GDPR – All you need to know
A new regulation will apply from 25th May 2018. This regulation is called the EU General Data Protection Regulation or GDPR (EU) 2016/679. It supersedes all EU member states’ current national data protection laws, effectively replacing the Data Protection Act 1998.
It will protect EU citizens from organisations using their data irresponsibly and puts individuals in control of how their personal information is collected and processed, thus placing a range of obligations on organisations to be more accountable for data protection.
Who does it apply to?
The GDPR applies to all companies and organisations processing personal data of individuals residing in the EU/EEA, regardless of the company’s location.
In essence, all companies and organisations all over the world are affected as long as they process personal data of EU citizens.
‘Controllers’ and ‘processors’ of data need to abide by the GDPR.
Controllers and processors - what is the difference?
The controller is the company requiring the data while the processor is the entity which processes the personal data on behalf of the controller. Both are responsible and need to abide by the GDPR.
What is considered personal data?
Personal data refers to any information relating to an individual that can identify that particular person. Photos, email addresses, bank details, IP addresses, social media posts and medical information are all examples of personal data.
What are the potential penalties for not complying?
The penalty depends on the type of infringement.
Regulators will now have authority to issue penalties equal to the greater of €10 million or 2% of the entity's global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.
However, violations of obligations related to legal justification for processing (including consent…), data subject rights, and cross-border data transfers may result in penalties of the greater of €20 million or 4% of the entity's global gross
What rights will individuals have under GDPR?
There are 8 fundamental rights of individuals under GDPR. These are:
• The right to be informed - Organisations must be completely transparent in how they are using personal data.
• The right of access - Individuals will have the right to know exactly what information is held about them and how it is processed.
• The right of rectification - Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
• The right to erasure - Also known as 'the right to be forgotten', this refers to an individual's right to have their personal data deleted or removed without needing to give a specific reason for wishing to discontinue.
• The right to restrict processing - Refers to an individual's right to block or suppress processing of their personal data.
• The right to data portability - This allows individuals to retain and reuse their personal data for their own purpose.
• The right to object - In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
• Rights in relation to automated decision making and profiling - The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based solely on automated processing.
One of the more challenging notions found within the EU’s GDPR includes rules on giving privacy information to data subjects in Articles 12, 13 and 14.
Companies must ensure that their privacy notices are clear, understandable and accessible. Data controllers are expected to take ‘appropriate measures’.
The GDPR says that the information you provide to people about how you process their personal data must be:
• concise, transparent, intelligible and easily accessible;
• written in clear and plain language, particularly if addressed to a child; and
• free of charge.
In a nutshell, a privacy notice should be devoid of legalese.
Careful use of language, innovative technical means for delivering privacy information such as layered and just-in-time notices, and user testing will all help you to comply with the new provisions of the GDPR.
Striking a balance between the data subject and the data handler (processor/controller) under the GDPR. (EU LAW)
A new generation of data protection standards is being promulgated by the European Union. These rules were adopted on 14th April 2016 and, after a two-year transition period, become enforceable on 25th May 2018. These rules are to be followed by data collectors and/or processors. According to Article 4 GDPR, controllers and processors are defined as:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
The distinction between them is important for compliance, even though the roles of controller and processor are often vested in the same company or organisation. The GDPR treats the data controller as the major party for responsibilities such as collecting consent, managing consent, revoking consent and enabling the right of access. A data subject who requests to revoke consent for his or her personal data will therefore contact the data controller to initiate the request, even if such data is held on servers belonging to the data processor. The data controller, after receiving such a request, would then proceed to request that the data processor remove the revoked data from its servers.
In other words, data controllers, i.e. the customers of data processors, should only choose processors that comply with the GDPR, or risk penalties themselves. Because supervisory authorities enforce penalties on controllers, processors may find themselves obliged to obtain independent compliance certifications to reassure prospective customers. Therefore, all processors are required to:
• Only process personal data on instructions from the controller (if not vested in the same organisation or company) and inform the controller if it believes said instruction violates the GDPR (28.3). In other words, a data processor may not use or mine the personal data it is entrusted with for purposes not outlined by the data controller.
• Obtain permission from the controller before engaging a subcontractor (28.2) and assume full liability for failures of subcontractors to meet the GDPR (28.4).
• If requested, delete or return all personal data to the controller at the end of service contract (28.3g)
• Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3h)
• Take appropriate steps to secure data, such as encryption and pseudonymisation, stability and uptime, backup and disaster recovery, and regular security testing (32.1)
• Data controllers should be notified without undue delay upon learning of data breaches (33.2)
• Transfer personal data to a third country only if legal safeguards are in place (46)
A processor is further required to maintain a record of data processing activities if it qualifies for any of the following criteria (30):
• Employs 250 or more persons
• Processes data that is “likely to result in a risk to the rights and freedoms of data subjects”
• Processes data more than occasionally
• Processes special categories of data as outlined in Article 9(1)
• Processes data relating to criminal convictions
The new requirements will probably require close coordination between data controllers and processors to ensure GDPR compliance. The GDPR strikes a more even balance between the responsibilities placed on data controllers and data processors. This represents a significant change and will drastically increase the risk profile of entities, such as cloud and datacenter providers, that act as data processors. These changes are likely to take time to implement, but both data processors and collectors should act early to identify, review and where necessary revise their processing agreements to guarantee that they are GDPR-compliant. They should consider mechanisms for resolving disputes regarding respective liabilities to settle compensation claims, given the new provision allowing for joint liability for data protection breaches. They must also ensure that they have clear documentation and record-keeping procedures in place to prove that they meet the required standards.
The data processor and data controller are often one and the same company, meaning that in some situations an entity can be a data controller, a data processor or both. For example, a brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.
Should you require any more information regarding privacy notices kindly contact us on firstname.lastname@example.org