In Part One, we set the scene for the GDPR. Here in Part Two, we will look at what’s actually inside the legislation.
Packed into nearly 90 pages, 173 recitals and 99 articles, the GDPR is around three times as long as the previous law. It is not surprising then that wrestling this legislation to the ground requires some mental fortitude.
But worry not. We divvied up the contents into three more easily consumable chunks: the legal bases for collecting data, the individual rights and the organisational obligations.
Please note that our summary isn’t exhaustive. Rather, it is meant to help you get a bead on the law. More in-depth details can be found on the website of the Information Commissioner’s Office (ICO).
I. Bases for processing
The GDPR outlines six lawful grounds for processing personal data. If your company meets any of the six criteria, that means you can go ahead and process the personal information in question. The grounds for processing personal information are the following:
When the data subject gives you explicit consent, that means you have the greenlight to process their data. Most businesses will use this as a basis to approach their customers with information about products and services. It is crucial to get consent requests right, so we’ll revisit this topic in Part Three of our series.
You can process a subject’s personal data if it is necessary for the performance of the contract. Case in point is the processing of shipping addresses and payment information by Amazon. Unless a customer provides their address and payment details to Amazon, the company cannot perform their contractual promise of delivering products to their customers.
Processing may be necessary for compliance with a legal obligation. For example, employers have a legal obligation to report employee salaries to HMRC. Processing employees’ personal data for this purpose serves as a legitimate legal ground.
If processing is necessary for the subject’s vital interest, you don’t need to ask for their consent. Just think of how a hospital may need to access and process someone’s medical history during an emergency medical event.
It is lawful to process personal data when it is used to perform a task in the public interest. Examples include certain types of academic and statistical research, such as gathering and processing information in order to chart epidemiological trends.
[it] is necessary for legitimate interests of the controller or by a third party, balanced with the interests and fundamental rights and freedoms of the individuals.
The language of this provision is a bit opaque. But think of legitimate interest as the more lenient cousin of contractual necessity. You may remember that in the case of a contractual necessity, the service cannot or can hardly be carried out without processing the customer’s personal data. With legitimate interests, the service can still be provided without collecting the data in question. However, access to that data can expedite the service or elevate its quality.
A helpful question you could ask yourself goes something like this: ‘would my customers be surprised if they found out that we are processing their information?’. For example, Amazon may recommend products to their customers in order to provide them a better customer experience. No surprises there. Or a charity may reach out to existing donors to send updates on upcoming events.
Or take ‘suppression’. Suppression is when a customer unsubscribes from your mailing list, but you retain their email address in order to know where not to send your promotional material anymore. The retention of that email address is a legitimate interest, and customers may not be surprised to find out that you store and use their personal email address so as not to bother them.
Because legitimate interests are not always straightforward, they usually need to go through a so-called three-stage balancing test. The Direct Marketing Association (DMA) released a handy guide on legitimate interests with valuable details on this balancing test.
II. The individual rights
The GDPR affords a list of rights to online users. First and foremost, these rights are vital for upholding our basic European societal values.
But from a purely practical perspective, businesses stand to benefit from visibly observing these rights. In other words, playing by the GDPR book is not only the right thing to do, it is also a valuable PR asset.
Companies who collect personal data must inform the data subject about why their data is collected, and how and to what end it will be processed. Informing the subject has to be done
in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
This is where companies need to up the ante, and so we will revisit this issue in Part Three.
If your data subject wishes to find out how their data is being processed, your business should make that information available. This means that adequate record-keeping technologies need to be in place.
Despite taking a lot of heat for their oversights, Facebook does a good job at giving easy access to its users to the data it holds on them.
If the data subject finds that the information you have of them is incorrect, and they notify you of the error, you need to remedy the issue in a flash.
Data subjects can request the removal of their personal data by the data processor.
For example, a subject may request the removal of their data from Google’s search results. Requests of this sort only qualify under specific circumstances. Case in point is when subject’s personal data is no longer necessary for the original reasons it was collected for.
According to the law, it is now up to the processor (such as Google) to evaluate whether such an erasure request is legitimate or not. This means that the processor has to carry out a balancing act between protecting the individual’s rights (removing the data) and serving the public interest (making information available).
Needless to say, this is a very exacting obligation, and has been a bone of contention for years now. Just read one of Google’s blog posts regarding a removal request.
The data subject can object to the processing of their data. This means that your business may continue to store the subject’s data, but you are not allowed to process it.
Your customers can request a copy of all the data that you hold on them. The data bundle should be made available in a “structured, commonly used and machine-readable format.”
