GDPR THE BIG PICTURE

WHAT IS GDPR?

The incremental divergence between the Data Protection Directive 95/46/EC and the massive world changes in all spheres,  effectively saw the obsolescence and inapplicability of the previous law, with regards to the relationship between business and consumer.

The preceding law was a directive, which is different from a regulation. The directive was implemented differently in every EU country, while a regulation applies equally across all member states of the European Union and EU economic areas.

GDPR was designed to harmonize data privacy laws across Europe.
To protect and empower all EU citizens’ data privacy.
Reshape the way organizations across the region approach data privacy.  

GDPR was officially adopted by the European Parliament in April 2016, following a two-year post-adoption period, it will become enforceable by May 25, 2018. Featuring rigid security stipulations and a robust regulatory framework regarded as one of the strictest globally,  It imposes more restrictions on businesses for what they can do with data, in order to extract financial benefits.

Operational processes and data in structural changes can cost millions. However, implementing GDPR increases customer trust and confidence since the alternative reputational risk of breaching customer confidentiality is very costly.

What is the regulation for?

To harmonise the protection for trade in Europe, its a law in every EU member state and it will be the law in all friends of the EU, i.e. the European economic area, Iceland, Norway, and Switzerland.  

What are they trying to achieve?

They wanted to strengthen the rights of the individual over their own data and they wanted to make organisations more accountable. Regulating the protection of personal data (any information related to an identified or identifiable natural person (i.e. a living human person) the opposite of a natural person is a legal person (which is an organisation). The data subject is a living human being, whose data you have.

Who is GDPR regulating?

There are two key definitions of who it applies to:

  • Data controllers: organisations that have relationships with Data subjects and “processes” their personal data.
  • Data Processors: 3rd party or organisations that work for a data controller and processes the information on its behalf.

Article 3.1

Applies to anyone processing personal data in the context of activities, of the establishment of a data controller or data processor in the union, regardless of whether the processing takes place in the union or not.

Article 3.2

The regulation applies to the processing of personal data, of subjects who are in the Union by controller or processor, not established in the union, where the processing activities are not related to.

  • An offering of goods and services irrespective of whether a payment of the data subject is required – to such subjects in the union or
  • To monitoring of thier behaviour is as far as their behaviour takes place within the Union
  • If the Data Subject moves out of the EU border and say becomes an expat, or goes on a holiday, then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation “established” in the EU.

GDPR consists of two core sections

The first part of it is called the recitals, which is about how the regulation should work and what it is trying to achieve. These are 173 business requirements, processes that have to be undertaken in order to achieve GDPR compliance.  

While, the second part are the articles, containing 99 laws, or from an IT perspective, 99 CODES.

Those 99 articles are then split into a number of areas, specifically:

  • 11 general principles
  • 12 data subjects’ rights, or rights of the individuals whose data is being held
  • 20 data controller responsibilities
  • 3 information security points of law
  • 7 data security laws for outside of the EU
  • 8 remedies at law
  • 42 points on how the law needs to be administered by member states

Out of these articles, comes GDPR major requirements for compliance:

GDPR DATA SUBJECT RIGHTS.PNG

THE RIGHT OF THE DATA SUBJECTS

1. Right to information
This right provides the data subject with the ability to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing. For example, a customer may ask for the list of processors with whom his or her personal data is shared.

2. Right to access
This right provides the data subject with the ability to get access to his or her personal data that is being processed. This request provides the right for data subjects to see or view their own personal data, as well as to request copies of the personal data.

3. Right to rectification
This right provides the data subject with the ability to ask for modifications to his or her personal data in case the data subject believes that this personal data is not up to date or accurate.

4. Right to withdraw consent
This right provides the data subject with the ability to withdraw a previously given consent for processing of their personal data for a purpose. The request would then require the company to stop the processing of the personal data that was based on the consent provided earlier.

5. Right to object
This right provides the data subject with the ability to object to the processing of their personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted. However, a specific scenario would be when a customer asks that his or her personal data should not be processed for certain purposes while a legal dispute is ongoing in court.

6. Right to object to automated processing
This right provides the data subject with the ability to object to a decision based on automated processing. Using this right, a customer may ask for his or her request (for instance, a loan request) to be reviewed manually, because he or she believes that automated processing of his or her loan may not consider the unique situation of the customer.

7. Right to be forgotten
Also known as right to erasure, this right provides the data subject with the ability to ask for the deletion of their data. This will generally apply to situations where a customer relationship has ended. It is important to note that this is not an absolute right, and depends on your retention schedule and retention period in line with other applicable laws.

