Defining a Winning GDPR Strategy Part 1 - Introduction to GDPR
- By Sagara Gunathunga
- 18 Dec, 2017
About this series
This article is the first in a series of four which aims to provide comprehensive insights on GDPR and practical guidelines for business organizations to plan, define, and execute a successful GDPR compliance strategy.
Read Part 2 - 7 Steps for GDPR Compliance
Read Part 3 - Identity and Access Management to the Rescue
Read Part 4 - GDPR Compliant Consent Design
What is GDPR?
The General Data Protection Regulation (GDPR) is the EU's legal framework for the protection of personal data. It was adopted in 2016 and applies from 25 May 2018. Infringements can attract administrative fines of up to 4% of an organization's annual worldwide turnover or €20 million, whichever is higher.
GDPR replaces the EU Data Protection Directive (DPD, Directive 95/46/EC). Note that the DPD is a directive while the GDPR is a regulation:

| EU Directive | EU Regulation |
|---|---|
| A directive is a legislative act which sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. | A regulation is a binding legal act that applies in every Member State from a set date. It must be applied in its entirety across the EU without national transposition. |
GDPR lays down rules on two aspects concerning natural persons:
- Processing of personal data relating to natural persons
- Free movement of personal data within the Union
NOTE: GDPR uses the term data subject for the identified or identifiable natural person to whom personal data relates.
Data relating to a non-human such as a legal entity or business organization, or to an animal, is not covered by GDPR. Personal data of deceased persons is also outside its scope, although Member States may regulate it separately.
GDPR treats the protection of personal data as a fundamental right of every natural person. In practice this means that processing must rest on a lawful basis, most visibly the individual's freely given, specific, informed and unambiguous consent, and that individuals gain enforceable rights over how their data is used. This lets individuals engage with business organizations under a well-defined context with assurance about those rights.
For organizations which process personal data, GDPR provides legal certainty about which processing operations are permitted and on which grounds.
Key definitions
GDPR is a carefully drafted legal text, and this section explains some of the terms it uses.
Processing
In the GDPR context, the scope of the term "processing" is broad. The following table summarizes activities that fall under the definition, and activities to which GDPR does not apply at all:
| Activities that count as processing | Activities to which GDPR does not apply |
|---|---|
| Collection of personal data | Any activity concerning data of a legal person such as a company or public authority |
| Recording of personal data | Any activity concerning data of deceased persons |
| Organizing, cataloguing or structuring of personal data | Activities that fall outside the scope of Union law |
| Storing of personal data | Processing by a natural person in the course of a purely personal or household activity |
| Adaptation or alteration of personal data | Activities carried out by Member States within the scope of the EU's Common Foreign and Security Policy |
| Retrieval of personal data | Processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences, the execution of penalties, or safeguarding against threats to public security (the separate Law Enforcement Directive, 2016/680, applies instead) |
| Consultation of personal data | |
| Disclosure of personal data by transmission | |
| Dissemination or otherwise making personal data available | |
| Alignment or combination of personal data | |
| Restriction of personal data | |
| Erasure or destruction of personal data | |
It is also important to understand that "processing" covers manual as well as automated means: GDPR applies to processing carried out wholly or partly by automated means, and to manual processing of personal data which forms, or is intended to form, part of a filing system. For example, collecting details on a paper form, or writing down a customer's name and address while taking a takeaway order, is processing.
Personal data
GDPR uses the term "personal data". It is often mapped to the US term "Personally Identifiable Information (PII)", but the GDPR definition is broader than many PII definitions: any information relating to an identified or identifiable natural person is personal data and must be handled in accordance with GDPR. A person can be identified, directly or indirectly, by reference to:
- An identifier such as a name, an identification number, location data, or an online identifier such as an email address, a username, a cookie identifier, an IP address, or a Radio Frequency Identification (RFID) tag
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person, including biometric data such as facial images or fingerprints
Controller and Processor
Organizations processing PII belonging to an individual can be designated either as a Controller or a Processor based on the following:
- Purpose of personal data processing (Why process PII)
- Means of data processing (How to process PII)
If a particular organization is responsible for defining the purpose and means of data processing, it is a Controller. If not, the organization is a Processor.
More formal definitions for Controller and Processor are included below:
| Controller | Processor |
|---|---|
| A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller |
Who is affected?
Territorial applicability of GDPR is determined primarily by the "establishment" of the controller or processor, following a few simple criteria:
- If the controller or processor is established within the EU, GDPR applies to processing carried out in the context of that establishment, regardless of whether the processing itself takes place within the EU
- If the controller or processor is not established within the EU, GDPR still applies in the following scenarios:
  - The organization offers goods or services to data subjects who are in the Union, whether or not payment is required
  - The organization monitors the behaviour of data subjects who are in the Union, as far as that behaviour takes place within the Union
  - The organization is established in a place where Member State law applies by virtue of public international law (for example, diplomatic missions and consular posts)
Note that the data subject's citizenship is irrelevant: what matters is that the person is in the Union.
Data protection principles
GDPR is built on several well-known privacy principles that are already established as best practices:
Lawfulness, fairness, and transparency
There must be a lawful basis for collecting and using personal data: every processing operation must rest on one of the legal grounds GDPR provides (listed under the lawful bases below). In addition, processing must be fair, and transparent to the individuals concerned.
Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes made known at the time of collection, and must not be further processed in a manner incompatible with those purposes. Processing for a new, incompatible purpose requires a new lawful basis, for example fresh consent from the individual.
Data minimization
Only data that is adequate, relevant and limited to what is necessary for the stated purpose may be collected and stored. Additional data is not to be obtained "just in case".
Accuracy
All data processed must be accurate and, where necessary, kept up to date. If data is found to be inaccurate, the organization must rectify or erase it without delay.
Storage limitation
Personal data is kept in a form that identifies the individual only for as long as necessary for the original purpose. After that it must be deleted, or retained only after the details that uniquely identify the individual have been removed.
Integrity and confidentiality
Processing organizations must ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. In practice this means access controls so that only authorized people can reach the data, strong authentication and sound password policies, and, where appropriate, encryption and pseudonymization.
Accountability
The controller is responsible for compliance with all of the above principles and must be able to demonstrate that compliance.
Lawful bases for processing
GDPR defines six lawful bases for processing personal data. Every processing activity must be supported by at least one of them:
- Consent of the data subject for one or more specific purposes
- Processing necessary for the performance of a contract with the data subject, or to take steps at the data subject's request before entering into a contract
- Processing necessary to comply with a legal obligation to which the controller is subject
- Processing necessary to protect the vital interests of the data subject or another natural person
- Processing necessary for a task carried out in the public interest or in the exercise of official authority
- Processing necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject
The rights of individuals
GDPR defines a very strong set of rights for individuals. It is important for both individuals and personal data processing organizations to understand these rights:
The right of transparency and modalities
All processing activities based on personal data must be transparent to individuals. It’s the responsibility of processing organizations to make these processing details available for individuals in a clear, concise, and intelligible manner. Additionally, this information must be easily accessible and should use plain language.
The right to be informed
Each individual should be given an adequate level of information regarding the data processing organization, which includes name and contact details of the organization, purpose of data processing, legal basis for the processing, intended period of personal data storage, whether an automated decision making system is in place, other recipients of data including third parties, and rights of individuals (such as right to access their data at anytime, right to withdraw previous consent, right to lodge a complaint, etc.)
The above details need to be provided when collecting personal data from individuals directly or indirectly. Typically, commercial organizations use privacy notices to provide these details.
The right of access
GDPR allows individuals to ask a controller to confirm whether their personal data is being processed and, if so, to obtain a copy of it, by sending a Subject Access Request (SAR). The response covers the personal data itself together with information such as the purposes of processing, the recipients of the data, the envisaged retention period, and the source of the data where it was not collected from the individual.
The controller must respond without undue delay and at the latest within one month of receipt. Where requests are complex or numerous, this period can be extended by a further two months, but the individual must be informed of the extension, and of the reasons for the delay, within the first month.
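A practical point that trips up request tracking is what "one month" means at the end of a month. The Python below is an added worked example (not code from the original article or from WSO2) that computes SAR deadlines including the two-month extension; it assumes the convention that a month-based period ends on the same calendar day of the target month, clamped to that month's last day when the day does not exist (a request received on 31 January is due on 28 or 29 February). Check the convention your supervisory authority applies.

```python
"""Deadline tracking for subject access requests (added example; the
clamp-to-month-end convention is an assumption, not something the article
states)."""
from calendar import monthrange
from datetime import date


def add_months(start: date, months: int) -> date:
    """Advance a date by whole calendar months.

    If the target month is shorter than the start day allows, the result is
    clamped to the month's last day, so 31 Jan + 1 month is 28 Feb (29 in a
    leap year) rather than spilling into March.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, monthrange(year, month)[1])
    return date(year, month, day)


def sar_deadline(received: str, extended: bool = False) -> str:
    """Latest response date (ISO string) for a SAR received on `received`.

    One month by default; three months in total when the controller has
    invoked the two-month extension for complex or numerous requests.
    """
    start = date.fromisoformat(received)
    return add_months(start, 3 if extended else 1).isoformat()


def sar_status(received: str, today: str, extended: bool = False) -> dict:
    """Summarise where a request stands on `today`.

    The extension itself must be announced to the individual within the
    first month, so that notice date is reported separately from the final
    deadline.
    """
    start = date.fromisoformat(received)
    now = date.fromisoformat(today)
    deadline = date.fromisoformat(sar_deadline(received, extended))
    return {
        "received": received,
        "deadline": deadline.isoformat(),
        "extension_notice_due": add_months(start, 1).isoformat(),
        "days_left": (deadline - now).days,
        "overdue": now > deadline,
    }


if __name__ == "__main__":
    # Constructed example: a complex request received at the end of January.
    print(sar_status("2018-01-31", "2018-02-20", extended=True))
```

`sar_status` is the function to wire into a ticketing system: `overdue` flips once the deadline day has passed, and `extension_notice_due` is the date by which the extension, if needed, must have been communicated.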
The right to rectification
An individual has the right to have inaccurate personal data concerning them rectified by the controller without undue delay, and to have incomplete personal data completed.
The right to erasure (right to be forgotten)
An individual has the right to have their personal data erased without undue delay, for example where the data is no longer necessary for the purpose it was collected for, or where the individual withdraws the consent on which the processing was based. Where the controller has made the data public, it must also take reasonable steps to inform other controllers processing that data that the individual has requested the erasure of any links to, or copies or replications of, it.
The right to restrict processing
An individual can ask a controller to restrict the processing of their personal data, for example while the accuracy of the data is being verified or while an objection is being assessed. In such cases the controller may continue to store the data, but may otherwise process it only with the individual's consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest.
The right to notification of rectification, erasure or restriction
When a controller acts on one of the requests listed below, it must communicate that action to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The controller must also tell the individual who those recipients are if the individual asks. This applies to:
- Personal data rectification
- Personal data erasure
- Personal data restriction
The right to data portability
An individual has the right to receive the personal data they have provided to a controller in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. Where technically feasible, the individual can ask for the data to be transmitted directly from one controller to another. The right applies to processing that is based on consent or on a contract and is carried out by automated means.
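The Python below is a worked example added here (it is not code from the original article or from WSO2) showing the two mechanics a controller needs for the portability right above and for the storage limitation principle described earlier: exporting one subject's data as structured JSON, and later sweeping records whose purpose has lapsed by replacing them with a form that no longer identifies anyone. The record layout, the field names, the 365-day retention window and the two sample customers are constructed for illustration.

```python
"""Portability export and storage-limitation sweep (added example; record
layout, field names and the retention period are assumptions, and the
sample records are constructed)."""
import json
from copy import deepcopy
from datetime import date, timedelta

# Constructed sample store: one flat record per customer, keyed by an
# internal id that is never shown to the subject.
CUSTOMERS = {
    "c-1001": {
        "name": "Ada Example",
        "email": "ada@example.org",
        "ip_address": "203.0.113.7",
        "date_of_birth": "1984-03-12",
        "postcode": "SW1A 1AA",
        "orders": [
            {"id": "o-1", "total_eur": 42.5, "placed": "2017-11-02"},
            {"id": "o-2", "total_eur": 13.0, "placed": "2018-01-09"},
        ],
        "consents": {"marketing": False},
        "last_activity": "2018-01-09",
        "internal_notes": "flagged by fraud model v3",  # derived, not subject-provided
    },
    "c-1002": {
        "name": "Bob Sample",
        "email": "bob@example.net",
        "ip_address": "198.51.100.23",
        "date_of_birth": "1990-07-30",
        "postcode": "M1 1AE",
        "orders": [{"id": "o-3", "total_eur": 99.0, "placed": "2019-04-14"}],
        "consents": {"marketing": True},
        "last_activity": "2019-04-14",
        "internal_notes": "",
    },
}

# Fields that identify a person on their own (dropped when anonymizing)
# versus fields the subject provided that belong in a portability export.
DIRECT_IDENTIFIERS = ("name", "email", "ip_address")
PORTABLE_FIELDS = ("name", "email", "date_of_birth", "postcode")


def export_portable(store: dict, subject_id: str) -> dict:
    """Build the data-portability payload for one subject.

    Only data the subject provided or generated by using the service is
    included; derived internal material such as fraud flags is not.
    Serialise with `to_json` to get the structured, commonly used,
    machine-readable format the right calls for.
    """
    record = store[subject_id]
    return {
        "format": "portability-export/1",  # assumed schema label
        "personal_data": {k: record[k] for k in PORTABLE_FIELDS},
        "activity": {"orders": deepcopy(record["orders"])},
        "consents": dict(record["consents"]),
    }


def to_json(payload: dict) -> str:
    return json.dumps(payload, indent=2, sort_keys=True)


def anonymize(record: dict) -> dict:
    """Strip direct identifiers and coarsen quasi-identifiers.

    Birth date becomes birth year, the full postcode becomes its outward
    code, and order ids and exact dates become month buckets, so the
    retained statistics (spend per area and month) no longer point at one
    person. Whether the result is truly anonymous still needs a
    re-identification risk assessment against the other data you hold;
    this shows the mechanics only.
    """
    return {
        "birth_year": record["date_of_birth"][:4],
        "postcode_area": record["postcode"].split()[0],
        "orders": [
            {"total_eur": o["total_eur"], "month": o["placed"][:7]}
            for o in record["orders"]
        ],
        "anonymized": True,
    }


def apply_retention(store: dict, today: str, retention_days: int = 365) -> list:
    """Storage limitation sweep, run on a schedule.

    Records with no activity inside the retention window (assumed 365 days)
    have outlived their purpose and are replaced by their anonymized form.
    Returns the ids that were swept; already-anonymized entries are skipped.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=retention_days)
    swept = []
    for subject_id, record in list(store.items()):
        if record.get("anonymized"):
            continue
        if date.fromisoformat(record["last_activity"]) < cutoff:
            store[subject_id] = anonymize(record)
            swept.append(subject_id)
    return swept


if __name__ == "__main__":
    print(to_json(export_portable(CUSTOMERS, "c-1001")))
    live = deepcopy(CUSTOMERS)
    print("swept:", apply_retention(live, "2019-06-01"))
    print(live["c-1001"])
```

Note the split between `PORTABLE_FIELDS` and everything else in the record: the export deliberately leaves out derived material such as the internal fraud note, and the anonymized form keeps only what the business still needs in aggregate.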
The right to object
An individual can object at any time to processing of their personal data that is based on legitimate interests or on a task in the public interest, including profiling. The controller must then stop processing the affected data unless it can demonstrate compelling legitimate grounds which override the individual's interests, rights and freedoms, or the processing is needed for the establishment, exercise or defence of legal claims. Where personal data is processed for direct marketing, the individual's objection must always be honoured.
Rights in relation to automated decision making and profiling
An individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Examples of such solely automated decisions include automatic refusal of an online credit application, or e-recruiting and performance evaluation carried out without any human intervention.
Children's personal data
GDPR pays special attention to the processing of personal data belonging to children. To summarize:
- Organizations offering services to children must write privacy notices and consent requests in language that the intended audience can understand before agreeing to data processing. Explaining consent and policies with graphics or animation in an understandable manner is encouraged.
- Where an online service is offered directly to a child and the processing relies on consent, the consent of the holder of parental responsibility is required for children below 16 years of age (Member States may lower this threshold, but not below 13). Organizations must make reasonable efforts to verify that such consent has been given, for example through age verification and parental approval mechanisms.
Data Protection Officer (DPO)
GDPR introduces a special role called the Data Protection Officer (DPO) to advise the organization on its data protection obligations, monitor compliance, and act as the point of contact for individuals and supervisory authorities. The DPO can be a staff member or an external contractor and must possess the professional qualifications and expert knowledge of data protection law and practice needed to perform the tasks of the role.
According to GDPR, the appointment of a DPO is required in the following cases:
- Processing is carried out by a public authority or body (except courts acting in their judicial capacity)
- The organization's core activities consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of individuals on a large scale
- The organization's core activities consist of large-scale processing of special categories of data, or of data relating to criminal convictions and offences
- Any other case in which EU or Member State law requires a DPO
Data Protection Impact Analysis (DPIA)
GDPR requires the controller to carry out a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals, in particular when using new technologies. Where a DPO has been designated, the controller must seek the DPO's advice when carrying out the DPIA.
A DPIA is required in particular in the following cases:
- A systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects for the individual are based
- Large-scale processing of special categories of data, or of data relating to criminal convictions and offences
- Large-scale systematic monitoring of a publicly accessible area
- Any other processing operation on the list of high-risk operations that the supervisory authority publishes
Data breach procedure for processing organizations
One of the important aspects of GDPR is the procedure organizations must follow in the event of a personal data breach. To summarize: the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must describe the nature of the breach (including, where possible, the categories and approximate number of individuals and records concerned), its likely consequences, and the measures taken or proposed to address it and mitigate its effects; if the notification is made later than 72 hours, it must give the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals without undue delay. A processor that becomes aware of a breach must notify the controller without undue delay, and the controller must document every breach, whether or not it was notified.