European Union General Data Protection Regulation (GDPR)
Jul 12, 2017
The European Union’s General Data Protection Regulation (GDPR) applies from 25 May 2018. It introduces a whole range of new rights and obligations, and it applies to any business or public body that handles (collects, stores or otherwise processes) the personal data of individuals in the EU, regardless of where the entity itself is based. Given the high penalties for non-compliance, organisations are urged to re-examine their policies now and ensure they comply with the new framework.
The reform package grew out of the Digital Single Market Strategy, which aims to break down online barriers between member states in the same way the EU has worked for years to break down barriers offline. The new regime is wide-ranging and will affect nearly every organisation that is based in the EU, operates in the EU or targets EU consumers.
The GDPR aims to consolidate data protection rules across the EU into one set of rules, with a single lead supervisory authority for each organisation (the “one-stop shop”), in order to:
- simplify obligations (in particular notification to national agencies) for businesses;
- create consistency in standards and procedures across the EU;
- update rules regarding new concepts such as big data;
- empower individuals by providing access to their personal data and transferability;
- increase accountability by giving data protection authorities stronger investigative and enforcement powers.
Consequences of Non-compliance
It is important for corporations to note that the GDPR is serious and that non-compliance can have significant consequences. Although the amount of any fine will depend on the circumstances, breaches of the controller and processor obligations, such as failing to carry out impact assessments, to notify breaches or to meet certification requirements, can result in fines of up to €10 million or 2% of the corporation’s global annual turnover, whichever is higher.
More serious breaches (for example of the basic processing principles, the conditions for consent or data subjects’ rights) can attract penalties of up to €20 million or 4% of global annual turnover, whichever is higher.
Key New Concepts to Understand
“Personal data” – Art.4(1)
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
It is important to note that internet cookies, tracking identifiers, IP addresses and similar online identifiers fall under this definition.
“Pseudonymous data” – Rec.26, 28-29, 75, 78, 156; Art.4 (5), 6(4)(e), 25(1), 32(1)(a), 40(2)(d), 89(1)
Some data sets can be processed so that no individual can be identified without a “key”, that is, without additional information that is kept separately. A good example of pseudonymous data is the coded data sets used in clinical trials, where each participant is known only by a code and the list linking codes to names is held elsewhere. Under the GDPR, pseudonymous data is still personal data. However, provided that the “key” enabling re-identification of individuals is kept separate and secure, the risks associated with pseudonymous data are likely to be lower, and so the level of protection required for that data is likely to be lower. The GDPR encourages this practice as a security measure for data protection.
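As an added illustration (not part of the original article), the following Python shows keyed pseudonymisation of a constructed clinical-style record set: direct identifiers are replaced by a code derived with HMAC-SHA256 under a secret key, the re-identification table and the key are held apart from the research set, and an unkeyed hash of the patient number is shown to be reversible simply by guessing numbers, which is why the separately held “key” is what makes the data pseudonymous rather than merely obscured. The record contents, field names and the `P-1xxx` identifier format are assumptions made for the example.

```python
"""Keyed pseudonymisation with a separately held re-identification key.

Added example, not part of the original article. Records, field names and
the identifier format are constructed for illustration only.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; no real people.
RECORDS = [
    {"patient_id": "P-1017", "name": "Alice Example", "email": "alice@example.org", "hba1c": 6.1},
    {"patient_id": "P-1042", "name": "Bob Example", "email": "bob@example.org", "hba1c": 7.4},
    {"patient_id": "P-1588", "name": "Carol Example", "email": "carol@example.org", "hba1c": 5.6},
]

# Fields that identify a person directly; they must not appear in the research set.
DIRECT_IDENTIFIERS = ("patient_id", "name", "email")


def naive_token(patient_id: str) -> str:
    """Unkeyed hash: looks anonymous, but anyone can recompute it from a guessed ID."""
    return hashlib.sha256(patient_id.encode()).hexdigest()[:16]


def keyed_token(key: bytes, patient_id: str) -> str:
    """HMAC-SHA256 under a secret key: cannot be recomputed without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split records into a research set (no direct identifiers) and a
    re-identification table. The key and the table are the 'additional
    information' that must be stored separately from the research set."""
    research, lookup = [], {}
    for r in records:
        token = keyed_token(key, r["patient_id"])
        research.append({"subject": token,
                         **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
        lookup[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
    return research, lookup


def reidentify(token, lookup):
    """Only the party holding the separately stored table can do this."""
    return lookup.get(token)


def enumeration_attack(tokens, token_fn, id_range=range(1000, 2000)):
    """Attacker holds only the research set and tries every ID of the form
    P-1xxx. Returns {token: guessed_id} for every hit. Succeeds when the
    tokens were built with naive_token, fails when they were built with a key."""
    targets = set(tokens)
    hits = {}
    for n in id_range:
        guess = f"P-{n}"
        t = token_fn(guess)
        if t in targets:
            hits[t] = guess
    return hits


def has_direct_identifiers(research):
    return any(k in row for row in research for k in DIRECT_IDENTIFIERS)


def demo():
    key = secrets.token_bytes(32)          # generated and stored separately
    research, lookup = pseudonymise(RECORDS, key)
    naive_tokens = [naive_token(r["patient_id"]) for r in RECORDS]
    return {
        "research_has_identifiers": has_direct_identifiers(research),
        "naive_ids_recovered": len(enumeration_attack(naive_tokens, naive_token)),
        "keyed_ids_recovered": len(enumeration_attack([r["subject"] for r in research], naive_token)),
        "legitimate_reidentification": reidentify(research[0]["subject"], lookup)["name"],
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the attack function is that a bare hash of a low-entropy identifier (patient number, email, phone number) is not pseudonymisation in the GDPR sense, because the “additional information” needed to re-identify is just a list of plausible values anyone can enumerate. Holding the HMAC key and the lookup table under separate access controls from the research set is what keeps the two halves apart.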
“Consent” – Rec.25; Art.4(11)
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Obtaining valid consent is now harder, as it requires an “unambiguous indication” by a “clear affirmative action” from the data subject. Silence, pre-ticked boxes or inactivity do not count.
What Corporations Should Do Now
The GDPR requires corporations to maintain records of their processing activities and to be able to show how they comply with the data protection principles. Companies are therefore recommended to perform the following tasks as part of their preparation.
Perform an Information Audit
Corporations should document what personal data they hold, where it came from and with whom it is shared. They should implement procedures to verify the accuracy of the data and to notify third parties of any inaccuracies.
Update Privacy Notice
One of the aims of the GDPR is to give individuals control over their personal data, and personal data must be processed fairly and lawfully. The GDPR requires data controllers to inform data subjects about how they process personal data. A privacy notice should be transparent, easy to understand and provided free of charge.
Corporations should be aware that personal data is nowadays collected in many ways. Often data is collected directly from the data subject (e.g. when a customer fills in a form with his contact details). However, personal data can also be collected indirectly: by tracking people online or through smart devices; by deriving information from combining other data sets; or by analysing a person’s social media activity, location data and purchase records.
The following table, adapted from the UK Information Commissioner’s Office, lists the information that must be supplied to data subjects. The last two columns show whether each item is required when the data are obtained directly from the data subject (Art. 13) and when they are not (Art. 14).

| What information must be supplied? | Data obtained directly from data subject | Data not obtained directly from data subject |
|---|---|---|
| Identity and contact details of the controller (and, where applicable, the controller’s representative) and the data protection officer | Yes | Yes |
| Purpose of the processing and the lawful basis for the processing | Yes | Yes |
| The legitimate interests of the controller or third party, where applicable | Yes | Yes |
| Categories of personal data | No | Yes |
| Any recipient or categories of recipients of the personal data | Yes | Yes |
| Details of transfers to third countries and the safeguards in place | Yes | Yes |
| Retention period or the criteria used to determine the retention period | Yes | Yes |
| The existence of each of the data subject’s rights | Yes | Yes |
| The right to withdraw consent at any time, where relevant | Yes | Yes |
| The right to lodge a complaint with a supervisory authority | Yes | Yes |
| The source the personal data originates from and whether it came from publicly accessible sources | No | Yes |
| Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data | Yes | No |
| The existence of automated decision-making, including profiling, and information about how decisions are made, their significance and their consequences | Yes | Yes |
Re-examine and Implement Rights to Individuals
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Corporations should consider the practical aspects of how they will respond to individuals’ requests, such as providing access to, or erasing, personal data previously supplied. Where data portability applies, the personal data must be provided in a structured, commonly used and machine-readable format. Corporations have one month to answer a request (extendable by a further two months for complex or numerous requests) and cannot charge a fee unless the request is manifestly unfounded or excessive. Any refusal must state the reasons and inform the requester of their right to complain to the supervisory authority and to seek a judicial remedy.
Consider performing a “Privacy Impact Assessment” (PIA) also referred to as “Data Protection Impact Assessment” (DPIA)
An impact assessment has always been considered good practice. Under the GDPR, such an assessment is mandatory where the processing is likely to result in a high risk to individuals. Examples are situations where:
- a new technology is being deployed;
- a profiling operation is likely to significantly affect individuals; or
- there is processing on a large scale of the special categories of data.
Corporations should therefore consider whether they will need to conduct a DPIA and what practical steps that involves.
Re-examine Consent Procedures
Corporations should re-examine how consent is currently obtained and adjust their processes if they do not meet the stricter definition of consent under the GDPR. Records of consent should be verifiable (who consented, when, what they were told and how they indicated agreement), and corporations are encouraged to time-stamp consent records.
Consider Personal Data of Children (i.e. persons under the age of 16, or a lower age set by member state law, which may not be below 13)
The GDPR has special protections for children’s personal data, particularly in the context of online services offered directly to children, such as social networking. Corporations should consider whether they need to implement new systems for age verification and for obtaining a parent’s or guardian’s consent.
Consider Appointing a Data Protection Officer
Larger corporations may find it necessary to appoint a data protection officer to manage compliance and the record keeping of personal data, if no such role already exists.
Under the GDPR, it is mandatory to formally designate a Data Protection Officer in certain circumstances. One of these is when an entity “carries out the regular and systematic monitoring of individuals on a large scale”. Although the key phrases “regular and systematic monitoring” and “large scale” are not defined in the Regulation, the Article 29 Working Party’s guidance on DPOs indicates that “regular and systematic monitoring” includes all ongoing or periodic forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. Examples of “large scale” processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
Identify Its Data Protection Supervisory Authority
For compliance purposes, corporations that operate in more than one EU country should identify their lead data protection supervisory authority, which is determined by where the corporation’s main establishment is located. For corporations that carry out cross-border processing, the main establishment is the place of central administration, or the place where decisions about the purposes and means of processing are taken and implemented. Depending on the corporate structure, it may be necessary to map out where the decision-makers, processors and data collectors are located when determining the main establishment.