This content was originally posted as part of the Chit Chat Across the Pond podcast on 14 April 2018 but since the subject is evergreen it is repeated here as a permanent Page.
In this article, Bart Busschots explains the General Data Protection Regulation, or GDPR. This is a regulation that will take effect across the European Union starting on 25 May 2018. Bart first gives us an overview, outlining the main objectives, the 7 core principles, and explains how a regulation differs from a directive. From there he defines the terminology and concepts which are critical to understanding the regulation. He explains the legal grounds, what consent means and what rights individuals will have. Then he covers data processing objections, how automation decision making is affected, and people’s right to erasure. Finally, he goes through what kind of data breaches are mandatory to be disclosed and to whom. It’s a really impressive bit of work that the EU have done here, and Bart does a great job explaining it.
The Problem to be Solved
- Each nation in the EU has data protection laws, and they’re similar in many ways, but they’re all different.
- Many, if not most, of the existing data protection laws pre-date the modern internet, so they need to be updated to reflect developments (social media, the Facebook-style business model, the rise in identity theft, etc.).
- There’s no clear EU-wide set of data protection rights for citizens
- The penalties for breaking the existing data protection laws are not uniform, but generally considered lenient.
- The GDPR is the General Data Protection Regulation.
- The GDPR Covers all personal data processed by manual or automated means — note, not all data, just all personal data.
- The main objectives are:
- Give individuals more advanced and more clearly defined rights, and more control over how their personal data is stored and used.
- Empower individuals to seek compensation from organisation who breach their data protection rights.
- Make organisations more accountable and instil a culture of privacy awareness.
- The GDPR is built around 7 core principles:
- Collected personal data should be for a specific and legitimate purpose (if you collect data for one purpose, you can’t just use it for anything you fancy).
- Collected personal data should be adequate to meet the needs, but minimised (gather the personal data you need, but only the personal data you need).
- Stored personal data should be accurate and kept up-to-date.
- Personal data should be kept for no longer than necessary.
- Personal data should be stored securely.
- Organisations or people that hold personal data must be accountable for what happens with that data (the accountability principle).
- Use of personal data must be lawful, fair, and transparent.
- The GDPR is an EU regulation (not a directive), so it applies directly all across the EU.
- Directives are instructions from the EU to member states to draft national legislation that meets certain requirements. Every EU nation has to implement a directive, but each nation’s implementation will be unique.
- Previous EU privacy controls had been applied as directives, so each state had their own data protection laws.
- The GDPR replaces the mish-mash of different national privacy laws with a single EU-wide regulation.
- The GDPR comes into force across the entire EU (including the UK) on the 25th of May 2018.
- The penalties for breaches of the GPDR are robust — up to €20 million or 4% of the organisation’s annual turnover, whichever is greater.
- The GDPR applies to anyone in the EU processing personal data from anyone anywhere in the world, and anyone anywhere in the world processing the Personal Data of anyone physically in the EU (not just EU citizens).
Terminology & Concepts
- Personal Data: any information that could identify a living person (the dead are not protected by GDPR!). This sounds simple but it’s not, and there are lots of grey areas open to interpretation, so there’s a lot of confusion and uncertainty ATM (precedents will get set over time, so things should become clearer).
- Indirect identification is covered. The combination of multiple pieces of information that individually wouldn’t be covered could become covered if combining them allows the identity to be determined. E.g. a name alone isn’t covered (lots of people share the same name), nor is a data of birth alone, but store both and they might be covered, and add an address and they’ll definitely be covered.
- Depending on circumstances, incomplete information may also be covered. E.g. A customer ID doesn’t look like personal data, but if that links to a full customer profile, then it is. IP addresses are covered.
- Pseudonymised data is also covered — if the organisation holds the mapping between the anonymised identifier and the original identity, then it’s still personal data, no matter what it looks like at first glance. (If you don’t hold the mapping then it’s anonymised data which is not covered.)
