The EU General Data Protection Regulation (GDPR) incorporates a lot of new definitions. The enforcement date of May 25, 2018 is now less than a year away. With this in mind, companies are scrambling to decode the 260 pages of regulation to ensure GDPR compliance within the next year. The GDPR offers 160 pages of background information to help explain its intent. From there, it delineates a series of ninety-nine articles that regulate the handling of personal data. Fully understanding the main tenets of the regulation will make GDPR compliance easier in the long run.
In reading the 260 pages of regulation, the most important first step to understanding what it means and how it applies is to understand the GDPR definitions within the regulation. With this in mind, the first of this two-part GDPR introduction series will focus on GDPR definitions. This document references both the preamble paragraphs and the articles that match the definitions. For ease of reference, references listed as “(#)” refer to preamble paragraphs. Articles are referred to by Article # Section #.
Hopefully, reviewing the terms that cause confusion will help people better navigate the confusing legal and regulatory terminology.
What’s in a GDPR Definition?
Introduction: Seven Tenets of GDPR Compliance
Before discussing any GDPR definition, it helps to understand the seven identified components. The regulation sets out the following seven components as the principles driving compliance.
- Lawfulness, fairness, transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
In brief, GDPR compliance seeks to ensure that companies think about the data they collect, focus on what they need, ensure that customers are fully aware of the data being collected, and are held accountable for the manner in which they collect and store the data. In the preamble, the regulation notes that data processing should serve mankind (6), and that this requires a strong, coherent data protection framework backed by enforcement (7) with the goal of consistent application of the rules (10). In other words, the ultimate purpose of the GDPR is to set a standard of compliance in a space that is currently a patchwork.
Personal Data: the GDPR Definition
Personal data includes a name, an ID number, location data, or an online identifier, but also any factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person that can lead to singling out an individual. (Article 4 Section 1) If the company can use the information to identify a person, the information should be protected using the latest technology, and the company should ensure that its systems are kept updated. (26)
According to the GDPR definition, online identifiers come from any electronic tracking measure, whether devices, applications, tools, or protocols such as IP addresses, cookies or RFID tags. (30) Personal data also covers mental and physical health information collected when registering for health services. (34, Article 9 Section 1) Racial/ethnic data also counts as personal data, while photographs may count if they allow for unique identification. (51)
Companies need to think about the information they request and only take the data they need for their activities. (39) If a company does not have enough information to identify a person, it is not necessary to ask for more. (57) If someone wants to give more, the company should take the information but have sound authentication and protection mechanisms in place. (57) Children are a special case because they are not cognitively or psychologically mature enough to weigh the risks, so it is probably wiser not to collect their information unless it is really necessary. (38)
Processing of Personal Data
The GDPR definitions of controller and of processor of personal data lie at the root of compliance concerns. If your organization is identified as one of these, it needs to be in compliance. The problem is that these definitions seemingly apply to everyone.
Controllers in the EU
According to the GDPR definition, if the company is established in the EU, you need to comply regardless of whether the processing itself happens in the EU or elsewhere (22). For controllers, this means that management activities and processing decisions occur in the EU, or that central offices are located there (36).
The preamble then defines the term “undertaking.” The goal here is to think about how your business works in terms of information collection. If you have a single “undertaking” that incorporates smaller “undertakings” that handle personal data, protect the larger undertaking (37). One of the goals of this GDPR definition is to ensure that companies don’t try to outsource their responsibility and work around compliance. GDPR compliance wants companies to pay attention to their information gathering so that they understand how data collection across various business lines is interconnected.
Ultimately, the GDPR wants to hold controllers responsible for reviewing their processors. In the US, SOX compliance does something similar when you are choosing vendors. GDPR compliance in this area means ensuring that your processors provide the appropriate guarantees, such as expert knowledge, reliability, and resources, to protect the information and the security of processing. One way for them to do this is to have an approved code of conduct or certification mechanism that demonstrates compliance. The contract should clearly state the subject matter and duration of processing, the nature and purpose of processing, the types of data, the categories of data subjects, and the risks to the information. The contract should also specifically discuss what happens to the personal data upon termination of the contract. (80, Article 28 Section 1, Article 32 Section 3)
Interestingly, GDPR compliance seems to want to support industries in creating their own codes of conduct. Much the way that we have HITRUST for HIPAA here, GDPR compliance reinforces the notion that industries are the ones who can best handle their data processing needs. The GDPR states that associations or other bodies representing individual industries should work together to create codes of conduct that set a baseline of behavior for all controllers and processors within that market. Visible seals or marks should then indicate compliance with the code of conduct so that people can see it. (98, 99, 100) By giving power to the industries, this attempts to create consistency in protection while accounting for individual market idiosyncrasies.
