Welcome to the final edition of the GDPR Overview blog series where we will review everything we have covered since the beginning in an easy, question/answer-style format.
What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union's data protection and privacy law. It replaced the 1995 Data Protection Directive (95/46/EC) and, with it, the national laws that implemented that directive, such as the UK's Data Protection Act 1998. The regulation grants individuals more rights over the storage and processing of their personal data by data controllers and processors, in an effort to improve data security and assign more accountability to those who hold it. GDPR came into full effect on May 25th, 2018, and brought with it new and stricter penalties for organizations found to be in non-compliance.
What are the new rights given to individuals under GDPR?
There are eight rights given to individuals under this regulation, designed to give them more control over what happens to the personal data they divulge to organizations. These rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to data portability
- The right to object
- The right to restrict processing
- Rights in relation to automated decision-making and profiling
What is "personal information," or "personal data?"
Personal information or data is any information relating to an identified or identifiable individual, that is, anything that can be used to identify a person either directly or indirectly: a name, an identification number, contact details, location data, an online identifier such as an IP address or cookie ID, or medical information, for example. Pseudonymized data is still personal data if the individual can be re-identified by combining it with additional information held elsewhere.
What is "special category" data?
Special category data is personal data deemed more sensitive than ordinary personal data. Processing it is more likely to create significant risks to a person's fundamental rights and freedoms, for example by exposing them to unlawful discrimination, so it is prohibited unless one of the specific conditions in Article 9 (such as explicit consent) applies in addition to a legal basis for the processing. Special category data is data revealing or relating to an individual's:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometrics (where used to uniquely identify someone)
- health
- sex life
- sexual orientation
Data about criminal convictions and offences is not a special category, but it has its own, similar restrictions under Article 10.
What is a legal basis?
The "legal basis" (or lawful basis) for processing is the legal justification, drawn from the list in Article 6 of GDPR, on which an organization relies to process personal data at all; processing without one is unlawful. Organizations must decide on and document their legal basis before processing begins, and must tell data subjects what it is, along with why the data is being collected, what it will be used for, and how long it will be kept. This information should be provided in a clear and concise privacy notice, using plain language, so that individuals understand it and can make an informed decision about whether to divulge their data to you. The basis you choose matters later: several of the rights described below apply only, or apply differently, under particular bases.
There are six possible legal grounds your organization can claim for processing data under GDPR:
- The individual has given their consent, which must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as it was to give.
- The processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one.
- The processing is necessary to comply with a legal obligation.
- The processing is necessary to protect someone's vital interests (typically a life-or-death situation).
- The processing is necessary to perform a task carried out in the public interest or in the exercise of official authority.
- The processing is necessary for the legitimate interests of your organization or a third party, unless those interests are overridden by the interests, rights, and freedoms of the individual.
When can an individual request the erasure of their personal data from an organization's system?
There are a few legitimate scenarios in which an individual can submit a request for erasure. For example, if the organization no longer requires the personal data that was initially collected from the individual, an individual can request the secure deletion of this information as there is no legitimate purpose for which this data must be retained.
Additional situations where an individual can legitimately request their data be deleted can include (but are not limited to):
- The individual withdraws their consent for the processing, and you have no other legal basis on which to continue.
- The individual objects to the processing and you are relying on the "legitimate interests" legal basis. In this case you must erase the data unless you can demonstrate compelling legitimate grounds for the processing that override the individual's interests, rights, and freedoms.
- You have processed the data illegally.
- You must erase the data in order to comply with a legal obligation.
There are certain cases in which the right to erasure does not apply. For example, it does not apply if the data is being processed in order to exercise the right of freedom of expression and information. Other situations where the right to erasure does not apply include:
- If the data is being processed in accordance with a legal obligation.
- If the data is being processed to carry out a task in the public interest or in the exercise of official authority.
- If the data is being processed for archiving purposes in the public interest, or for scientific, historical, or statistical research, where erasure would seriously impair those purposes.
- If the data is needed to establish, exercise, or defend legal claims.
When you do erase data, you must also communicate the erasure to each recipient you have disclosed the data to, unless that proves impossible or involves disproportionate effort, and if you have made the data public you must take reasonable steps to inform other controllers processing it that the individual has requested erasure.
When can an individual object to processing?
An individual can object outright to having their personal data processed by an organization in a few situations. These situations include:
- If the processing is based on legitimate interests, performed in the public interest, or exercised by an official authority. This includes using personal data for profiling purposes.
- If the processing is used for direct marketing purposes.
- If the processing is done for the purposes of scientific, historical, or statistical research.
An organization must comply with an objection made on any of these grounds unless one of the following exceptions applies:
- For processing based on legitimate interests or on a public task, you may refuse if you can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the individual, or if the processing is necessary for the establishment, exercise, or defense of legal claims.
- For processing for research purposes, you may refuse if you can demonstrate that the processing is necessary for the performance of a task carried out in the public interest.
- For direct marketing, there are no grounds on which the objection can be refused. Processing for that purpose must stop as soon as the objection is received, and this includes any profiling related to direct marketing.
Individuals must be told explicitly of their right to object at the latest at the time of your first communication with them, separately from other information and in a clear manner.
When does the right to data portability apply?
Organizations need to make sure they can provide individuals with a copy of their personal data in a structured, commonly used, and machine-readable format upon request (CSV, JSON, or XML, for example, rather than a scanned PDF). Another system must be able to import the data and extract individual elements of it as required. Where it is technically feasible, the individual can also ask you to transmit the data directly to another controller. The right to data portability only applies when all of the following hold:
- The personal data was provided to the controller by the individual. Under regulators' guidance this covers data they actively supplied (form fields, uploaded content) and data observed from their use of the service (activity logs, usage history), but not data you have derived or inferred from it (credit scores, risk profiles).
