evaluate the nature, scope, context, risks, purposes of data processing, and impact on rights and freedoms
- Demonstrate legal compliance
- Ensure security of processing
- In case of security breach, notify supervisory authority
- Assist the data subjects exercising their rights
There can be joint controllers, and in that case, they have joint liability, and need a transparent determination of responsibilities. As seen elsewhere, the best way to do this is to document the decisions.
The data processor has an obligation to
- Process data only under controller instructions
- Demonstrate legal compliance upon request
- Maintain records of processing activities
- Ensure an adequate level of security
- Obtain permission of controller to engage with other processors
- Take measures to assist controller with ensuring security of processing
- Only process what has been instructed by the controller
It should be noted that single managers are not responsible for all the activities of the company for which they work. Furthermore, a data processor shall be liable for the damage caused by processing only where it has not complied with its obligations, or it has acted contrary to the instructions of the controller.
Consent is VITAL
Consent is the most important aspect to take away from all this. Consent underpins everything to do with personal data. The GDPR is not saying you cannot process personal data on pain of fines in the millions of euros; rather, there needs to be explicit consent from data subjects for having their data used. And they can withdraw consent at any time, and not be penalised for it.
Data processing is considered lawful if data subjects provide consent to this processing – but only for the specific purpose it was intended for. When giving consent, the data subject needs to be given the following information:
- The name of the controller
- Purposes of the processing
- Types of processing activity
- Notification of easy withdrawal
For more on email marketing and consent, see here. For non-email marketing use of personal data, how can you prove consent? What can be done about it now? Review, if you can, how/when/why you obtained the personal data, and delete the data of anyone you know did not give explicit consent, or anyone you are unsure about. Then make it easy to withdraw consent, should anyone ask to use that right. There is no unlimited data hoarding with the GDPR: if someone wants their data back, that request must be complied with.
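As an added example (not code from the original post), here is a small consent ledger that enforces the rules described above: consent is recorded only if the subject was given the required information, it is valid only for the specific purpose it was given for, it can be withdrawn at any time, it can be produced as evidence, and a “data cleanse” lists every stored subject who has no valid consent on file. All names and sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Information the data subject must be told when giving consent (from the post).
REQUIRED_NOTICE = {"controller_name", "purposes", "processing_types", "withdrawal_notice"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # consent is tied to this one purpose only
    given_at: datetime
    notice_given: Dict[str, object]  # what the subject was told, kept as evidence
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, notice: Dict[str, object]) -> ConsentRecord:
        # Consent without the required information is not explicit consent: refuse it.
        missing = REQUIRED_NOTICE - set(notice)
        if missing:
            raise ValueError(f"subject was not told: {sorted(missing)}")
        rec = ConsentRecord(subject_id, purpose, datetime.now(timezone.utc), dict(notice))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: Optional[str] = None) -> int:
        # Withdrawal is always honoured; purpose=None withdraws every active consent.
        now, count = datetime.now(timezone.utc), 0
        for r in self._records:
            if r.subject_id == subject_id and r.withdrawn_at is None and purpose in (None, r.purpose):
                r.withdrawn_at, count = now, count + 1
        return count

    def evidence(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        # Demonstrable consent: the active record for exactly this purpose, or None.
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                return r
        return None

    def may_process(self, subject_id: str, purpose: str) -> bool:
        return self.evidence(subject_id, purpose) is not None

    def data_cleanse(self, stored_subjects: List[str]) -> List[str]:
        # Subjects to delete: no active consent for any purpose (unknown or withdrawn).
        active = {r.subject_id for r in self._records if r.withdrawn_at is None}
        return sorted(set(stored_subjects) - active)
```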
How to Be Compliant
While information about GDPR aimed at businesses might not be the friendliest, the GDPR is meant to be user-centric, and beneficial to the public. Compliance is not necessarily difficult, it is just time-consuming and takes some effort. Taking a comprehensive look at how your company processes personal data cannot be a bad thing. It may even identify some security risks that are better fixed sooner rather than later. Conduct a “data cleanse” so that you are not unnecessarily holding onto personal data.
Here are some questions to think about
- Who deals with personal data in your company or organisation?
- What is the nature of the data and the purposes for which they are collected or processed?
- How is data safeguarded? What can be done to secure it?
- What bureaucracy is likely to arise when changing the way people work?
- How can it be addressed?
Recording Processing Activity
As explained earlier, consent underpins the entire thing. Make sure that you are getting explicit consent to process your customers’ data.
The other vital thing to note is to keep records of all data processing activities. Technically, this only needs to be done by organisations with more than 250 people, unless the organisation is involved in the processing of sensitive data (medical, political, religious etc), or processes data more than occasionally. What does “more than occasionally” mean? Good question. Like many laws, there are vague sentences and things open to interpretation. It would be more prudent therefore to document all data processing. The Information Commissioner’s Office (ICO) for the UK offers a template, so take a look for an idea of what is required.
The record of data processing activity should include
- Name and contact details of the controller
- Purposes of processing
- Categories of data subjects
- Categories of personal data
- Categories of recipients
- Information regarding data transfer outside the EU
- Envisaged time limits for erasure
- General description of technical and organisational security measures
One of the crucial aspects of the GDPR is the Principle of Accountability, which means that data controllers are responsible for complying with the GDPR, and need to be able to demonstrate this compliance.
Data controllers need to show that their processing activities are in line with the GDPR. It may be necessary, particularly for larger organisations, to appoint a Data Protection Officer. A DPO is responsible for advising controllers and processors of the best practice for processing personal data, and ensures that the controller remains compliant.
Controllers and processors should adopt and follow a code of conduct. This will ensure that the GDPR is complied with, thus eliminating stress and guesses about what is and what isn’t allowed.
In addition, the ICO recommends:
- Adopting and implementing data protection policies
- Taking a ‘data protection by design and default’ approach
- Putting written contracts in place with organisations that process personal data on your behalf
- Maintaining documentation of your processing activities
- Implementing appropriate security measures
- Recording and, where necessary, reporting personal data breaches
- Carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests
GDPR Makes Sense!
This has been a very quick introduction to a subject that some businesses have taken two years to properly implement. Being compliant is going to be an ongoing process that everyone is going to have to deal with.
To summarise, this is part of what is necessary to help you be compliant. Again, to reiterate, this has not been legal advice.
- Have clear Terms & Conditions as well
- Keep records of all data processing activities
- Be able to easily show it should there be any complaints
- Obtain explicit consent from your clients and website visitors
- Be able to demonstrate this explicit consent
- Do not use the data for anything other than the intended use for which it was gathered
- If possible, and necessary, re-obtain consent from the data subject
If this article has not completely horrified you into running away screaming and blocking all mention of the GDPR lest you panic, and you would like to know more about it, see here for a post about why it’s a good thing (because it really is!) and here for the effects on Canada and email marketing.