- Long-standing identifiers like national ID numbers, phone numbers, email addresses etc. are covered, but so are some newer data types including devices IDs (like MAC addresses), online identifiers (like IP addresses and tracking cookies), and location data.
- Special Category Data: this is the official GDPR term for what you or I would call sensitive data (criminal records are expressly not covered in this category, they’re covered separately):
- Racial or ethnic origin
- Genetic data
- Biometric data
- Physical and Mental Health data
- Sexual life (activities, orientations etc.)
- Religious or philosophical beliefs
- Political opinions
- Trade Union membership
- Data Processing: this is a broad term that covers a wide range of activities including data gathering, storage, security, analysis, transportation/transmission, and disposal.
- Data Subject: the living person the personal data is about (you!).
- Data Controller: An organisation or person who makes decisions on why and how personal data should be stored/processed (a user of personal data, e.g. a company, school, or government).
- Data Processor: A person or organisation who stores/processes data on behalf of a Data Controller (you can be a controller and a processor, and most organisations are, but many organisations also out-source to third-parties, and those third parties would be processors but not controllers).
- Data Protection Officer (DPO): A named person responsible for an organisation’s compliance with GDPR.
- DPOs are mandatory for any organisation who’s core activities include:
- large-scale systematic data monitoring, or
- large-scale processing of special category data (sensitive data), or
- processing of criminal records.
- All organisations are encouraged to appoint at DPO.
- DPOs are mandatory for any organisation who’s core activities include:
- Supervisory Authority: A national data protection authority that enforces GDPR (every EU nation will have one, e.g. in Ireland it’s the Data Protection Commissioner).
- Privacy Notice: a document data controllers are required to publish that describes what personal data they collect, why they collect it, and what they do with it, including who they share it with. Privacy notices also have to explicitly state the legal grounds on which the personal data is being collected (more on this later).
- Subject Access Request (SAR): a request from a data subject for a copy of all the personal data a data controller holds on them.
- Data Breach: under GDPR, the term data breach is very broad, it doesn’t just cover the obvious stuff like unauthorised access & data loss, but also unauthorised disclosure (not stolen but given away when it shouldn’t have been), unauthorised alteration, and unauthorised destruction.
All personal data collected needs to be justified under one of six legal grounds, and the grounds need to be specified in a person/organisation’s privacy notice.
GDPR allows the following six legal grounds:
- consent — the data subject consented to the collection and use of the data.
- Legitimate Interest — the data is collected and used in a way that would be reasonably expected. Use of this ground is limited because it can’t override a person’s rights or freedoms, and can’t be used by a public sector body.
- Contractual Obligations — the data is collected and used to fulfil a contract entered into with the data subject. E.g. if you purchase an item to be delivered, you have to provide a delivery address for the vendor to be able to fulfil their contractual obligations to you.
- Legal Obligations — the data is collected and used in order to comply with a law.
- Vital Interests — the collection and use of the data is of vital interest to the data subject. The bar is high here, you’re pretty much talking about matters of life and death only.
- Public Interests — the collection and use of the data is in the public interest. This can be used to justify the archiving of data for scientific or historical research, or the generation of statistics.
This is the most clear-cut and strongest legal ground to gather and use personal data under.
The regulation states that for consent to be valid it must be ‘freely given, specific, informed and unambiguous either by a statement or by a clear affirmative action’.
- Data subjects can’t be railroaded into giving consent, it has to be an actual choice.
- Silence, pre-ticked boxes, or inactivity do not indicate consent — the old chestnuts like ‘by using this site you agree …’ do not count as valid consent under the GDPR.
- Data subjects have to be able to withdraw their consent at a later time. Data controllers also have to explicitly inform data subjects that they have the right to withdraw their consent, and, provide a clear and simple mechanism for doing so.
- Consent can’t be inferred, the data subject has to pro-actively do something to consent, e.g. verbally state their agreement or click a clearly labeled button/checkbox.
