The EU General Data Protection Regulation (GDPR) enforcement date, May 25, 2018, is now less than a year away. With this in mind, companies are scrambling to decode 260 pages of regulation to ensure that they will comply with GDPR within the next year (read Part 1 of our series here). The GDPR starts with 160 pages of background information to explain its intent. From there, it delineates a series of ninety-nine articles that regulate the handling of personal data. Fully understanding the main tenets of the regulation will make GDPR compliance easier in the long run.
Cross referencing the preamble’s background information with the formal articles, the GDPR contains four main ideas. Determining the overlap and intention of these core articles with regard to personal data processing can help you streamline your organization’s approach to GDPR compliance.
Below is a guide that organizes the GDPR by ideas, rather than articles. The guide distills a thorough reading of the regulation into four subcategories and includes references to both the preamble paragraphs and the associated articles. For simplicity, preamble paragraphs are listed by “(#)”, while articles are referred to as “(Article # Section #)”.
GDPR Compliance: Organizing the Overlaps
Consent is one of the prime directives of the GDPR; the regulation dedicates Article 7 to the issue and mentions it in Articles 12, 13, and 14.
At the very beginning of the data collection process, you need to tell people what information is being collected, why, and who else might be getting access to it. (61, Article 13 Section 1(a)–Section 1(f)) Moreover, if you plan to process the information further beyond the initial use, you need to provide all of the same notifications again. (Article 13 Section 3) If you think that the data subjects already know that their data is required—either by your organization or by law—you don’t need to tell them. In addition, if the data is collected for archival, you may not need to inform the subjects depending on the number of people involved, the age of the data, and pre-existing safeguards. (Article 13 Section 4)
The GDPR customer consent requirement may be fulfilled through a tick box, a choice of a technical setting, or some other affirmative statement. Silence, pre-ticked boxes, or inactivity are not considered consent. Moreover, controllers and processors need to be sure that people understand all the ways their data will be used. (32, Article 7 Section 1)
The GDPR emphasizes that power imbalances between the data subject and the controller invalidate consent, particularly when the controller is a public authority. If there is no opportunity for the data subject to control the types of personal data processed, or if the information is required as part of a contract, the collection may not be considered free consent. (43, Article 7 Section 4)
One of the main goals of GDPR compliance is to ensure that fair and transparent consent is obtained prior to the collection of personal data. Companies need to ensure that people can understand what they’re reading by avoiding overly technical language and using icons to clarify the message. If children are involved, be doubly cautious. (58, Article 7 Section 2, Article 12 Section 1) In addition, controllers and processors need to make sure data subjects are adequately educated on how and why the information is being collected, including whether the information is required and consequences if the information is not provided. Again, using standardized icons can make this visible, clear, and meaningful. This information should be machine readable as well. (60, Article 12 Section 7, Article 13 Section 2, Article 14 lays out a notice for situations in which no personal data is being collected)
Data Subject Rights
People should be able to access collected personal data at reasonable intervals and be able to check the legality of the processing. This includes health data, so medical records and diagnoses, exam results, and treatments must be available. If the controller has a lot of information, the subject can be asked to specify the information they want. (63, Article 15 Section 1) People should be able to obtain information about why their information was processed, the time period involved, and the people who received the processed information. Also, this should all be available remotely for easy access. Although considerations of intellectual property are important, they don’t outweigh the data subject’s right to their information.
