In this 3-part series, we are going to talk about GDPR, who should really care about it, what are the key principles in GDPR, data subject rights, controller & processor responsibilities towards complying towards GDPR. In the final part of this series, we will get into things (best practices) an IT team needs to follow to comply with GDPR.
Let’s jump in to first part of this series & see what is GDPR, why it’s important, key principles & the rights of the data subject.
What is GDPR?
The General Data Protection Regulation is a European Union Regulation
At its core, GDPR is a new set of rules designed to give EU citizens more control over data that belongs to them. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
It is to protect people’s fundamental rights about their data.
It ensures a free market in the EU for goods and services.
In the last 20 years, the way we live has totally changed. We are quite connected to any form or technology right now and to a large extent our lives are dependent on technology. So it becomes very essential that we have some strict regulations to protect the data of the people.
Who should care about GDPR?
GDPR is going to change the way we design, develop & maintain our system.
GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU.
What sort of things does it say?
- Data Use is fair and expected
- Just have data that is necessary
- All data must be accurate
- Delete when finished
- Keep data secure
- Be accountable
Why should I comply with GDPR?
- Administrative fees – 20 million euros or 4% global turnover
- Liability risk
Key Data Protection Terms
The protection of natural persons in relation to the processing of personal data is a fundamental right.
Everyone has the right to the protection of personal data concerning him or her. It is important to note here that it is not “the right to the protection of personal data of natural person”. In that case, someone could walk to a loan disbursement company after taking loan amount & say: “Okay now don’t store anything related to me or delete all the data related to me”.
But that’s not how it should be right…
So, GDPR says: Everyone has the right to the protection of personal data concerning him or her. Therefore, if a data controller has a legitimate reason to have your personal data, then they can well keep it.
Natural person in GDPR means
- A living human
- Not a zombie, or a dead person or an organization
What does processing mean
Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Which basically means doing ANYTHING with data.
So, we can change the statement 1 we made here into:
This regulation lays down rules relating to protection of LIVING HUMANS with regard to doing anything with PERSONAL DATA.
What is personal data?
Any information relating to an identified or identifiable living humans.
This is not same as Personally Identifiable Information(PII) which only talks about few things like SSN or tax reference number.
Personal Data in GDPR includes any & all sort of information (which is not necessarily the direct things like SSN etc) but can be used to get the name of a person.
GDPR has rules that apply when you do anything with data about living humans.
Three Key terms in GDPR:-
The living human that data is about or relates to
An entity that determines the purposes & means of the processing of personal data.
The definition of Controller from GDPR article is bit longer: A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”
An entity that processes personal data on behalf of controller.
A processor is “person, public authority, agency or other body which processes personal data on behalf of the controller”.
Controllers decide to process (do anything with) the personal data of data subjects (living humans)
Both data controllers & data processors process (do anything with) personal data
Key Principles in GDPR
Below are few key principles in GDPR, that we (people from the IT/Software field) should be aware of
Principle no. 1: Data use should be transparent, fair & lawful
Transparency: Controllers should tell people what they are going to do with their data & why.
Fair: Properly balancing the fundamental rights & freedom of the person whose data it is, with the rights of the entity processing the data.
Lawful: Processed for one of six specified reasons:
- Legal obligation
- Vital interests
- Public interest/official authority
- Legitimate interests
Principle no. 2: Purpose Limitation
Thecontroller should only use data for the purpose they obtained it for, and not for other purposes.
Principle no. 3: Data minimization
Adequate, relevant & limited to what is necessary in relation to the purposes for which they are processed. Get the data that is needed, nothing more.
Principle no. 4: Accuracy
Data should be always kept accurate & up-to-date
Principle no. 5: Storage limitation
This principle is about how long controllers keeps the data.
GDPR says controller should keep data for no longer than is necessary. Which means once they are done with the data of a customer & if a customer chooses to leave their business, then data concerning the customer should be deleted.
A retention policy for all the data should be clear & distinct.