- Requests for consent have to be clearly labeled and separated out, you can’t just mush them into the middle of the small print.
Children get extra protections under GDPR:
- Parental consent is needed before digital services (like social networks) can process a child’s personal data, and reasonable efforts have to be made to verify that consent.
- Outside of digital services data controllers have to assess whether or not a child has the competency to understand and consent on their own behalf.
- Privacy notices that children are expected to consent to have to be written in language that children can reasonably be expected to understand.
Note that the GDPR defines as child as anyone under 16, but does allow individual countries to re-define that ages down to a lower-limit of 13.
The GPDR grants data subjects the following rights when it comes to their personal data:
- Information — people have a right to be informed about how their personal data will be processed. The mechanism here is the privacy notice that data controllers must publish.
- Access — people the right to see all personal data a data controller has stored on them.
- Rectification — people have the right to correct any mistakes in the personal data a data controller has stored on them. The data processor has to fix erroneous data ‘without undue delay’, and definitely within one month, and they have to make sure the correction is propagated to any third-party data processors they share data with.
- Erasure — citizens have a right to request their personal data be deleted by a data controller, but it’s not an absolute right, there are caveats.
- Objection — data subjects have a right to object to certain uses of their personal data, and when that happens, the data controller has to stop processing the data unless there is a compelling reason not to. Data subjects can object to their data being used for direct marketing or research.
- Restrict Processing — when there are disputes, a data subject can demand the processing of their personal data be restricted until the dispute is resolved. E.g. the data subject and data controller disagree about whether or not a piece of data is accurate, or the data subject challenges the legal grounds for the processing.
- Data Portability — when technically feasible, data subjects have a right to request their personal data be copied or moved to another data controller, including to a competitor. The idea is that people shouldn’t be needlessly locked in to suppliers.
When these rights are violated, data subjects have standing to sue data controllers for compensation.
The primary function of a privacy notice is to let citizens know what personal data is being collected, why it’s being collected, and how it’s going to be used. A big part of how it’s going to be used is who it will be shared with.
Privacy notices don’t just have to be easy to find, they actually have to be highlighted for attention.
Privacy notices also have to be clear and easy to understand — no obfuscations, and no hiding important stuff deep in the small print! A privacy notice that’s not clear would be considered a violation of the right to be informed.
You’d imagine it would go without saying, but privacy notices have to be available free of charge. You can’t charge citizens for a privacy notice.
A privacy notice should be:
- Concise — it should contain all the information it needs to, but no more. Overloading citizens with so much superfluous information that they can’t find the important stuff is not OK!
- Transparent and Intelligible — it should be written in clear, plain language. No using legalese to try confuse citizens!
- Supplied in Context the privacy notice should be available when consent is given and/or the personal data is collected, or, if the data is acquired indirectly, the data subject needs to be provided with the privacy notice within a reasonable time.
Privacy notices must contain:
- Contact details for the data controller’s DPO.
- The legal grounds for the data collection (from the list above).
- A list of the data processors that will process the personal data.
- A retention policy for the personal data (how long will it be kept).
- An explanation of a person’s rights regarding the processing of their personal data including their right to withdraw consent, to object to certain kinds of data processing, and to complain to the relevant supervisory authority.
The notification of a person’s rights has to be clearly separated out from the rest of the notice so it’s easy to find.
The notification also has to include the right to have their personal data moved or copied to another organisation, even when the other organisation is a competitor. That’s not an absolute right though, it has to be technically feasible.
SARs (Subject Access Requests)
Since citizens have a right to access, data controllers have to provide a mechanism for data subjects to submit so-called Subject Access Requests, or SARs. In general there shouldn’t be a a fee for submitting a SAR, but there are exceptions. If the data is returned electronically, it has to be in a commonly used format.
When a data controller receives a SAR it has to be passed to their DPO promptly, and they are then responsible for processing it.
Generally speaking, SARs need to be processed within a month.