- The legal basis for processing is the individual's consent or the performance of a contract.
- The processing is carried out by automated means.
The right to data portability does not apply when the organization is processing the data to fulfill a legal obligation or as part of a task carried out in the public interest, and exercising it must not adversely affect the rights of others (for example, other people's personal data contained in the export).
How long do I have to respond to a request made by an individual regarding their personal data?
You must act on a request without undue delay and in any event within one month of receiving it. If the request is complex, or you have received multiple requests from the same individual, you can extend this deadline by up to a further two months, provided you inform the individual of the extension, and the reasons for it, within the original one month. You cannot normally charge a fee for handling a request. The exception is where a request is manifestly unfounded or excessive, in particular because it is repetitive; in that case you can either charge a reasonable fee based on the administrative cost of providing the information or refuse to act, and in either case you must be able to justify that decision. A reasonable fee may also be charged for any further copies of the information requested through the same access request. If you are not going to act on a request, you must tell the individual why within the same one month and inform them of their right to complain to the supervisory authority.
What is "automated decision-making?"
Rights in regard to automated decision-making concern decisions made about an individual based solely on automated processing of their personal data, with no meaningful human involvement. This includes profiling: any automated evaluation of personal aspects of a person (their performance at work, economic situation, health, preferences, reliability, behavior, or location) used to come to conclusions about them. GDPR restricts solely automated decisions that produce legal effects concerning the individual or that similarly significantly affect them (an automatic refusal of a loan or a job application, for example). Decision-making of this nature is only permitted:
- When the decision is necessary to enter into or perform a contract with the individual
- When the decision is authorized by EU or member state law that also lays down suitable safeguards
- When the decision is based on the explicit consent of the individual
Even where one of these three categories applies, the organization must inform individuals that automated decision-making and any profiling is taking place, give meaningful information about the logic involved and the significance and envisaged consequences of the processing, and (in the contract and consent cases) give them the right to obtain human intervention, to express their point of view, and to contest the decision. The organization must also take steps to prevent errors caused by the automated decision-making and to prevent any bias or discrimination that could result from it. Solely automated decisions based on special category data are restricted further still.
What is a DPO?
A DPO is a data protection officer whose responsibilities include, among others, helping an organization ensure its activities remain in compliance with GDPR; advising the organization on data protection issues and on data protection impact assessments (DPIAs, the process for identifying the data protection risks of a specific project or processing activity); monitoring compliance; and acting as the point of contact both for individuals whose data is being processed and for the supervisory authority. Appointing a DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic large-scale monitoring of individuals, and for those whose core activities involve large-scale processing of special category or criminal conviction data; other organizations may appoint one voluntarily.
However, a DPO is not personally responsible or liable for an organization's data protection compliance. That remains the responsibility of the controller or processor, though the DPO plays a vital part in ensuring the organization meets its data protection obligations. The DPO must be able to act independently, must report to the highest level of management, and cannot be penalized or dismissed for performing their tasks.
What constitutes a data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data under an organization's care. This is broader than the everyday meaning of "breach": it covers access to personal data by an unauthorized third party, the theft or loss of devices or media containing personal data, sending data to the wrong recipient, unauthorized modification of personal data, and loss of availability of the data (a ransomware infection or an unrecoverable database failure counts even if no data was exfiltrated).
When must an organization report a data breach and within how much time?
If the breach is likely to result in a risk to the rights and freedoms of the data subjects, the organization must report it to the relevant supervisory authority. If the breach is unlikely to result in such a risk, it does not need to be reported, but it must still be recorded internally: Article 33 requires controllers to document every breach, including its facts, its effects, and the remedial action taken, so that the supervisory authority can verify compliance.
If the breach must be reported, the organization must do so without undue delay and, where feasible, within 72 hours of becoming aware of it. If notification takes longer than 72 hours, it must be accompanied by the reasons for the delay. Where all of the required information is not available at once, it can be provided in phases. Where the breach is likely to result in a high risk to individuals, the organization must also notify the affected data subjects themselves without undue delay, describing in clear and plain language the nature of the breach, its likely consequences, and the measures taken. A processor that detects a breach must notify the controller without undue delay; the controller's 72-hour clock starts when the controller becomes aware of the breach.
What happens when an organization fails to comply with GDPR?
For lesser offenses, the penalty for not complying with GDPR can be a fine of up to €10 million (roughly $11.9 million USD), or two percent of the organization's total worldwide annual turnover for the preceding financial year, whichever amount is greater. Infringements in this tier include failures in controller and processor obligations such as keeping records of processing, implementing appropriate security measures, notifying breaches, carrying out data protection impact assessments, and appointing a DPO where required, as well as the obligations of certification and monitoring bodies.
For greater offenses committed under GDPR, the penalty can be a fine of up to €20 million (roughly $23.7 million USD), or four percent of the organization's total worldwide annual turnover for the preceding financial year, whichever amount is greater. These types of infractions can include those related to:
- The basic principles for processing (including consent requirements)
- Rights of individuals in the processing of their information
- Personal data transfers to recipients in a third country or international organization
- Non-compliance with an order from a data protection authority
Where an organization has infringed several provisions of GDPR through the same or linked processing operations, the total fine cannot exceed the amount specified for the gravest infringement. Fines are also only one of the supervisory authorities' corrective powers: they can additionally issue warnings and reprimands, order an organization to bring its processing into compliance, and impose a temporary or permanent ban on processing.
Do you have any questions not covered in this GDPR Overview series?
If you have any questions regarding any topic in our GDPR Overview series, or about any topics not covered, please reach out to us at firstname.lastname@example.org and our team will gladly help you out.