8. Right for data portability
This right provides the data subject with the ability to ask for transfer of his or her personal data. As part of such request, the data subject may ask for his or her personal data to be provided back (to him or her) or transferred to another controller. When doing so, the personal data must be provided or transferred in a machine-readable electronic format.

Data-Subject-Rights-Blog-legalytech.png

OBLIGATION OF THE DATA CONTROLLER

1. Data Collection & Processing

Whenever you process people data it needs to be lawful, fair and transparent
what you are doing with the data should be expected by the person whose data it is

2. Privacy by Design

This calls for an inclusion of data protection from the onset of designing systems, implementing appropriate technical infrastructural measures.
Legal basis for processing information

3. Data Storage

Data minimization, only have just enough data to do what your biz org needs to do
Keep accurate data, only for as long as you need (obligation, retention policies) etc…but the basic principle is to desist holding unto information where there is no justifiable need to process that information.

4. Data Protection Officers

  • Depending on the size and type of data being dealt with, a data protection officer would have to be appointed. Article 37, 38 and 39
  • Professionally qualified offices, must be appointed in all public authorities, or organisations that engage in large scale  (>250 employees) systematic monitoring or processing of sensitive personal data.
  • Process in such a way that allows for appropriate security of the data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage (integrity and confidentiality)
  • If you are not in the EU you have to appoint a rep if you are a certain type or size of company

5. Accountability

  • Demonstrate that you are compliant with regulation and be able to demonstrate that you are compliant within your organisation (the principle of accountability)
  • If you have a breach, you have to tell your local regulator (in every country the data protection regulatory body would be different, it would also differ for certain sectors). In the US, that exists, (DATA BREACH NOTIFICATION REGULATIONS DBNR). in Europe, this is the first time its coming into effect with GDPR,  (In the Uk information commissioner, in France its)
  • Keep accurate records of processes which can be accessible to the regulator at any time
  • In the event of a data breach, data processors have to notify their controllers  and if the risk is high, you also need to tell data subjects about the breach within 72 hours

6. Due Diligence

  • Take good care when using third party processes
  • steps in place to verify the age of site visitors and users
  • you need to do security well

7. Security

  • privacy, impact assessments & data privacy risk assessment
     

To expound a bit further about security, one has to look at article 32, which address information security

Article 32 – Information Security

gdpr data security.jpg
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.”

  • The pseudonymization or masking and encryption of personal data. Pseudonymization is a method to substitute identifiable data with a reversible, consistent value. Anonymization is the destruction of the identifiable data. Pseudonymization and Anonymization are two distinct terms that are often confused in the data security world. With the advent of GDPR, it is important to understand the difference, since anonymized data and pseudonymized data fall under very different categories in the regulation.
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • Risk assessment from the data subject’s perspective
  • When risk assessment is done, it should be the impact on data subjects, not risk assessment based on the impact of the organisation (Example: breach of hospital appointment setting system)
  • Recovery – how quickly can we get the information up on running, the event of a crash or hack

Compliance Spending

If you fail to comply with the core principles, someone can complain to your local supervisory or regulatory authority and you can be subject to an administrative fine of 20 million euros or 4 % of your global annual turn over.  

If you fail to adhere to any of those data subject rights, you can achieve an administrative fine as the same above and if as an organisation, and you fail to uphold does data controller responsibilities, you can receive an administrative fine of up to 10 million euros or 2% of annual turnover.

It is unlikely that general (rather than malicious ) breaches of GDPR will result in the top level of penalties. It would be proportional to the scale and level of the breach. In the long term, GDPR is a necessary step to safeguard customer privacy rights in a digitized world.

Terms and privacy policies should be separate from other consent, therefore, there should be two separate checkboxes. For instance, in a lead form on a website, there should be one box that says, fill out your personal information to subscribe, and simultaneously a separate box that allows you to subscribe to the terms and conditions of the website.

There should be an explanation of why the information is being collected.  Consent must be easily withdrawn (example websites must make it easy to change email settings, what you receive in your email and the ability to opt out of anything).

The withdrawal mechanism should be simple and effective. There should be a way for users to download their data so that the data becomes portable. So let’s imagine you can export or download your Amazon purchases and then import it to another webshop, so you go to the other webshop where you see all your purchases

Provide a way to delete all personal data. For instance, this makes more sense when a user deletes their account.

Necessary steps toward GDPR according to organisational department

Human Resources – click here

Legal – click here

Marketing – click here

Finance – click here

Information Technology – click here

Procurement – click here

Sales and Marketing – click here

CERTIFICATION

Article # 42 is called certification: see certification recommendations here!