GDPR for Dummies

The need for GDPR

Before the introduction of the General Data Protection Regulation in 2018, the 1995 Data Protection Directive was the most important data privacy and security law in Europe. However, it was enacted before the age of ‘big data’ and was not robust enough to deal with the new challenges that the Internet and the ‘web of things’ brought to data privacy. Nowadays, the average individual stores a significant amount of data online. European lawmakers recognised that data privacy laws needed updating to ensure that organisations kept this data safe. GDPR was created to address these concerns.

GDPR has had wide-reaching consequences. Any organisation which collects or processes data within the EU is subject to GDPR compliance, regardless of the physical location of its headquarters. Even businesses that only collect or process data through an EU-based subsidiary or branch of the parent company must comply with GDPR.

Data Subject Rights Under GDPR

In addition to holding organisations accountable for the data they hold, GDPR granted new rights to individuals over their data. These include:

  1. The right to be informed: Organisations must inform individuals about the collection and use of their data. GDPR requires transparency regarding the use of the data which organisations hold. Consumers must know the purposes for processing their data, the amount of time for which the organisation holds the data, and who can access it.
  2. The right to access: Organisations must give individuals the ability to access the data they hold on them. Under GDPR, individuals can request a copy of their data, including any supplementary information, using a variety of communication pathways (including social media). Organisations must respond to these requests within a month of them being received. They cannot charge the consumer for the service.
  3. The right to rectification: If a business holds inaccurate data on an individual, the individual has the right to ask the organisation to change it. Businesses must respond to these requests within a month of them being received and are not permitted to charge a fee for the service. In certain circumstances, such as if they dispute the accuracy of the data, an organisation can refuse to change the information held. In such cases, a third party may be needed to mediate the dispute.
  4. The right to erasure: Also known as “the right to be forgotten”, individuals have the right to request that controllers erase any personal data held about them as soon as possible. The right to erasure only applies in certain circumstances, such as:
    1. if an individual’s data is no longer necessary for the original purpose for which the controller collected it
    2. if the business has unlawfully processed the information
    3. if the individual withdraws their consent and that is the only lawful reason an organisation has for holding the information
    4. if the business is holding the information for marketing purposes
  5. The right to restrict processing: Individuals can restrict how organisations use their data. However, it is important to note that this does not prevent the organisation from holding the data. The individual must have a legitimate reason to request the restriction and suppression of their data. For example, the organisation may no longer need the data, but the individual requires them to keep it in order to exercise or defend a legal claim.
  6. The right to data portability: Individuals have the right to obtain personal data from organisations in a secure, digital format. Under GDPR, individuals can reuse their data for personal reasons and transfer it across digital formats without its usability being affected. It also allows an organisation to transfer the data to another organisation electronically.
  7. The right to object: Individuals can prevent organisations from further processing or storage of data. This only applies in certain circumstances, but individuals are always able to prevent their information from being used for direct marketing purposes. GDPR allows individuals to object if the data processing is for a task carried out in the public interest, for the business’s legitimate interest, or the exercise of an official authority vested in the organisation. Organisations may refuse the request, and a third party may be needed to settle the dispute.

GDPR-Compliant Data Processing

Data processing means the collection, handling, use, storage and destruction of information. Data processors and controllers are responsible for ensuring data security throughout the entire processing lifecycle.

However, GDPR does not treat all types of data the same. Some types of data are ‘high-risk’, although GDPR does not explicitly define which types of data (or data processing procedures) fall into this category. The law indicates that the organisation should determine the level of risk associated with the data or processing procedure by conducting a Data Protection Impact Assessment.

GDPR provides some guidance on what might be categorised as risky processing activities, stating “such types of processing operations may be those which, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing”. Just because an activity falls into one of these categories does not mean that it is automatically high-risk; organisations should consider many different factors when conducting the assessment.

GDPR Privacy Principles

Eight core GDPR privacy principles underlie GDPR.

  1. Notification – Organisations must be transparent with individuals about when and how their data is being used and whether it is being transferred to a third party.
  2. Lawfulness – Organisations need to obtain consent from individuals to share private data. If consent is not required, organisations must have a clear legal basis for sharing data.
  3. Limits – Personal data must only be shared if there is a legitimate reason or need to do so. However, there are exceptions that allow data to be used beyond the purpose for which it was initially collected.
  4. Security – Any organisation that collects, uses, and stores personal information is responsible for ensuring adequate safeguards are in place to protect data.
  5. Accountability – Those who collect, use, and store personal data must comply with GDPR and its principles.
  6. Downstream protection – Any party with which the initial data collector shares the information must also adhere to privacy legislation.
  7. Access and Rights – Individuals should be able to access and use their data, as well as withhold permission for specific uses of their data.
  8. Breach Notification – An organisation must notify an individual as soon as possible if their data has been affected by a data breach. This must be done within 72 hours of the breach’s discovery. The breach must be reported to the EU Regulator.