Data Processing Objections
- Data subjects have a right of objection. What that means is that they can object to some uses of their personal data, and data controllers should stop processing the data unless there’s a compelling reason not to. Data subjects can object to their personal data being used for:
- Direct Marketing — this is the most clear-cut type of objection. If a person objects to being direct marketed at, there are no grounds to refuse to stop.
- Research & Statistics Generation — this is much less clear-cut, the public interest could out-weigh the individual’s rights, or, the individual might not have grounds on which to object, depending on the circumstances.
- Processing on the grounds of legitimate Interests, public interest, or the exercise of official authority — if the legal grounds for processing are the data controller’s legitimate interests, or, the public interest, then data subjects have a right to raise an objection, and then a judgement will need to be made on whether or not the processing is legal under the GDPR.
If a data controller decides to reject an objection they have to inform the data subject that they have rejected their objection, and, that they have the right to complain to the relevant supervising authority.
Profiling & Automated Decision Making
Data subjects can also object to the outcomes of any kind of automated decision making algorithms or profiling. Profiling is defined as ‘any form of automated processing used to evaluate, analyse or predict personal aspects of an individual’.
Individuals have a right to ask for an explanation of any kind of automated decision or profile, and they can challenge the outcome.
The GDPR gives people the right not to be subject to a decision based solely on automated processing if it significantly affects them. This right isn’t absolute though, objections can’t be raised if the profiling is required to fulfil contractual obligations, authorised by law, or based on explicit consent (though consent can be withdrawn).
Right to Erasure (AKA Right to be forgotten)
In many circumstances, data subjects have a right to demand their personal data be deleted, this includes:
- When the data is no-longer required for the original purpose.
- Consent is withdrawn and the data doesn’t need to be retained for legal reasons.
- The data is unlawfully processed.
- The data subject objects to the data processing, and there’s no legitimate overriding interest.
- There’s a legal obligation to delete the data.
- The data relates to the offering of information services to a child.
There are also valid reasons for denying deletion requests, including:
- The public interest
- Legal obligations
- Freedom of expression
Note that children have a stronger right to deletion, and the definition of a child’s data is based on the age they were when they signed up, not their current age. So a delation request from a 21 year old who signed up for something when they were 13 must be treated as a request from a child, even thought they’re not a child anymore.
Data Security & Data Breaches
Before GDPR just about all the responsibility rested with data controllers, and it was up to them to supervise their data processors. GDPR changes that, in a few important ways:
- Under GDPR, both data controllers and data processors are responsible for the security of data while it transfers between them (under previous data protection directives it was just the controller who was responsible).
- If a data processor becomes aware of a data breach they must inform the data controller ‘without undue delay’. They also have a responsibility to report the breach to the supervisory authority.
- Data processors can be sued by data subjects for damages caused by a breach of data they were processing.
Mandatory Reporting of Data Breaches
In order to protect people’s right to be informed, the GDPR includes mandatory reporting of notifiable data breaches. To avoid anything slipping through the cracks, all organisations involved in data processing have a duty to report any such data breaches they discover to the appropriate supervisory authority, not just data controllers.
A breach is considered notifiable if it’s ‘likely to infringe the rights and freedoms of individuals’. That includes reputational damage, financial loss, and loss of confidentiality. These kinds of breaches need to be reported within 72 hours of the data controller becoming aware of them.
For breaches where there’s a high risk to individuals, there is also a responsibility on the data controller to inform affected individuals, either directly, or via a public announcement.
Failing to report a notifiable breach is a serious offence and can result in fines up to €10M or 2% of global turnover, which ever is greater! Note that these fines are in addition to any fines imposed for the breach itself! That means that an un-notified serious breach could cost an organisation up to €30M or 6% of global turnover!
If you’re an employee in an organisation that’s subject to GDPR and you discover a data breach you need to immediately inform both your manager (if you have one), and your employer’s DPO (if they have one).