Houston, Texas, USA: The European Union, EU’s General Data Protection Regulation (GDPR) applies to all businesses and organizations that are offering goods and services to EU citizens, or to those monitoring the behavior of EU citizens, or who are processing personal data. The GDPR ensures lawful use of your personal data, not the confidentiality of data. GDPR came into force on 25th May 2018.
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What information does the GDPR apply to?
GDPR applies to personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
GDPR applies to Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
The GDPR sets out seven key principles:
Lawfulness, fairness and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality (security); Accountability
These principles should lie at the heart of your approach to processing personal data.
What are the GDPR principles?
Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime.
Article 5(1) requires that personal data shall be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Article 5(2) adds that:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Why are the GDPR principles important?
The principles lie at the heart of the GDPR. They are set out right at the start of the legislation, and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime – and as such there are very limited exceptions.
Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of the GPDR.
Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
Lawful basis for processing under GDPR
You must have a valid lawful basis in order to process personal data.
There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason.
Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
What are the lawful bases for processing under GDPR?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
How do we decide which lawful basis applies under GDPR?
This depends on your specific purposes and the context of the processing. You should consider which lawful basis best fits the circumstances. You might consider that more than one basis applies, in which case you should identify and document all of them from the start.
You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR.
You may need to consider a variety of factors, including:
- What is your purpose – what are you trying to achieve?
- Can you reasonably achieve it in a different way?
- Do you have a choice over whether or not to process the data/
- Are you a public authority?
Several of the lawful bases relate to a particular specified purpose – a legal obligation, a contract with the individual, protecting someone’s vital interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first.
If you are processing for purposes other than legal obligation, contract, vital interests or public task, then the appropriate lawful basis may not be so clear cut. In many cases you are likely to have a choice between using legitimate interests or consent. You need to give some thought to the wider context, including:
- Who does the processing benefit?
- Would individuals expect this processing to take place?
- What is your relationship with the individual?
- Are you in a position of power over them?
- What is the impact of the processing on the individual?
- Are they vulnerable?
- Are some of the individuals concerned likely to object?
- Are you able to stop the processing at any time on request?
You may prefer to consider legitimate interests as your lawful basis if you wish to keep control over the processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them. On the other hand, if you prefer to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on individuals’ consent.
When is processing ‘necessary’ under GDPR?
Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing always has to be essential. However, it must be a targeted and proportionate way of achieving the purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means.
It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is a necessary for the stated purpose, not whether it is a necessary part of your chosen method of pursuing that purpose.
How should we document our lawful basis under GDPR?
The principle of accountability requires you to be able to demonstrate that you are complying with the GDPR, and have appropriate policies and processes. This means that you need to be able to show that you have properly considered which lawful basis applies to each processing purpose and can justify your decision.
You need therefore to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. There is no standard form for this, as long as you ensure that what you record is sufficient to demonstrate that a lawful basis applies. This will help you comply with accountability obligations, and will also help you when writing your privacy notices.
It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose.
What do we need to tell people under GDPR?
You need to include information about your lawful basis (or bases, if more than one applies) in your privacy notice. Under the transparency provisions of the GDPR, the information you need to give people includes your intended purposes for processing the personal data and the lawful basis for the processing.
This applies whether you collect the personal data directly from the individual or you collect their data from another source.
What about special category data under GDPR?
If you are processing special category data, you need to identify both a lawful basis for processing and a special category condition for processing in compliance with Article 9. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.
What about criminal offence data under GDPR?
If you are processing data about criminal convictions, criminal offences or related security measures, you need both a lawful basis for processing and a separate condition for processing this data in compliance with Article 10. You should document both your lawful basis for processing and your criminal offence data condition so that you can demonstrate compliance and accountability.
Accountability and governance under GDPR
Accountability is one of the data protection principles – it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.
You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
There are a number of measures that you can, and in some cases must, take including:
- adopting and implementing data protection policies;
- taking a ‘data protection by design and default’ approach;
- putting written contracts in place with organisations that process personal data on your behalf;
- maintaining documentation of your processing activities;
- implementing appropriate security measures;
- recording and, where necessary, reporting personal data breaches;
- carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
- appointing a data protection officer; and
- adhering to relevant codes of conduct and signing up to certification schemes.
Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.
Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.
Being responsible for compliance with the GDPR means that you need to be proactive and organised about your approach to data protection, while demonstrating your compliance means that you must be able to evidence the steps you take to comply.
To achieve this, if you are a larger organisation you may choose to put in place a privacy management framework. This can help you create a culture of commitment to data protection, by embedding systematic and demonstrable compliance across your organisation. Amongst other things, your framework should include: robust program controls informed by the requirements of the GDPR; appropriate reporting structures; and assessment and evaluation procedures.
If you are a smaller organisation you will most likely benefit from a smaller scale approach to accountability. Amongst other things you should: ensure a good level of understanding and awareness of data protection amongst your staff; implement comprehensive but proportionate policies and procedures for handling personal data; and keep records of what you do and why.
Article 24(1) of the GDPR says that: you must implement technical and organisational measures to ensure, and demonstrate, compliance with the GDPR; the measures should be risk-based and proportionate; and you need to review and update the measures as necessary.
What documentation should we maintain under GDPR ?
Under Article 30 of the GDPR, most organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention.
Documenting this information is a great way to take stock of what you do with personal data. Knowing what information you have, where it is and what you do with it makes it much easier for you to comply with other aspects of the GDPR such as making sure that the information you hold about people is accurate and secure.
As well as your record of processing activities under Article 30, you also need to document other things to show your compliance with the GDPR. For instance, you need to keep records of consent and any personal data breaches.
What security measures should we put in place under GDPR?
The GDPR repeats the requirement to implement technical and organisational measures to comply with the GDPR in the context of security. It says that these measures should ensure a level of security appropriate to the risk.
You need to implement security measures if you are handling any type of personal data, but what you put in place depends on your particular circumstances. You need to ensure the confidentiality, integrity and availability of the systems and services you use to process personal data.
Amongst other things, this may include information security policies, access controls, security monitoring, and recovery plans.
How do we record and report personal data breaches under GDPR?
You must report certain types of personal data breach to the relevant supervisory authority in your country, and in some circumstances, to the affected individuals as well.
Additionally, the GDPR says that you must keep a record of any personal data breaches, regardless of whether you need to report them or not.
You need to be able to detect, investigate, report (both internally and externally) and document any breaches. Having robust policies, procedures and reporting structures helps you do this.
Should we carry out data protection impact assessments (DPIAs) under GDPR?
A DPIA is an essential accountability tool and a key part of taking a data protection by design approach to what you do. It helps you to identify and minimise the data protection risks of any new projects you undertake.
A DPIA is a legal requirement before carrying out processing likely to result in high risk to individuals’ interests.
When done properly, a DPIA helps you assess how to comply with the requirements of the GDPR, while also acting as documented evidence of your decision-making and the steps you took.
Should we assign a data protection officer (DPO) under GDPR?
Some organisations are required to appoint a DPO. A DPO’s tasks include advising you about the GDPR, monitoring compliance and training staff. Your DPO must report to your highest level of management, operate independently, and have adequate resources to carry out their tasks.
Even if you’re not obliged to appoint a DPO, it is very important that you have sufficient staff, skills, and appropriate reporting structures in place to meet your obligations under the GDPR.
Do we need to use contracts under GDPR?
Whenever a controller uses a processor to handle personal data on their behalf, it needs to put in place a written contract that sets out each party’s responsibilities and liabilities.
Contracts must include certain specific terms as a minimum, such as requiring the processor to take appropriate measures to ensure the security of processing and obliging it to assist the controller in allowing individuals to exercise their rights under the GDPR.
Using clear and comprehensive contracts with your processors helps to ensure that everyone understands their data protection obligations and is a good way to demonstrate this formally.
Should we adhere to codes of conduct and certification schemes under GDPR?
Under the GDPR, trade associations and representative bodies may draw up codes of conduct covering topics such as fair and transparent processing, pseudonymisation, and the exercise of people’s rights.
In addition, supervisory authorities or accredited certification bodies can issue certification of the data protection compliance of products and services.
Both codes of conduct and certification are voluntary, but they are an excellent way of verifying and demonstrating that you comply with the GDPR.