As with most legal texts, technical specifications remain open to interpretation and subject to industry standards. That said, the Article 29 Working Party (the EU’s data protection advisory board) released a guide on data portability. They advise on using open formats such as XML, JSON and CSV.
The provision says that the data subject can refuse to have their data processed for direct marketing and for profiling purposes.
In plain language, this means that you may only send marketing material to customers (or build their digital blueprint using their data) if you have their consent. There may also be other legal bases to do so, but we’ll cover this in Part Three.
The provision says that when data processing decisions are entirely automated, the data subject has the right to oppose being included in that decision.
Believe it or not, this provision goes back all the way to 1981. It was a stand-alone treaty and went by the pithy and memorable name of ‘Convention for the protection of individuals with regard to automatic processing of personal data’. You may know it as ‘Treaty No.108’.
The notion that individuals have, or should have, control over what happens to their personal data is called ‘informational self-determination’. A popular view is that the GDPR enables informational self-determination in an environment that many people see as a tug of war between organisations and customers.
Some believe that this concept cannot elevate beyond theory. Others contest that if privacy is a social value, then individuals shouldn’t be allowed to wield control over their data to begin with. Whatever the case may be, the GDPR has made great strides towards bolstering individual data privacy protection, which is worthy of celebration in and of itself.
III. The organisational obligations
This section tallies the obligations that the GDPR sets out for organisations. Admittedly, the requirements are exacting and span everything from communication to technology. Which means that most businesses are and will be compelled to roll up their sleeves and make some changes.
Here, too, we must note that our list isn’t exhaustive. For instance, we do not touch upon data transfers. Rather, this list was compiled with the intention of helping our readers and clients come to grips with the fundamentals of the GDPR.
The GDPR says that data protection principles should be implemented by default and by design. In other words, privacy should be a foundational building block of any business.
What this means in technical terms depends on the state of modern technology. The GDPR proposes security measures such as anonymization and pseudonymisation, but one could argue that these are quite generic. In fact, best practices are in a constant state of flux, so today’s security measures may not even make the cut tomorrow.
There is also a clear gap between the legal intentions of the GDPR and the technical practices it recommends. Vice versa, there is a lack of privacy and human rights related discussions in the most commonly used engineering textbooks. So, it seems that both legal and technology professionals could benefit from better collaboration.
Until then, we recommend keeping abreast of the latest security practices, hiring security professionals, and making sure that the handling of all personal data is kept under close and strict supervision.
The GDPR requires both controllers and processors to keep a record of all their activities.
Companies with more than 250 employees must document all their processing activities.
Record-keeping requirements do not apply to all SMEs. For smaller firms, documentation will only be necessary for continual (non-occasional) processing; when processing pertains to special kinds of data such as criminal and offence data; or when processing of personal data poses a risk to the rights and freedoms of data subjects. The ICO offers further guidance on record keeping here.
Defined in a single sentence, this article states that,
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
Businesses must implement appropriate technical and organisational measures for the protection of personal data.
Rather than recommending specific technologies, the GDPR necessitates a case-by-case risk assessment. The ICO has released a guide for small businesses here, and further guidance is in the hopper.
If a data breach occurs, businesses must notify the Data Protection Authority within 72 hours of having become aware of the breach. If that timeline isn’t feasible, the notification should be accompanied by an explanation of the delay.
In addition, if the breach presents a risk to the rights and freedoms of data subjects (e.g. the exposure of credit card information), then the individuals should be notified immediately as well.
Data protection impact assessments (DPIAs) are a set of tools and processes that can help organisations find the best ways to comply with the GDPR.
DPIAs should be carried out if your business employs new technologies, or the processing of personal data exposes the data subjects to a high risk. These high-risk processing scenarios include systematic and extensive processing activities, large scale monitoring of public areas (CCTV), and large-scale processing of data that are related to criminal convictions or offences.
In certain cases, businesses need to hire a dedicated Data Protection Officer (DPO).
The DPO’s job is to keep all employees up to date on their obligations, to monitor the company’s overall compliance, and to act as a point of contact with the data protection authority.
The appointment of a DPO is mandatory for public authorities, for businesses carrying large-scale monitoring of individuals, and for businesses carrying out large-scale processing of data that relate to criminal convictions or offences.
You may find the Article 29 Working Party’s guidance on DPOs here.
Part Three will provide some business advice and clear the air on a few thorny issues.
Should you have any questions in the meantime, do not hesitate to get in touch with us. We’ll do our best to answer your questions, or point you to the most appropriate resources.