Informed Consent and GDPR

GDPR’s new rules regarding individual consent made headlines when many organisations were assessing whether their mailing lists complied with the new legislation. GDPR requires organisations to obtain informed consent from data subjects to use their data for a pre-defined purpose. Only organisations that can produce a legitimate legal reason for the personal data to be held or processed are exempt from this rule.

This ruling means organisations can no longer use pre-checked tick boxes to obtain consent; data subjects must deliberately give consent. This is particularly important for organisations with websites that use plugins and cookies to collect user data; the user will need to consent to these being used.

Organisations may need to conduct an audit on their data to see if they need to re-obtain consent for any of the information they hold.

GDPR states that individuals under the age of 16 are unable to give informed consent, and a parent or guardian must give consent on their behalf. However, GDPR allows individual EU states to lower this age of consent to 13 if they wish.

There are some specific cases—such as a national emergency or criminal incident—for which the above rules do not apply, and consent is not needed for data collection to take place.

GDPR Summary: Best Practices

1) Carry out an audit: Audits help organisations assess whether the data they hold meets GDPR’s requirements. The audit should assess what data the organisation holds, how it is stored, and for what purposes it is used. The audit allows organisations to identify any particular issues which may need to be addressed to achieve full compliance.

2) Data management systems: Data management systems allow organisations to keep a record of what personal data they hold and process, where that data is stored, how they obtained it, and whether or not the need to retain the data still exists. The organisation should appoint a member of staff to be responsible for the management of the data. Developing data management processes allows businesses to comply with GDPR efficiently.

3) Deleting data: Businesses should only keep data if they can still use it for its original purpose. The organisation should safely delete the data if this is no longer the case. Organisations should have a valid legal reason for keeping the data and processing it if the original purpose no longer exists. It is a good practice to regularly delete data, as the less data an organisation holds, the less damaging a breach of that data would be.

4) Compliant reporting processes: Businesses must be able to prove to authorities that they are compliant with GDPR. Keeping detailed records of their policies and procedures allows them to prove that they follow GDPR’s requirements efficiently. If businesses fail to present the regulatory authority with sufficient evidence, they may be subject to a fine.

5) Data Protection Impact Assessments: Data Protection Impact Assessments (DPIAs) allow businesses to assess the risk level of different types of data they hold. They also allow businesses to identify data that would be particularly dangerous if compromised. Businesses are responsible for ensuring that all risks are identified and mitigated.

6) Train staff in GDPR best practices: GDPR requires all employees to undergo training. The amount of training that an employee needs depends on their specific role. Many data breaches occur due to employee negligence, such as leaving a laptop in a location from which it can easily be stolen. Furthermore, employee ignorance about basic IT safety practices may result in employees accidentally falling for phishing emails, which may result in millions of files being stolen by a hacker.

7) Employee training should be held regularly, in short sessions. Employees should be engaged during the training course and tested on their understanding of their responsibilities under GDPR. Certain aspects of GDPR, such as the rules surrounding data processing, are more applicable in a day-to-day setting and should be allocated more time. Employees should be given regular reminders on issues such as IT best practices and the dangers of cyber attacks.

As employee training is a requirement of GDPR, auditors may need to see proof that training occurred, so it is essential to keep a record of all GDPR training events.

8) Data breach response plan: GDPR introduced strict requirements that organisations must follow in the event of a data breach. Organisations should plan for a potential data breach well in advance and ensure an efficient response to the incident. GDPR requires data controllers to notify the supervisory authority of a data breach within 72 hours of its discovery unless they have determined that the risk of harm to the individuals affected is minimal. Data processors are required to inform data controllers that a data breach has occurred without “undue delay”.

Organisations must notify individuals that their data has been compromised if it is possible that they are at heightened risk of fraud or having their data used for nefarious purposes. However, they are not required to notify individuals of a data breach if the breached data was “unintelligible to any person who is not authorised to access it”, such as through encryption.