It should be possible for people to get their information removed, for free, if they ask verbally or electronically. Any requests should be answered quickly, within a month, and you must give a good reason if you don’t plan to comply. (59, Article 7 Section 3, Article 12 Section 3, Article 12 Section 4, Article 12 Section 5) People can ask to have their information fixed, erased, and/or withdraw their consent. This is especially important if the original consent was given by a child, and even more so if done on the internet. Of course, this doesn’t apply in cases that don’t require consent. (65, Article 12 Section 3, Article 15, Article 17 Section 1)
Controllers should verify the identity of the person asking for the information. (64, Article 12 Section 6) In addition, controllers are required to inform all processors in their information stream if someone asks to have data erased or fixed. (66, Article 17 Section 2)
Restrictions should be indicated clearly in the system. Data restricting can mean moving the information, removing availability to the user, or removing data from a website. (67, Article 18)
When people have provided the information through automated means, they should be allowed to receive personal data in a structured, commonly used, machine-readable, and interoperable format so they can give it to other controllers. Data controllers are encouraged to develop these interoperable formats, though the data subject’s right to access their information does not mean controllers need to adopt or maintain processing systems that are technically compatible. Basically, the goal is for people to be able to move their information from one controller to another easily and without limiting any other rights under this law. (68, Article 20)
This discussion about information portability does not apply to controllers using information for public duties. (68) However, in the event of public duty, the organization must explain how the legitimate interest overrides the person’s rights. (69)
Profiling is expressly disallowed. (72, Article 22) In this vein, an organization cannot use collected information to make an automated decision about a person. GDPR compliance requires a live person to oversee reasons for denials of services. Mathematical or statistical procedures should meet appropriate standards to avoid discrimination. (71, Article 21)
Chapter IV talks about “audit” without stating the term explicitly. GDPR compliance requires that businesses show effective implementation. (74, Article 25 Section 1, Article 32 Section 1)
To show compliance, the GDPR requires that companies evaluate risks, including discrimination, identity theft/fraud, financial loss, reputational risk, loss of data confidentiality protected by professional secrecy, unauthorized reversal of pseudonymisation, and anything that can cause economic/social disadvantage. Moreover, the regulation notes that data to consider are racial/ethnic origin, political opinions, religion/philosophical beliefs, trade-union membership, genetic data (health/sex life), and criminal convictions/offenses/security measures. Also think about whether the data involves personal aspects that analyze/predict work performance, economic situation, health, personal preferences/interests, reliability/behavior, or location/movements. (75, Article 9 Section 1)
The GDPR defines risks by nature, scope, context, and purposes of processing. (76, Article 35 Section 1) A controller’s or processor’s evaluations of risks should include measures, such as encryption, to mitigate risk. Organizations need to ensure security and confidentiality, taking into account “state of the art” and implementation costs related to risk. This means thinking about risks from accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of or access to personal data that can cause physical, material, or non-material damage. (83, Article 25 Section 1, Article 32 Section 2)
Controllers specifically need to engage in data protection impact assessments to determine the origin, nature, particularity, and severity of risk. This assessment defines the measures taken to protect the information. If a high risk cannot be mitigated in a cost-effective manner, consult the supervisory authority before processing. (84, 94, Article 25 Section 2, Article 32 Section 1, Article 35)
When a new technology or novel kind of processing operation is involved, a data protection impact assessment is necessary. (90)
Governmental organizations, too, must conduct impact assessments because of the number of people whose data is being processed. Individual doctors who are part of a larger healthcare system do not fall under this heading. (91)
GDPR compliance requires policies/protocols such as minimizing personal data processing, pseudonymising data as fast as possible, reviewing how and where the data is processed, and establishing plans for creating and improving (implied monitoring) security. Developers need to provide documentation of how their product fulfills the data protection obligations. (78)
Records need to be retained to prove compliance. (82, Article 25 Section 3)
Notice of Breach
Once the controller is aware of a breach, the company needs to notify the supervisory authority within 72 hours unless it can demonstrate that the breach is unlikely to result in a risk. If the organization is unable to notify within 72 hours, it needs to have an explanation for the delay. (85, Article 33 Section 1) Processors are required to notify controllers as soon as possible. (Article 33 Section 2)
Communication needs to be made to the data subject without “undue delay.” In clear and plain language, the controller must provide the name and contact details of the data protection officer, the likely consequences of the breach, and the measures taken or proposed to address the breach. (Article 34 Section 2)
There may be cases when it is not necessary to comply with GDPR notice and consent. Most governmental purposes of information collection are exempt. These cases generally involve special categories of information: employment law, prevention of disease and health threats, management of health care services to ensure quality and cost-effectiveness for claims settling, archiving for public interest, scientific or historical research or statistical purposes, and court information. (52, Article 9 Section 2(b), 2(h), 2(g), 2(j), 2(f)) Health information is generally protected unless it’s being used to prevent bioterrorism or an epidemic, or to add to current research. (53) If the information is necessary to save the world, GDPR compliance—including protection of constitutional rights or international policy rights—is secondary. (54, 55)