Pp4P Tip 3: Demystifying GDPR
Roobi Alam BComm, CISA, CIPPE, CIPM, CDPSE, CIPPC, FIP
Partner, Privacy & Data Trust
GDPR applies to any organization that processes EU residents' personal information. Processing includes collection, recording, organizing, structuring, storing, etc. Personal information is any data element that can be tied back to an individual; this includes name, email, address, SIN, etc. (Chapter 1: Articles 1-4)
In order to process the data, you need to establish an appropriate lawful basis, which can include consent, contract, legitimate interest, etc. When relying on legitimate interest, there needs to be documented evidence of the mutual benefit to the data subject and the organization. Additional considerations apply when processing special categories of information (e.g. health, sexual orientation) or processing personal information about a child (between the ages of 13 and 16). When relying on consent, you need to ensure the consent is freely given, for a specific purpose, and that there is an option to opt out at any time. Once the lawful basis is established, the data should only be processed for as long as it is required for the original purpose for which it was collected. (Chapter 2: Articles 5-11)
Under GDPR, data subjects have 8 rights (access, rectification, data portability, erasure, right to be forgotten, restriction of processing, objection to processing and right to notice). Which rights apply depends on the lawful basis used for processing. For example, with consent, data subjects can exercise all 8 rights. (Chapter 3: Articles 12-23)
GDPR sets out requirements for both the Data Controller and the Data Processor. The Data Controller is the organization that determines the purposes of the processing. The Data Processor is the organization performing the processing on behalf of the Data Controller. The Data Controller's responsibilities include: implementing appropriate technical and organizational measures, including building data protection into the development of business processes and new systems (PbD); reviewing data processing activities (ROPAs) and demonstrating that processing is performed in accordance with the regulation; entering into a Data Processing Agreement (DPA) with all Data Processors; performing Data Privacy Impact Assessments (DPIAs) on high-risk processing; implementing a process to report data breaches in a timely manner; appointing a Data Protection Officer (DPO); and maintaining documentation to demonstrate compliance. The Data Processor's responsibilities include: entering into a DPA with the Data Controller and only processing the data as stated in the DPA, including the use of sub-processors; providing sufficient guarantees that appropriate technical and organizational measures have been implemented, including PbD; notifying the Data Controller of a data breach without undue delay; appointing a Data Protection Officer (DPO); and maintaining documentation to demonstrate compliance. (Chapter 4: Articles 24-43)
GDPR permits personal data transfers to a third country or international organization subject to compliance with set conditions, including conditions for onward transfer. Transfers outside the EU are allowed under certain circumstances, including the use of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) and an approved "European Data Protection Seal" (Adequacy Status). (Chapter 5: Articles 44-50)
Under GDPR, each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of the Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (the 'supervisory authority'). The Data Controller and Data Processor have a responsibility to cooperate with the Supervisory Authorities (SAs), including supporting information requests or investigation requests. (Chapters 6/7: Articles 51-76)
Every data subject has the right to lodge a complaint with an SA. The SA shall inform the complainant of the progress and outcome of the complaint, including the possibility of fines. Fines for a breach of the GDPR are substantial: SAs can impose fines of up to 4% of total annual worldwide turnover or €20,000,000, whichever is greater. Fines are lower if the breach was caused by control failure vs. negligence. (Chapter 8: Articles 77-84)
GDPR provides further guidance around processing related to freedom of expression and information (e.g. journalism), public interest, national identification numbers, religious associations and even employment. The additional rules around processing employees' personal data include specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights. (Chapter 9: Articles 85-91)
Finally, Chapters 10/11 (Articles 92-99) cover delegated acts, implementing acts, and the final provisions.
If I had to summarize the 99 articles in 3 simple steps, it would be: collect as little data as required, keep it for as short a time as possible, and protect it as well as possible for the period you hold it.
4 years ago: That's so well written! Congratulations