7 min read
Welcome to the final edition of the GDPR Overview blog series where we will review everything we have covered since the beginning in an easy, question/answer-style format.
The General Data Protection Regulation (GDPR) is a new data protection and privacy law that replaced the Data Protection Act in the European Union. The regulation grants individuals more rights when it comes to the storage and processing of their personal data by data controllers and processors in an effort to increase data security and assign more accountability to those who hold it. GDPR came into full effect on May 25th, 2018, and brought with it new and stricter implications for companies found to be in non-compliance.
There are eight new rights given to individuals under this regulation designed to give individuals more control over what happens to the personal data they divulge to organizations. These rights are:
Personal information or data can be defined as any information that can be used to either directly or indirectly identify an individual, such as contact information, location-based information, or medical information.
What is "special category" data?
Special category data is any personal data that is deemed more sensitive than ordinary personal data. This type of data is more likely to create significant risks to a person's fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination. This kind of data can include (but is not limited to) any data related to an individual's:
The "legal basis" for processing refers to the purpose for which the organization is collecting the personal data. This includes exactly why the individual must provide this data, how long this data will be stored, and for what purposes it will be used. Organizations must be able to provide a legal basis to their clients in order to be compliant with GDPR. The legal basis for processing should be provided to clients in a clear and concise manner, using plain language to ensure comprehension and to enable them to make an informed decision regarding whether or not they wish to divulge this data to you.
There are six possible legal grounds your organization can claim for processing data under GDPR:
There are a few legitimate scenarios in which an individual can submit a request for erasure. For example, if the organization no longer requires the personal data that was initially collected from the individual, an individual can request the secure deletion of this information as there is no legitimate purpose for which this data must be retained.
Additional situations where an individual can legitimately request their data be deleted can include (but are not limited to):
There are certain cases in which the right to erasure does not apply. For example, the right of erasure does not apply if the data is being processed in order to exercise the right of freedom of expression and information. A couple of other situations where the right of erasure would not apply include:
An individual can object outright to having their personal data processed by an organization in a few situations. These situations include:
An organization is compelled to comply with an objection request made on any of these grounds. However, there are some exceptions where an objection request does not need to be complied with:
Organizations need to make sure they can provide individuals with a copy of their personal information in a common and machine-readable format upon request. Another computer must be able to import and extract elements of the information as required. Data portability requires that the individual be able to obtain their data and have it transferred from one system to another for their own purposes. The right to data portability only applies under certain circumstances:
The right of data portability does not apply when the organization processing the data is doing so to fulfill a legal obligation or if they're processing the information as part of a task carried out in the public interest.
Generally, you must complete the request within a one-month period. However, if the request is complex or there are multiple requests from the same individual, you can extend this deadline by an additional two months, provided you inform the individual within the original one-month period. You must also be able to provide a justification for why the extension is needed. You are also not able to charge a fee for the completion of a data request, unless you can prove the request is excessive or unreasonable. Any fee must reflect the amount of administrative effort or cost required to provide the information. A reasonable fee may also be charged for any extra copies of the information requested through the same access request.
Rights in regard to automated decision making refer to any decisions made about an individual's personal data that do not involve any human interaction or involvement. This now includes any profiling activities conducted in relation to the personal data in order to make evaluations and come to certain conclusions about an individual. GDPR introduces new restrictions for when any automated decision-making has a potential legal effect or ramification for an individual. In this case, there are only certain instances where decision-making of this nature is permitted:
If the automated decision-making falls under one of these three categories, the organization must inform the individuals whose data is being processed about the automated decision-making, as well as any profiling taking place. The organization must also put steps in place to prevent errors caused by the automated decision-making as well as to prevent any bias or discrimination that could result from it.
A DPO is a data protection officer whose responsibilities include, among others, helping an organization ensure its activities remain in compliance with GDPR; advising the organization on data protection issues and any data protection impact assessments (a process to identify data protection risks for a specific project); and being the first point of contact for those whose data is being processed as well as any necessary regulatory authority.
However, a DPO is not personally responsible or liable for an organization's data protection compliance. This is still up to the controller or processor themselves, though the DPO does play a vital part in ensuring the organization's fulfillment of appropriate data protection obligations.
A breach is considered a lapse in security resulting in the accidental (or purposeful) destruction, modification, loss, unauthorized disclosure of, or access to, personal data under the care of an organization. Breaches can include access to personal data by an unauthorized third party, the theft or loss of devices containing personal data, the sending of data to an incorrect recipient, the unauthorized modification of personal data, or the loss of availability of the data.
If the breach is likely to present a risk to the rights and freedoms of the data subjects, then the organization must report the breach to the proper supervisory authority. However, if the breach has a low risk of affecting these rights and freedoms, it does not need to be reported.
If the breach must be reported, the organization must do so "without undue delay" and within 72 hours of discovery, in accordance with GDPR. If the organization takes longer than this to notify the appropriate authority or the affected data subjects, they must be able to provide a suitable reason for the delay.
For lesser offenses involving data controllers and processors, certification bodies, and/or monitoring bodies, the penalty for not complying with GDPR can be a fine of up to €10 million (roughly $11.9 million USD), or two percent of the organization's worldwide annual revenue for the past financial year, whichever amount is greater.
For greater offenses committed under GDPR, the penalty can be a fine of up to €20 million (roughly $23.7 million USD), or four percent of the organization's worldwide annual revenue over the last year, whichever amount is greater. These types of infractions can include those related to:
Should an organization be deemed non-compliant in multiple aspects of GDPR, it will be fined in accordance with the most serious offense.
If you have any questions regarding any topic in our GDPR Overview series, or any about topics not covered, please reach out to us at firstname.lastname@example.org and our team will gladly help you out.