Gdprfaq

Frequently asked questions on GDPR

What is the GDPR?
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) was adopted by the European Parliament and the Council on 27 April 2016 and has applied since 25 May 2018. It replaces the previous EU data protection legislation, the Data Protection Directive of 1995 (Directive 95/46/EC). One of the major differences between the GDPR and the previous law is that the GDPR is a regulation rather than a directive. This means that it automatically became law in each of the countries that make up the European Union without each of those countries needing to create their own, individual laws. This is in contrast with the previous directive where, in each of the member states, a separate Data Protection Act had to be passed by the relevant state legislature to enact it.

While the emphasis is often on the rights of the data subject when discussing the GDPR, it’s important to remember that the EC is also trying to make it easier for organisations to share personal data and “oil the wheels” of business within the EU, so it’s not as one-sided as often thought. However, there are several important things to realise about the GDPR before we get into the detail.

It concerns the personal data of people in the EU, whatever their nationality, and it follows the data rather than the organisation. If your organisation is not based in the European Union but offers goods or services to people in the EU (customers, suppliers or other parties) or monitors their behaviour, the GDPR applies to that processing (Article 3).
Leading on from this, if your organisation doesn't look after that data in the way the GDPR requires, it may be subject to the penalties that the regulation allows. These penalties are a step change from the previous legislation and, in serious cases, they are designed to hurt.
If you do experience a breach of personal data, you have no choice but to tell the relevant supervisory authority about it. There are some caveats on that which we will come to later, but keeping a serious data breach to yourself is no longer an option.
At its core, the GDPR is about forcing organisations to take the protection of personal data seriously.

The documentation
The GDPR document is 88 pages long and consists of two main parts:

Recitals – 173 numbered paragraphs that lay out the principles and intentions of the Regulation; if you like, the background.

Articles – the 99 sections that set out the detail of the Regulation – this is the part that must be complied with. Note, however, that a significant part of the GDPR is concerned with the internal workings of the various EU bodies and so the number of articles that an organisation needing to comply with the GDPR must worry about is much less than that 99 figure.

The 7 principles of the GDPR
The GDPR establishes a number of principles that underpin the legislation and are outlined using the following terms (with our quick summary given after each):

Lawfulness, fairness and transparency – keep it legal and fair; say what you’re going to do with the data in clear terms.
Purpose limitation – don’t do more with the data than you said you would.
Data minimisation – don’t collect more data than you need.
Accuracy – keep it up to date and deal with inaccuracies as soon as possible.
Storage limitation – don’t keep the data for longer than necessary.
Integrity and confidentiality – keep the data safe while you have it.
Accountability – be able to show that you’re complying with the principles above.
If you keep these principles in mind at all times, you’re unlikely to fall foul of the GDPR.

Keeping it lawful
For the processing of personal data to be lawful, it must meet at least one of a number of criteria, and an important first step in considering your processing activities is to clearly establish which of the criteria applies in any given situation.

In essence, the criteria to choose from with regard to the lawfulness of the processing are as follows:

The data subject has consented to it.
It’s needed to perform a contract between your organisation and the data subject, or to see whether a contract can happen.
You legally have to do it.
You’re protecting the vital interests of the data subject.
It’s necessary for a task carried out in the public interest or in the exercise of official authority vested in you.
It’s necessary for your (or a third party’s) legitimate interests, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
So, while consent is an important aspect of the GDPR, it’s not the only way in which collecting and processing personal data can be lawful. In fact, you may find that a significant proportion of the personal data your organisation holds and processes doesn’t require consent; instead it is required for lawful purposes such as providing support to customers (contractual), paying employees (contractual/legal) or dealing with the tax authority (legal). The process of obtaining and maintaining consent may involve changes to business processes and systems so it is a good idea to make sure there is no other lawful basis on which processing can take place first.

In many cases legitimate interests will be the most practical lawful basis; if you go down this route you will need to carry out and document a legitimate interests assessment showing that you have identified the interest, shown that the processing is necessary for it and weighed it against the impact on the data subject. Note that public authorities cannot rely on legitimate interests for processing carried out in the performance of their tasks.

What about consent?
If you believe that your processing is lawful because you have the data subject’s consent, then you must be able to prove it (Article 7, paragraph 1), which in practice means keeping a record of who consented, when, to what wording and how. You can’t hide the consent wording in amongst other contractual text and expect it to count either. The request for consent must be “clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language” (Article 7, paragraph 2), otherwise the consent is not binding and your processing could be judged to be unlawful.

Once given, consent can be withdrawn at any time by the data subject, and withdrawing it must be as easy as giving it was in the first place. Where consent is the basis for offering online services directly to a child, the child must be at least sixteen years of age to give it themselves (member states may set a lower age, but not below thirteen); otherwise consent must be given or authorised by the holder of parental responsibility (Article 8).

The rights of the data subject
The GDPR establishes a set of rights that the data subject can exercise and which the controller holding their personal data must react and respond to, generally within a month.

The right to be informed – being told what data will be collected, why, by whom, for what purpose and where the data will go.
The right of access – being able to see personal data that is being held about the data subject.
The right to rectification – getting the data corrected if it is wrong or inaccurate.
The right to erasure – having personal data removed when it is no longer necessary.
The right to restrict processing – pausing the processing of the data if there are grounds to do so.
The right to data portability – obtaining the data in a structured, commonly used and machine-readable form and moving it to another controller.
The right to object – stopping the data from being processed; for direct marketing this right is absolute, otherwise you may continue only if you can show compelling legitimate grounds that override the data subject’s interests.
Automated decision making and profiling – having a human involved in important decisions.
These rights follow on from the principles outlined earlier and are aimed at ensuring that personal data is processed fairly and transparently, and that the data subject can do something about it if this doesn’t happen.

The data subject must be informed of their rights, along with a variety of other information about what their information will be used for and why, when the personal data is collected (or within a month if the data comes from another source). This increased granularity of information means that a layered approach to privacy notices, with the relevant information being displayed “just in time” when the personal data is collected, may be preferable to the more traditional single privacy policy seen on many websites.

Do we need a data protection officer?
Depending on your organisation and what it does with personal data, you may or may not need a data protection officer. You will have to designate one if:

You’re a public authority or body.
Your core activities require regular and systematic monitoring of data subjects on a large scale.
Your core activities involve large-scale processing of special category data (Article 9) or data about criminal convictions and offences (Article 10).
Data protection officers may be part-time, may be shared across organisations and may be external resources or services. They must remain independent and their contact details must be freely available, especially to data subjects. The data protection officer is the main contact with the supervisory authority and is likely to get involved when key issues of data privacy and protection are addressed within the organisation, such as during data protection impact assessments. The data protection officer will need to know a reasonable amount about data protection law in order to fulfil the role (but there’s no “official” qualification that is required).

Contracts between controller and processor
The GDPR is very specific that it wants to see a contract (or other legally binding act) in place between data controllers and processors that protects personal data, and Article 28 defines the areas that this must cover. Basically, this involves detailing the subject matter, purpose and duration of the processing, the personal data categories involved and the data subjects it affects. The processor also has to contractually commit to a set of minimum terms: process only on the controller’s documented instructions, bind its staff to confidentiality, apply appropriate security measures (Article 32), engage sub-processors only with the controller’s authorisation and on the same terms, help the controller respond to data subject requests and breaches, delete or return the data at the end of the service, and make the information needed to demonstrate compliance available for audit. Existing contracts will need to be changed to include these terms.

What we’re seeing from the big players such as Google, Amazon Web Services and Microsoft is that they will make a pre-signed Data Processing Addendum to their current terms and conditions available to their customers, which in principle may save everyone a lot of time.

International transfers
Sending personal data outside the European Union (in practice, outside the EEA) raises questions over how well the data will be protected, and the GDPR places restrictions on how this may be done. To be helpful, the European Commission regularly decides which countries it trusts to look after EU personal data and publishes a list of those deemed to be acceptable (each listing is called an “adequacy decision”). Currently, it’s a short list, so you may need to look at the other ways to meet the GDPR if you need to make international transfers.

Other ways to get approval are:

A legally binding agreement (public bodies only).
Binding corporate rules.
Using the standard data protection clauses (standard contractual clauses) adopted by the Commission in your contract.
Signing up to an approved code of conduct or certification scheme.
If you’re going to use binding corporate rules, be aware that they have to be approved by the relevant supervisory authority and that can take a while. There are a few get-outs (or “derogations”, as the GDPR calls them) for occasional, small-scale transfers, such as the data subject’s explicit consent to the transfer after being told of the risks, so it may be worth checking the list in Article 49 if time is not on your side.

Remedies, liabilities and penalties
And so we come to the teeth of the regulation; the fines that can be levied for non-compliance with the GDPR are certainly larger than those for the directive it replaces. The actual amounts demanded will depend upon a wide variety of factors, including the personal data involved, how hard the culprit organisation tried to protect the data, how much they co-operated with the investigation and, most importantly, the specific article(s) of the GDPR they are judged to have contravened.

Fines can be up to 10 million euros or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the lower tier of infringements (the controller and processor obligations such as records of processing, security, breach notification and data protection impact assessments), and up to 20 million euros or 4% of turnover, whichever is higher, for the more serious tier (the basic principles, lawful basis and consent, data subjects’ rights and international transfers) (Article 83).

Data subjects can lodge a complaint with the relevant supervisory authority directly themselves or may use the services of a not-for-profit body active in the field of data protection.

Glossary: A few definitions
The regulation provides a definition of 26 of the relevant terms, including the following (GDPR Article 4 – Definitions):

(1) ‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘Processing’ means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(7) ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(11) ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Who does it affect?
Although it’s an EU law, it applies to any organisation, inside or outside the EU, that processes the personal data of people in the EU in the circumstances set out in Article 3: having an establishment in the EU, offering goods or services to people in the EU, or monitoring their behaviour. So if you thought you don’t need to know about it because you’re outside the EU, that is not (necessarily) so. It places responsibilities on both controllers (who decide why and how the data is processed) and processors (who process the data on the controller’s behalf).

What sort of data does it cover?
It’s all about “personal data” which is basically data about living people from which they can be identified. Anything from name and address through to religion or marital status. If the individual can’t be identified, either directly or indirectly, then it doesn’t apply so one of the things to consider is whether the data you hold need to be as specific as they are currently.

What are the main changes from the previous legislation?
The GDPR holds the same basic principles as the 1995 Directive but goes further in some areas. The rules for obtaining consent to collect and hold personal data are stricter, you may need to appoint a Data Protection Officer, you’re expected to consider privacy from the very start of new projects, most data breaches must now be notified (and the fines have gone up) and you will need to be more careful about the countries you transfer the personal data you hold to.

What rights does a data subject have?
Quite a few, eight in fact. These are:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
Some of these will involve you reacting to a request from a data subject within a specified period of time (in many cases one month) so you’ll need to be ready.

Do we have to tell someone if we have a breach?
In the main, yes. You must notify the supervisory authority in your country without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33); if you notify late you must explain the delay. If the breach is likely to result in a high risk to individuals, you must also tell the affected data subjects without undue delay (Article 34). If you are a processor, you must tell the controller without undue delay. The 72-hour clock starts when you become aware of the breach, so detection, escalation and a decision-maker for the “is this reportable?” call need to be in place before the incident, not after it.

What are the penalties for not complying with the GDPR?
There is a range of fines increasing up to 4% of annual worldwide turnover or 20 million Euros (whichever is the higher). This is a lot more than previously and the actual amount will depend on the seriousness of the infringement.

What is Privacy by Design?
The GDPR calls this “data protection by design and by default” (Article 25). When creating new systems or making big changes to existing ones, you will be expected to “design in” privacy controls from the very start, and to default to the most privacy-protective settings. This will involve thinking about what data you need to hold (i.e. don’t hold more than you really need), how long you keep it, and how you need to hold it (i.e. do individuals need to be identifiable, or could the data be pseudonymised or aggregated). You’ll also need to conduct a data protection impact assessment where the processing is likely to result in a high risk to individuals.
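To make “identified indirectly” and “do individuals need to be identifiable” concrete, here is an added example that is not part of the original page. It takes a handful of constructed customer records (hypothetical people, postcodes and dates), counts how many records share each combination of quasi-identifiers (postcode, date of birth, sex), and coarsens those fields level by level until no combination singles out fewer than k people. The record layout, the field names, the coarsening levels and the choice of k are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records for illustration only: hypothetical people,
# postcodes and dates, not real data. "name" is a direct identifier; the
# quasi-identifiers are fields that are harmless alone but can single a
# person out in combination.
RECORDS = [
    {"name": "Alice Example", "postcode": "SW1A 1AA", "dob": "1984-03-02", "sex": "F", "plan": "gold"},
    {"name": "Bob Example",   "postcode": "SW1A 2BB", "dob": "1984-11-17", "sex": "M", "plan": "silver"},
    {"name": "Carol Example", "postcode": "SW1A 1AB", "dob": "1985-06-30", "sex": "F", "plan": "gold"},
    {"name": "Dan Example",   "postcode": "SW1A 2BC", "dob": "1984-01-09", "sex": "M", "plan": "bronze"},
    {"name": "Eve Example",   "postcode": "SW1A 1AC", "dob": "1985-09-21", "sex": "F", "plan": "silver"},
    {"name": "Frank Example", "postcode": "SW1A 2BD", "dob": "1984-07-04", "sex": "M", "plan": "gold"},
    {"name": "Grace Example", "postcode": "SW1A 3AA", "dob": "1981-12-12", "sex": "F", "plan": "bronze"},
]

# Assumed set of quasi-identifiers for this layout.
QUASI_IDENTIFIERS = ("postcode", "dob", "sex")


def smallest_group(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest set of records sharing the same values for `keys`.

    This is the k in k-anonymity. A result of 1 means at least one record is
    uniquely picked out by those fields alone, i.e. the person is still
    indirectly identifiable even though the name has been removed.
    """
    groups = Counter(tuple(r[k] for k in keys) for r in records)
    return min(groups.values())


def coarsen(record, level):
    """Return a copy of `record` with the direct identifier dropped and the
    quasi-identifiers generalised. Higher levels keep less detail:
      0: full postcode and full date of birth
      1: outward postcode (e.g. "SW1A") and year of birth
      2: outward postcode and decade of birth
    """
    postcode = record["postcode"]
    dob = record["dob"]
    if level >= 1:
        postcode = postcode.split()[0]
        dob = dob[:4]
    if level >= 2:
        dob = dob[:3] + "0s"
    return {"postcode": postcode, "dob": dob, "sex": record["sex"], "plan": record["plan"]}


def minimise(records, k_required=3, keys=QUASI_IDENTIFIERS):
    """Coarsen the records level by level until every combination of the
    quasi-identifiers covers at least `k_required` people.

    Returns (level, k, minimised_records). Raises if even the coarsest level
    still singles people out, so the caller has to decide to drop a field
    entirely rather than silently keeping identifying data.
    """
    for level in range(3):
        rows = [coarsen(r, level) for r in records]
        k = smallest_group(rows, keys)
        if k >= k_required:
            return level, k, rows
    raise ValueError("records remain identifiable at the coarsest level; drop a field")


if __name__ == "__main__":
    print("raw quasi-identifiers: k =", smallest_group(RECORDS))
    level, k, rows = minimise(RECORDS)
    print(f"coarsened to level {level}: k = {k}")
    for row in rows:
        print(row)
```

On the sample data the raw fields give k = 1 (every full postcode is unique), year of birth still leaves two people uniquely identifiable, and only decade of birth reaches k = 3. A k of 1 means a single record is picked out by fields that are individually harmless, so the dataset is still personal data even with the name column gone. Raising k by generalising is a minimum bar rather than proof of anonymity (an attacker with background knowledge can still re-identify people), but it makes the trade-off between detail and identifiability measurable before a system is built, which is what designing privacy in from the start asks for.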

What is a Privacy Impact Assessment?
The GDPR calls this a data protection impact assessment (DPIA, Article 35) and requires one where processing is likely to result in a high risk to individuals, for example systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special category data, or large-scale systematic monitoring of a publicly accessible area. In many respects a DPIA shares much common ground with the risk assessment and treatment process required by the ISO/IEC 27001 standard. It involves describing the processing, assessing its necessity and the risks to individuals of holding and processing their data, and identifying ways to address those risks using controls. If the residual risk remains high, you must consult the supervisory authority before starting the processing (Article 36).

What should we be doing now?
The GDPR has applied since 25 May 2018, so if your organisation is not yet compliant the first step is to understand what the GDPR means for your organisation and then to create a plan to work towards compliance. This will almost certainly involve reviewing the personal data you hold and how it is collected (e.g. the lawful basis and any consent issues), getting procedures in place to handle the types of requests you may receive (e.g. access, rectification and erasure requests) and checking that any data transfers you make to other countries are allowable under the rules. Will you need a Data Protection Officer?

Contact: vijay 0-9440089341

Email: info@spectramindsolutions.com

Other websites:
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/index_en.htm

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License