General Data Protection Regulation (GDPR)
Today marks the start of the implementation of the General Data Protection Regulation (GDPR), a regulation that aims to strengthen and unify data protection laws and regulations for all individuals within the European Union (EU).
GDPR is designed to protect personal information and give citizens greater control over their information. It is arguably the most important change in data privacy regulation in 20 years. The regulation applies to all organizations established in the EU that process personal information in the context of that establishment, and to all organizations outside the EU that process personal information about EU citizens when offering them goods and services or monitoring their behavior.
Protection of personal information is not just an ethical responsibility, but a legal one, too. Privacy laws around the world are emerging to mandate that personal information is processed in an accurate, safe, secure, and lawful manner. Increasingly, privacy laws are becoming even stricter, with penalties for non-compliance.
What is GDPR?
- New regulation that requires compliance from companies doing business in the EU
- Homogenizes data privacy law across member states
- Protects the privacy, fundamental rights, and freedoms of citizens
- Strengthens the obligations of those processing personal information
The main objectives of GDPR include:
- Protecting fundamental rights and freedoms of EU citizens
- Giving Data Subjects full control over their personal information
- Strengthening the level of compliance with focus on policies and procedures
- Increasing exposure of weak practices and security
- Putting more emphasis on safe dataflows
- Introducing a new punishment regime with heftier fines
- Personal Information: Any information relating to an identified or identifiable natural person.
- Special Category of Data / Sensitive Personal Information: Personal information that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation, including also genetic data and biometric data. It requires a higher level of protection.
- Data Processing: Any operation performed on personal information. This could either be manual or automatic processing.
- Data Subject: The person that the information is about (Remember, we are all Data Subjects!)
- Data Controller: The natural or legal person, public authority, or other body that determines the purpose and means of processing the personal information.
- Data Processor: The natural or legal person, public authority, or other body that processes personal information on behalf of the Data Controller. Data Processors do not determine the purpose or means of processing personal information. They must only process personal information in the way determined by the Data Controller.
Legal Basis For Processing
You must have a valid lawful basis to process personal information. Under GDPR, there are six available legal bases for processing. Which legal basis is most appropriate will depend on your processing purpose and the relationship with the Data Subject. The applicable legal basis must be determined before you begin the processing of personal information.
- Consent
The Data Subject gives consent to the processing of personal information for a specific purpose. For consent to be valid it must be:
  - Freely given: The Data Subject must not be under undue pressure to consent. They must be able to refuse or withdraw consent at any time. Consent is not freely given if it is a pre-condition of a service.
  - Informed: The Data Subject must be provided with sufficient information to allow them to understand what they are consenting to. Data Subjects should be made aware, using clear and plain language, of the purposes for which their personal information will be used and with whom it will be shared.
  - Unambiguous: Consent must be given by a statement or clear affirmative action, such as checking a box to opt in. Silence, pre-checked boxes, inactivity, or failure to opt out do not constitute valid consent.
  - Specific: Consent must be given for each purpose separately. For processing activities with multiple purposes, consent should provide granular options. Consent must be distinguishable from other T&Cs. Sensitive personal information (or Special Category of Data (SCD), a subset of IBM’s SPI under GDPR) requires explicit consent. Consents given under current data protection laws may continue to be used under GDPR if they are in line with GDPR provisions.
- Contractual Necessity
The processing is permitted if it is necessary for the performance of a contract with the Data Subject, or to take steps at the request of the Data Subject before entering into a contract. For example, entering into an employment agreement would entail processing personal information such as payroll information. Employees’ consent is not needed in order to properly process such personal information.
- Legal obligation
The processing is necessary for the Data Controller to comply with a legal obligation (not including contractual obligations). The legal obligation must follow from EU law or member state law to which the Data Controller is subject.
- Vital interest
The processing is necessary to protect someone’s life.
- Public interest
The processing is necessary for the Data Controller to perform a task in the public interest, or for official functions. The task or function must have a clear basis in law.
- Legitimate interest
The processing is necessary for the legitimate interest of the Data Controller or of a third party. The legitimate interest basis cannot be relied upon when such interests are overridden by the interests and fundamental rights and freedoms of the Data Subject, which require protection of their personal information. It is essential to identify the legitimate interest of the Data Controller or the third party and to balance it against the interests of the Data Subject.