All aboard the GDPR train


    Designed to harmonise data privacy laws across Europe, the General Data Protection Regulation (GDPR) changes the way organisations will be able to collect, use and transfer ‘personal data’. 

    Personal data includes any information which can be used to directly or indirectly identify a person, whether in the form of their name, a photo, an email address, bank details, posts on social networking media sites, medical information or a computer IP address. 

    The wording of the regulation refers to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    In other words, the meaning of personal data is wide in scope.

    Data controllers and processors

    The data controller determines the purposes, conditions and means of processing personal data.

    The data processor processes data on behalf of the controller.

    The GDPR places additional onerous obligations on data controllers to implement data protection by design and by default, including measures such as data minimisation and pseudonymisation. Pseudonymisation involves the separation of data from direct identifiers, so that linkage is impossible without additional information held separately.

    Data processors also have more to think about. Processing by a processor needs to be governed by a contract or ‘other legal act’ which sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

    Consent

    Consent must be given by a clear affirmative verifiable act establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to the processing of his or her personal data. This could include a written statement or the ticking of a box on an internet website.

    Silence, pre-ticked boxes or inactivity does not constitute consent under the GDPR.

    It must be as easy to withdraw consent as it is to give it.    

    Individuals’ rights

    The GDPR creates some new rights for individuals and strengthens others:    

    The right to be informed – Organisations must be transparent about how they use personal data. When supplied to an individual it should be in a clear and concise format, in an easily accessible form such as by letter and provided free of charge. The time at which it should be made available depends on how the data was collected.

    The right of access – Individuals must be able to access their personal data and be able to verify the lawfulness of the processing. Data controllers will need to be able to provide information without undue delay and within one month of receipt of the request. That period may be extended by two months where requests are complex or numerous, but the individual must be informed within one month of receipt of the request should an extension be necessary.

    The right to rectification – Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the personal data in question has been disclosed to third parties, they must be informed of the rectification where possible. Organisations must respond to a rectification request within one month.

    The right to erasure – Also known as the right to be forgotten, individuals have the right to have personal data erased under specific circumstances, including when the personal data is no longer necessary in relation to the purpose for which it was originally collected.

    The right to restrict processing – Organisations must restrict processing when an individual contests the accuracy of the personal data. If the personal data has been passed on to third parties, they must also be notified of the restriction. 

    The right to data portability – Individuals may reuse and transfer their personal data for their own purposes. Organisations must provide the personal data in a structured, commonly used and machine readable format.

    The right to object – An individual has the right to object to processing on the grounds of his or her particular situation. Objections could also be raised concerning the processing of data for the purposes of scientific/historical research, or for it being used for direct marketing purposes for example.

    Data breaches

    In the event of a personal data breach, leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the data controller must notify the supervisory authority not later than 72 hours after having first become aware of it.

    Penalties

    The cost of GDPR non-compliance is severe. Organisations can be fined up to the higher of 4% of annual global turnover or EUR20 million.

    Five key action points

    • Establish a GDPR plan incorporating privacy impact assessments, internal audits and ongoing training for staff, so that everybody understands the principles of compliance and their obligations.

    • A Data Protection Officer (DPO) must be appointed if an organisation conducts large scale monitoring of individuals or processes large amounts of sensitive personal data. Public authorities have to engage a DPO and, whilst not obligatory, it may be an appropriate appointment for other organisations too, especially in a business perhaps with multiple sites or offices where communication and common procedures are more difficult to enforce.

    • Prepare for a data breach so that procedures are in place should the worst happen and to ensure the 72 hour deadline can be met.

    • Check the content and wording of any Letters of Engagement, Terms of Business and any other client facing policies to test they are clear and concise and easily understandable, with no jargon and technical wording kept to a minimum.

    • Make sure any new services or products have privacy and design embedded early in the development process.


    For further information regarding the GDPR, please contact the author of this article, our Head of Technical Research Guy Smith.