Definitive Guide for General Data Protection Regulation (GDPR) Compliance
What is GDPR
General Data Protection Regulation is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union. It also addresses export of personal data outside the EU.
What GDPR Covers
GDPR covers all types of personal data of European citizens. This also includes some data which other countries do not consider personal data, such as IP addresses and system logs. This personal data is also called Personally Identifiable Information (PII).
The objective is to minimise collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.
Six Privacy Principles of GDPR
Lawfulness, Fairness and Transparency
Transparency tells the user what data will be processed, and fairness means the data is processed exactly as it was described to the user.
The data must be processed in a lawful way as demanded by GDPR [article 5, clause 1(a)]
Purpose Limitation
User data is collected only for specified, explicit and legitimate purposes and is not further processed in a manner that is incompatible with the purposes it was collected for. Article 5, clause 1(b) explains more about purpose limitation.
Data Minimisation
The data collected must be limited to, and relevant for, the purpose it is being collected for. If a specific piece of data is not required for the purpose, it must not be collected. This is explained in article 5, clause 1(c).
For example, when you are collecting a customer’s data for sales purposes, you might be collecting the user’s name, e-mail and phone number. But if you are also collecting date of birth, you must ask yourself whether it is required for your purpose, and if it is not, the date of birth must not be collected.
Accuracy
GDPR dictates that the collected data must be accurate and kept up to date. If the available data is found to be incorrect, irrespective of the purpose, the data must be corrected as soon as possible or deleted, as explained in article 5, clause 1(d).
Storage Limitation
Article 5, clause 1(e) states that data should not be kept longer than necessary and should be deleted once it has served its purpose.
For example, if you are collecting user data for sales, you might use it in the prospect phase; once the prospect becomes a customer or decides not to buy your product, the personal data must be deleted, as it has served its purpose and should not be kept longer than necessary.
Integrity and Confidentiality
This principle requires data collectors to process data in a secure manner, with appropriate security against unlawful access, leakage, loss or destruction of all stored personal data. This is explained in article 5, clause 1(f).
What is Personal Data?
Any information directly related to a European citizen can be personal data. The EU users who fall under the GDPR are also known as “Data Subjects”. Personal data can be used to identify the data subject directly or indirectly.
Personal data can be a name, e-mail address, a photo, bank account details, personal data shared on social media websites, IP addresses, etc., anything that can be used to identify the data subject.
There is also a special category of personal data called “Sensitive Data”. Sensitive data includes:
- Race and Ethnicity
- Political, Religious or Psychological Beliefs
- Health Data
- Sexual Life, Sexual Orientation
- Genetic and Biometric Data
- Credit Card Data
Penalties for GDPR Non-Compliance
No law or regulation can be enforced without fines and penalties for failing to comply with its mandatory provisions.
In the case of GDPR, if a data collector infringes multiple provisions of the GDPR, they will be penalized according to the gravest infringement rather than being individually penalized for each provision.
The lower level of fines can be up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, based on the type and impact of the infringement.
The higher level of fines can be up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, based on the type and impact of the infringement.
As you can see, these penalties are enough to bankrupt small and medium companies and have a major impact on even big organizations.
Important terminologies in GDPR
A Data Controller or a ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A data processor or a ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller as described by the controller.
Guidelines for Implementing GDPR in your Organization
Organizations (controllers and processors) have to document what personal data they hold, where it came from, who they share it with and what they do with it.
- Controllers need to identify where the data is stored and how long it is stored for.
- Controllers have to identify the lawful bases for processing data and document them.
- Controllers have to review how they ask for and record consent.
- Controllers and processors need to have systems to record and manage ongoing consent.
- Controllers and processors need to analyze what risks are associated with the data and what the impact of each risk is.
- Controllers and processors need to identify solutions to avoid and mitigate these risks.
- The organization/controller needs to be registered with the Information Commissioner’s Office and report to them in case of a data breach.
What is Consent? How to Obtain it?
The definition of consent in Article 4(11) of the GDPR may not initially appear to be a wholesale departure from that found in the DPD. Consent of the data subject means:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Consent must be:
Freely given: Consent must be freely given, i.e. the data subject must have a genuine choice not to provide data.
Specific: Consent must be specific and the requirements must be easy to understand.
Informed: The data subject must be made aware of how the data will be used, and must have free access to information describing that use.
Unambiguous: There should be a clear affirmative action to signify consent.
Explicit: If the data being processed is sensitive data, then explicit consent is required.
For example, when you provide your data to join a competition, you understand that you want to win and need to be contacted if you do, and that is the reason you provide your details. This is unambiguous consent.
Explicit consent is a more proactive means, directly asking you to consent to a specific use of your data, such as a checkbox next to a description of how your data will be used.
With unambiguous consent, it is understood that you need to provide data for one reason or another. With explicit consent, you are given an exact description of what your data will be used for.
Lawful Basis For Processing
Consent
In this type, the user or data subject gives explicit permission to use their data.
Contract
If you have a contract with the individual or user covering what needs to be processed, then it can serve as the lawful basis instead of consent.
Legal Obligation
In some cases, there are legal requirements for you to process the data. These legal obligations can act as the lawful basis in such cases.
Vital Interests
Processing the data is allowed under vital interests if the data can save someone’s life.
Public Task
Processing is necessary for you to perform a task in the public interest.
Legitimate Interests
If you have a reason to process the data to protect your legitimate interests, such as running a business, then as long as that data is processed in accordance with the principles of GDPR, this can substitute for consent.
Individual Rights under GDPR
GDPR empowers data subjects (EU citizens) by giving them the right to dictate how their data is to be processed.
These rights are:
Right to be Informed
GDPR requires the data controller to clearly communicate why the data subject’s data is being processed.
The data controller has to communicate which processors will be processing the data on their behalf, and also tell the data subject where the data is stored and for how long, with a justification.
Right to Access
GDPR requires the data controller to provide the data subject with a copy of their data free of charge.
GDPR does allow a reasonable charge when a request is unfounded or excessive, particularly if it is repetitive.
The data controller may also charge a reasonable fee for further copies of the same information.
The data controller may not charge for a subsequent request otherwise. Any fee must be based on the administrative cost of providing the information.
The main intent is that a person has full rights to his or her data, without abusing the data holders.
Right to rectification
One of the main principles of the GDPR is that the data needs to be accurate.
If the data subject finds that the data held about them is inaccurate, they have the right to have the data rectified so that it is accurate.
Right to Erasure
If the data is no longer required for the purpose it was originally provided for it should be erased.
The data should be erased if the individual requests the data to be erased.
The data should also be erased if it is used illegally or in breach of GDPR.
If the individual objects to processing, and there is no overriding legitimate reason to process the data – it should be erased.
The data should exist in data controller’s hands only for purposes it was given for, and as long as it is required for those purposes.
Right to Restrict Processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1), pending verification of whether the legitimate grounds of the controller override those of the data subject.
Right to Data Portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller.
Right to Object
If the data subject objects to the processing of their personal data, the controller must comply and must stop processing the user’s data.
The data must not be processed unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
Right not to be subject to automated decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Putting GDPR Principles into Action
The main principle of GDPR is: Data protection by design and by default
Practicing data minimization
What data do we actually need?
For example, when signing up for a website, do we need a person’s birth date? We may need it to verify that the person is above a certain age, but we do not need to store it in perpetuity.
How long do we store the data for?
For example, if a person is signing up for a competition, why store the information after the competition has ended? A data controller is obligated under GDPR to remove data that is no longer needed.
How many locations/systems does that data need to exist in?
Is that data being used solely for the purpose it was provided for?
Pseudonymisation
Pseudonymisation means transforming the data to the extent that the person can no longer be identified without additional information.
Effectively, GDPR advocates separating a person’s general data from the data that can identify the person.
Ways to pseudonymize the data:
- Encryption at rest and in transit.
- Aggregation (reporting on large data sets, rather than individuals).
- Indirect references.
The above actions are important when the authorities determine the amount of fine levied against a company in case of a breach.
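As an added illustration (not code from the original guide), the following Python splits a constructed set of CRM-style records into an identity store and a pseudonymous working store, using a keyed HMAC token as the indirect reference. The secret key, the sample records and the store names are assumptions for the example; aggregation runs on the pseudonymous store alone, and dropping a subject from the identity store severs the link.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records (not real people), as a sales system might hold them.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "country": "DE", "spend": 120},
    {"name": "Bob Example", "email": "bob@example.org", "country": "FR", "spend": 80},
    {"name": "Alice Example", "email": "alice@example.org", "country": "DE", "spend": 40},
]


def pseudonym(secret_key: bytes, direct_identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). Without secret_key a holder of
    the pseudonymous store cannot recompute or verify which e-mail produced it."""
    normalized = direct_identifier.strip().lower().encode()
    return hmac.new(secret_key, normalized, hashlib.sha256).hexdigest()[:16]


def split_records(secret_key: bytes, records):
    """Return (identity_store, pseudonymous_store).
    Only the identity store keeps name/e-mail; the working store keeps the
    general data keyed by the pseudonym, so the two can live in separate systems."""
    identity_store = {}
    pseudonymous_store = []
    for r in records:
        token = pseudonym(secret_key, r["email"])
        identity_store[token] = {"name": r["name"], "email": r["email"]}
        pseudonymous_store.append({"subject": token, "country": r["country"], "spend": r["spend"]})
    return identity_store, pseudonymous_store


def spend_by_country(pseudonymous_store):
    """Aggregation: report on groups, never on individuals, using only the working store."""
    totals = defaultdict(int)
    for r in pseudonymous_store:
        totals[r["country"]] += r["spend"]
    return dict(totals)


def erase_subject(identity_store, token: str) -> bool:
    """Erasure / storage limitation: removing the identity entry leaves the
    remaining pseudonymous rows without a path back to the person."""
    if token not in identity_store:
        return False
    del identity_store[token]
    return True
```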
Data Protection Impact Assessment
- Under the GDPR, Data Protection Impact Assessment (DPIA) is mandatory.
- The DPIA helps you to identify risks and accept risks in your process.
- DPIA helps you to communicate with individuals in case of a data breach.
- DPIA helps to plan for the implementation of any solutions to risks identified.
Communication with Customers
Remember transparency and consent freely given (no pre-selected checkboxes, or assumption of consent)
What do you need to state?
- Who you are
- What information is being collected?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?