Lomax Recruitment Group

General Data Protection Regulation (GDPR)

Which businesses fall under the jurisdiction of the GDPR?

The GDPR applies to any organisation that processes the personal data of individuals who are in the EU, whether or not the organisation itself is established in the EU (Article 3). In practice an organisation is caught if it:

  • Is established in an EU member state and processes personal data in the context of that establishment.

  • Has no establishment in the EU but offers goods or services to individuals in the EU, or monitors their behaviour within the EU.

Headcount is not a test of whether the GDPR applies. The 250-employee figure often quoted comes from Article 30(5), which exempts organisations with fewer than 250 employees from keeping records of processing activities, and only if their processing is occasional, is unlikely to result in a risk to the rights and freedoms of data subjects, and involves no special categories of personal data or criminal conviction data. Every other obligation applies regardless of size.

This effectively covers almost every business, since most retain some personal data about customers, ranging from email and postal addresses to health and financial information. GDPR compliance therefore matters irrespective of your company size.

Country specifics: the GDPR and other privacy laws.

The GDPR is effective across the European Union. Although the UK left the EU on 31 January 2020 and the transition period ended on 31 December 2020, the UK retained the regulation in domestic law as the "UK GDPR", sitting alongside the Data Protection Act 2018, so UK organisations remain bound by substantially the same rules.

Similar data protection laws have been enacted in many other countries, so it is important to know where your business operates and where it collects or processes data from, to ensure you comply with the right regime. Although these laws all concern the handling and protection of personal data, they go by different names and differ in detail, so familiarise yourself with each one rather than assuming a single policy covers them all.

Returning to the EU and the GDPR specifically, remember that EU membership can change: a country joining the EU moves from its existing regime to the GDPR, and a country leaving may introduce new data protection laws of its own. It is each business's responsibility to track such changes and act accordingly.

Understanding the terminology:

  • Consent: Obtaining the consent of the data subject means acquiring a "freely given, specific, informed and unambiguous indication" that the data subject agrees to the processing of their personal data, given by a statement or by a clear affirmative action.

  • Data Controller: The person or organisation that, alone or jointly with others, determines the purposes and means of processing personal data. The controller is responsible for establishing the lawful basis for that processing.

  • Data Processor: A person or organisation that processes personal data on behalf of, and on the documented instructions of, the controller.

  • Data Subject: The identified or identifiable natural person to whom personal data relates. The GDPR protects data subjects who are in the EU, regardless of nationality or formal residence.

  • Personal Data: Information relating to a natural person ('data subject') that can directly or indirectly identify that individual in their private, professional, or public life. This includes names, email addresses, photos, bank statements, etc.

  • Processing: Any automated or manual operation or series of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, etc.

The GDPR was formulated with three key objectives in mind:

  • Establishing and Safeguarding Fundamental Privacy Rights:
    The GDPR is designed to uphold the fundamental privacy rights of individuals. It empowers data subjects by giving them control over how their personal data is accessed, utilised, and shared. This ensures that individuals have a say in how their information is handled, fostering a climate of trust and transparency between organisations and data subjects.

  • Harmonising Privacy Laws Across the EU:
    By replacing the divergent privacy regulations of the 28 individual EU member states and the outdated 1995 Data Protection Directive, the GDPR aims to create a uniform legal framework for data protection across the EU. This harmonisation streamlines compliance efforts for businesses operating within the EU, simplifying the regulatory landscape and enhancing consistency in data protection practices.

  • Adapting Privacy Laws to Technological Advancements
    Recognising the significant technological advancements of the past 25 years and their impact on personal data, the GDPR seeks to modernise and adapt privacy laws accordingly. It acknowledges the evolving nature of technology and its implications for data privacy, ensuring that regulations remain relevant and effective in addressing contemporary challenges posed by the digital landscape.

In essence, the GDPR represents a comprehensive and forward-thinking approach to data protection, aiming to safeguard individuals' privacy rights while promoting innovation and accountability in data handling practices.

What are the GDPR data subject rights?

The GDPR sets out eight data subject rights (a data subject being any identified or identifiable natural person whose personal data is processed), alongside the right to withdraw consent. They are:

  • Right to be informed (GDPR Articles 12 to 14)
    Data subjects possess the right to receive information regarding the collection and utilisation of their personal data.

  • Right to access (GDPR Article 15)
    Data subjects have the right to confirm whether their personal data is being processed, to access it, and to obtain a copy of it.

  • Right to rectification (GDPR Article 16)
    Data subjects retain the right to request the rectification or updating of inaccurate or outdated personal information.

  • Right to be forgotten / Right to erasure (GDPR Article 17)
    Data subjects retain the right to request the deletion of their personal data. However, it's important to note that this right is not absolute and may be subject to exemptions based on certain laws.

  • Right to data portability (GDPR Article 20)
    Data subjects have the right to receive the personal data they provided in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.

  • Right to restrict processing (GDPR Article 18)
    Data subjects possess the right to request the limitation or suppression of the processing of their personal data.

  • Right to withdraw consent (GDPR Article 7)
    Data subjects retain the right to revoke previously granted consent for the processing of their personal data.

  • Right to object (GDPR Article 21)
    Data subjects have the right to object to the processing of their personal data.

  • Rights related to automated decision-making (GDPR Article 22)
    Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, subject to the exceptions in that Article.

Develop an Actionable Plan Utilising the 7 Principles of the GDPR.

Lawfulness, Fairness, and Transparency:

The GDPR mandates that personal data processing must have a lawful basis, such as consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. Fairness requires being transparent about data collection and processing methods, ensuring users are informed about how their data is used.

Purpose Limitation:

Data should only be collected for specific, explicit, and legitimate purposes, clearly communicated to individuals through a privacy notice. Further processing for a purpose incompatible with the original one needs a fresh lawful basis (typically new consent) unless it is required by Union or Member State law.

Data Minimisation:

Collect only the necessary data required for the intended purpose, avoiding unnecessary or excessive data collection. For instance, when gathering email newsletter subscribers, only request relevant information for newsletter distribution.

Accuracy:

Organisations are responsible for ensuring the accuracy and currency of the data they collect. Implement mechanisms to correct or update inaccurate or incomplete data and conduct regular audits to maintain data accuracy.

Storage Limitation:

Data should not be retained longer than necessary for the purpose for which it was collected. Establish data retention periods and anonymise or delete data that is no longer required.
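As an added example, not code from the original page or from Lomax Recruitment Group, the following Python models two things discussed above: a retention sweep that applies the storage limitation principle (delete or anonymise records once their retention period lapses) and the handling of an erasure request that must respect the legal-obligation exemption noted under the right to erasure. The purposes, retention periods, the rule that expired recruitment records are anonymised rather than deleted, the identifier field names and the sample records are all assumptions for illustration, not values taken from the GDPR text.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention policy per processing purpose, in days. None means "for as
# long as consent stands" (illustrative values, not figures from the GDPR).
RETENTION_DAYS = {
    "newsletter": None,
    "recruitment": 365,
    "invoicing": 6 * 365,
}

# Assumed purposes whose records are kept to meet a legal obligation; such records
# are exempt from an erasure request until their retention period lapses (Art. 17(3)(b)).
LEGAL_OBLIGATION_PURPOSES = {"invoicing"}

# Assumed purposes whose expired records are anonymised (kept for statistics) rather than deleted.
ANONYMISE_ON_EXPIRY = {"recruitment"}

# Field names treated as direct identifiers and stripped on anonymisation (assumption).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}

# Reference date used by the example run and the sample data below.
TODAY = date(2024, 6, 1)


@dataclass
class Record:
    subject_id: str | None
    purpose: str
    collected: date
    data: dict
    consent_active: bool = True
    anonymised: bool = False


def is_expired(rec: Record, today: date) -> bool:
    """True once the retention period for the record's purpose has lapsed."""
    days = RETENTION_DAYS[rec.purpose]
    if days is None:
        return not rec.consent_active
    return today > rec.collected + timedelta(days=days)


def anonymise(rec: Record) -> Record:
    """Strip the direct identifiers so the record no longer relates to a person."""
    rec.subject_id = None
    rec.data = {k: v for k, v in rec.data.items() if k not in DIRECT_IDENTIFIERS}
    rec.anonymised = True
    return rec


def retention_sweep(records: list[Record], today: date) -> list[Record]:
    """Apply storage limitation: drop or anonymise records past their retention period."""
    kept = []
    for rec in records:
        if not is_expired(rec, today):
            kept.append(rec)
        elif rec.purpose in ANONYMISE_ON_EXPIRY and not rec.anonymised:
            kept.append(anonymise(rec))
        # expired and not eligible for anonymisation: deleted (not appended)
    return kept


def handle_erasure_request(records: list[Record], subject_id: str, today: date):
    """Honour an Article 17 request, retaining only records under a live legal obligation.

    Returns the surviving records plus a report of which purposes were erased and
    which were retained, so the data subject can be told why.
    """
    kept, erased, retained = [], [], []
    for rec in records:
        if rec.subject_id != subject_id:
            kept.append(rec)
        elif rec.purpose in LEGAL_OBLIGATION_PURPOSES and not is_expired(rec, today):
            retained.append(rec.purpose)
            kept.append(rec)
        else:
            erased.append(rec.purpose)
    return kept, {"erased": sorted(erased), "retained": sorted(retained)}


def sample_records() -> list[Record]:
    """Constructed sample data for the example (not real records)."""
    return [
        Record("s1", "newsletter", date(2023, 1, 1),
               {"email": "s1@example.com"}, consent_active=False),
        Record("s1", "recruitment", date(2022, 1, 1),
               {"name": "S. One", "email": "s1@example.com",
                "role_applied": "analyst", "outcome": "rejected"}),
        Record("s1", "invoicing", date(2023, 3, 1),
               {"name": "S. One", "amount": 1200}),
        Record("s2", "recruitment", date(2024, 3, 1),
               {"name": "S. Two", "email": "s2@example.com", "role_applied": "engineer"}),
    ]


if __name__ == "__main__":
    for rec in retention_sweep(sample_records(), TODAY):
        print(rec.subject_id, rec.purpose, rec.anonymised, rec.data)
    remaining, report = handle_erasure_request(sample_records(), "s1", TODAY)
    print(report, "records left:", len(remaining))
```

Two practical notes on the design. First, the sweep and the erasure handler share one expiry test, so a legal-obligation record is only retained while that obligation actually lasts; once its period lapses the next sweep removes it. Second, stripping a fixed list of named fields is the simplest form of anonymisation and is only adequate when the remaining fields (here a role and an outcome) cannot single out a person; a real implementation needs to review indirect identifiers too, since data that can still be linked back to an individual remains personal data.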

Integrity and Confidentiality:

The GDPR mandates maintaining the integrity and confidentiality of collected data to prevent unauthorised access, processing, loss, destruction, or damage. Robust security measures are necessary to safeguard data from internal and external threats.

Accountability:

Organisations must demonstrate compliance with GDPR principles through appropriate measures and records. Supervisory authorities may request evidence of compliance at any time, underscoring the importance of comprehensive documentation and accountability measures. 

  • Create a Processing Register for Article 30

To comply with GDPR Article 30, organisations must maintain accurate records of their processing activities. This entails conducting data mapping exercises to generate a central inventory of the organisation's data flows. 

  • Create a Data Protection Impact Assessment (DPIA); meet the Data Protection by Design and Default requirement

Implement a systematic approach to conducting Data Protection Impact Assessments (DPIAs) and integrating privacy considerations into the design of data processing activities. 

  • Establish a Framework for Consent Management

Adopt robust consent management practices to ensure compliance with GDPR consent requirements. Consent must be specific, clear, and provided in an easily understandable format. 

  • Ensure EU Privacy Cookie Compliance

Obtain informed consent from users before setting cookies or using similar technologies on your website, other than those strictly necessary to provide the service. This requirement stems from the ePrivacy Directive rather than the GDPR itself, but the standard of consent it relies on is the GDPR's. Provide clear information about the purpose of each cookie and allow users to make informed choices.

  • Develop a Data Subject Access Request (DSAR) Portal

Make it easy for data subjects to exercise their rights by implementing a portal for receiving and tracking Data Subject Access Requests (DSARs) and other rights requests. Ensure compliance with GDPR Articles 12 to 22, which set out the data subject rights and the controller's obligations in responding to them, including the one-month response deadline.

  • Review and Mitigate Processor Risks

Assess and mitigate risks associated with third-party data processors to ensure compliance with GDPR requirements. Implement robust contractual agreements and monitoring mechanisms to hold processors accountable for data protection. 

  • Establish an Incident Reporting & Breach Management Workflow

Develop a systematic approach to incident reporting and breach management to meet GDPR notification requirements. A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), unless it is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Article 34).

  • Evaluate Cross-Border Data Transfer Mechanisms

Review and implement appropriate mechanisms for transferring personal data outside the European Economic Area (EEA) in compliance with GDPR requirements. Consider adequacy decisions, standard contractual clauses, and other safeguards to ensure data protection during international transfers. 

  • Implement GDPR Compliance Training

Provide comprehensive training to employees on GDPR principles, data protection obligations, and compliance requirements. Maintain records of training activities: they support the accountability principle, and staff awareness-raising and training is one of the DPO's tasks listed in GDPR Article 39.

  • Appoint a Data Protection Officer (DPO)

Designate a Data Protection Officer (DPO) to oversee GDPR compliance efforts. A DPO is mandatory under Article 37 for public authorities, and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data or criminal conviction data; other organisations may appoint one voluntarily. The DPO is responsible for monitoring compliance, providing guidance on data protection matters, and serving as a point of contact for data subjects and supervisory authorities.

By following these steps, organisations can navigate the complexities of GDPR compliance and establish robust data protection practices to safeguard individuals' privacy rights.

Summary and key points of the GDPR.

In conclusion, the General Data Protection Regulation (GDPR) stands as a cornerstone of privacy legislation, aiming to safeguard the personal data of individuals within the European Union (EU). The GDPR introduced comprehensive measures to enhance data protection, reshape the data landscape, and empower individuals with greater control over their personal information.

At its core, the GDPR embodies seven fundamental principles that guide the lawful processing of personal data. These principles include lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Through adherence to these principles, organisations can foster trust, transparency, and accountability in their data processing practices.

The GDPR imposes obligations on a wide range of entities, including data controllers, data processors, and businesses of all sizes. Whether or not a company is established in the EU, if it processes the personal data of individuals in the EU in the circumstances described in Article 3, it must comply with the GDPR.

To achieve GDPR compliance, businesses must undertake a series of steps, including creating actionable plans aligned with GDPR principles, generating processing registers, operationalising data protection impact assessments (DPIAs), and implementing robust frameworks for consent management and data subject rights. Additionally, organisations must review and mitigate processor risks, establish incident reporting and breach management workflows, and ensure that cross-border data transfers rest on a valid transfer mechanism.

Moreover, GDPR compliance necessitates ongoing efforts, including GDPR compliance training for staff members and the appointment of a Data Protection Officer (DPO) in certain cases. By prioritising GDPR compliance, businesses can mitigate risks, enhance data security, and build trust with their customers and stakeholders.

Overall, the GDPR represents a significant step forward in data protection regulation, reinforcing individuals' rights to privacy and data protection. As businesses navigate the complexities of the digital landscape, adherence to GDPR principles and compliance requirements remains essential to fostering a culture of data privacy and accountability.