Data should be deleted mandatorily beyond its retention period (whenever you are done with processing the data of that customer)
Principle no. 6: Integrity & confidentiality
Data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing & against accidental losses, destruction or damage using appropriate technical or organizational measure.
To comply with these, we can do any or all these points:-
Pseudonymise the data (controllers should not give data as-is when they are sharing it with any of their employees, stakeholders or users). Always encrypt them or pseudonymise them so that only they can make sense of it but if it goes to wrong hands, they can’t.
Save spreadsheets or PDFs as password protected files.
DATA SUBJECT RIGHTS
These are the rights that people have over the data concerning them.
Let’s look at the rights that the data subjects have as part of GDPR
1) Right to know how data will be processed
The data controller is bound to provide following information to the data subject as part of this right (article 13, 14):
- Who is the data controller? What’s the name of the organization?
- Contact details of the person responsible (DPO)
- Purpose & legal basis
- What are the legitimate interests?
- Other recipients
- International transfers
The data controller also need to provide following information:
- Retention period
- Statement of rights
- Special rights if content used
- Notification of the right to complain
- Whether obligated to provide data
- Use of automated decision-making/profiling
This information needs to be provided when you get the data from data subject. Also, this information needs to be given within 30 days of the data subject request & also it should be free of charge.
2) Tell me what you have got (article 15)
Data subject can ask for the data/information about them to the data controller
DSAR (Data Subject Access Rights)
- Is the data being processed?
- If so, a copy of all the data
- All the information you would give on collection
- Where you got the data from?
- Without affecting someone else’s privacy
3) Data subject can direct data controller to correct data about them (if inaccurate) (article 16)
Right of Rectification: Inaccurate data should be corrected at the request of data subject.
4) In specific cases, data subject can ask controller to erase or delete their data (article 17)
Right to Erasure:
- Also known as the “Right to be forgotten”
- Qualified right – not all data can be forgotten. Only data that, as a data controller, we don’t need, should be allowed to be deleted.
For instance, under below circumstances, the data should surely be deleted
- If the data controller doesn’t have any legitimate grounds to hold the data
- If the data subject withdraws the consent (which was given by him/her earlier)
- It is not lawful to hold some data of a data subject
5) Data subject can direct controller to stop doing something with their data
Right to Restrict Processing
This right gives the data subject an option to direct the controller to say: I would like you to stop everything with this data apart from storage as it might be legal obligation.
Typically, this scenario can occur if, let’s say, the data of a data subject is inaccurate. So, the data subject can tell the controller: I would like you to correct that data. Until then, please stop doing anything with my data.
This most of the times will occur during secondary processing.
6) Data subject can ask the controller to give them back the data that they had given them, in an electronic format.
Right to Data Portability
This right enables the data subject to ask for a copy of their data in an electronic format.
Or the data subject can also inform controller to have copy of their data transmitted directly to another controller.
The below 2 data subject rights are restrictive rights.
7) Data subject can object to processing (Article 21)
8) Automated decision-making & profiling (Article 22)
Right not to be subjected to automated processing & profiling which might produce legal or similar effects
Before we conclude part 1 of this series, let’s talk about the consequences that a controller might have to face if they do not comply with GDPR.
In every EU country, there will be a supervisory authority.
If a data controller doesn’t acknowledge or respond to the rights of data subject effectively, then the supervisory authority can put a hefty fine on them. And this fine can be quite large. Administrative penalties 4% of global turnover or 20 million euros.
Data subjects have the right to enforce rights in court & complain to supervisory authority. Data subjects have right to claim damages because a right wasn’t acknowledged.
In the next part of this blog series, we will discuss more about data controllers & processors responsibilities, key roles in GPDR.
Credits/References: To come up with this blog series, I have gone through pluralsight course:
But if you do not have time to read through lot of articles or to watch videos more than an hour, then sip a cup of tea/coffee & keep reading this blog series 🙂
Want to learn more about GDPR right away? Sign up for our training course: Introduction to GDPR