Controllers and Processors Inside and Outside the EU
GDPR compliance hopes to create a sense of shared values among those handling data processing. If you’re processing the data of people who live in the EU for sales of goods and services, the GDPR definition of processor applies to your company. (23) Recognizing the broad reach of the internet, the preamble notes that in determining whether the regulation applies, you can look at the language of the website and the currency accepted to determine whether the target demographic is EU residents. (23) If a company is collecting personal data with the intent of selling to a person, GDPR compliance may apply even if the company is not located in the EU. (24)
Some companies outside the EU receive transmissions of information about EU residents. GDPR compliance requires meeting data protection standards in this case. Some third countries or international organizations may be barred from receiving transfers of EU residents’ data. For those who fall under the GDPR definition of controllers or processors dealing with a third country, GDPR compliance requires taking measures to protect the information, such as creating binding corporate rules or including standard data protection clauses in contracts. In these cases, liability lies with the controller or processor to ensure that the data subject can obtain compensation in the event something happens to their information. (101-116)
If the GDPR definition of controller or processor applies to an organization outside the EU that offers goods/services to or monitors EU residents, GDPR compliance requires that you have a representative in the Union. Of course, if your activities are occasional or small and lead to low risk, this may not apply to you. The GDPR suggests that these companies officially name a representative located within the EU. The representative acts on behalf of the controller, and supervisory authorities communicate with this representative. The representative is explicitly designated and is the person subject to enforcement proceedings in the event of noncompliance. They’re responsible for fixing any problems, even though the controller/processor remains ultimately responsible. (80, Article 27)
The GDPR definition of pseudonymization means processing personal data while keeping the pieces of data separate, so that they cannot be tied to a particular person without additional information. Separation can be accomplished through technical and/or organizational methods. (5, Article 4) Keeping personal data separate means collecting the information but segregating the bits so that they cannot be combined to reconstruct a clear identity of the individual. (29)
Legitimate Interest/Permitted Collection
The regulation focuses all of Article 6 on creating a GDPR definition for legitimate interest and permitted collection. One of the most basic features of GDPR compliance lies in asking controllers and processors to analyze their reasons for collecting information.
When determining the relationship with the data subject, a company should think about whether the subject is a client of or in the service of the controller. Organizations should do risk assessments regarding whether data subjects can reasonably expect the processing. For example, collecting data to prevent fraud is always legitimate, but processing for marketing may or may not be legitimate. (47, Article 6 Section 1(b), 1(c)) Marketing may be a legitimate reason for collection, but the organization needs to give reasons for the collection and make the information available upon request. (70)
Transmitting personal data within a larger group of companies, or “undertaking,” for internal administrative purposes is a legitimate reason for a controller to collect and process the personal data. This area also includes a vague discussion of information sent to a third, non-Member country. (48)
Processing personal data in the interests of information security is legitimate. This includes processing needed to protect against intrusions, whether carried out by public authorities, computer emergency response teams, or computer security teams. If you’re trying to investigate an attack, GDPR compliance affords wiggle room. (49)
Once information is collected, it can only be used for the reasons provided at collection. Companies should do risk assessments when thinking about information usage. GDPR compliance recognizes that if there is a link between the original purpose of collection and further processing, the data subject may reasonably expect the additional processing. Companies need to ensure that they assess the types of information, the harms further processing could have for the data subjects, and the safeguards in place. In addition, people should have the right to object to this additional use. (50, Article 6 Section 1(a))
As long as safeguards are placed on the data, collection for electoral purposes is legitimate. (56, Article 6 Section 1(e))