Note: mostly taken from here.
In a nutshell
The General Data Protection Regulation (GDPR) is a privacy and security law drafted by the European Union that imposes obligations on organizations that collect data from people in the EU. GDPR applies even to organizations outside the EU, as long as they collect data from EU citizens or residents.
GDPR aims to protect the privacy of individuals by regulating how organisation use their data. This post outlines the key regulatory points of the GDPR.
|Personal data||Any information that relates to an individual and which can be used to directly or indirectly identify them (e.g., name, email, location info, gender, web cookies, etc).|
|Data processing||Any action performed on data (e.g., storing, recording, sorting, erasing, etc).|
|Data subject||The person whose data is processed (e.g., customers or website visitors)/|
|Data controller||The person who decides why and how data is collected (e.g., an owner or employee of an organization who handles data).|
|Data processor||A third party that processes personal data on behalf of a data controller (e.g., a cloud service like AWS S3 or Gmail).|
Data protection principles
If you process data, then you must follow the following principles:
- Lawfulness, fairness and transparency – Processing must be lawful, fair and transparent to the data subject.
- Purpose limitation – You must process data only for the purposes specified explicitly to the data subject at the point of the collection., you must be explicit about how subject data will be used and then process data accordingly).
- Data minimization – You should collect and process only as much data as strictly necessary for the purposes specified (i.e., don’t collect more data than you need).
- Accuracy – You must keep personal data accurate and up to date (i.e., don’t tamper with people’s data).
- Storage limitation – You may only store personally identifying data for as long as is necessary for the specified purpose (i.e., don’t store data for longer than you need to).
- Integrity and confidentiality – Processing must be carried out in a way that ensures appropriate security, integrity, and confidentiality (e.g., using encryption).
- Accountability – The data controller is responsible for being able to demonstrate compliance with all of these principles.
Accountability – Data controllers must be able to demonstrate GDPR compliance
Data controllers must be able to demonstrate that they are GDPR compliant. If you can’t demonstrate this, you aren’t GDPR compliant.
Here are some ways you can demonstrate compliance:
- Maintain detailed documentation of the data you collect, how it’s used, where it’s stored, which employee is responsible for, etc.
- Implement technical and organisational security measures (see below).
- Have Data Processing Agreements in place with third parties you can contract that process data for you.
- Appoint a Data Protection Officer (only applicable to some organisations).
Data security – You must implement technical and organisational measures
You must handle data securely by implementing “appropriate technical and organizational measures.”:
- Technical measures: Things like requiring employees to use two-factor authentication on accounts that store personal data, and using cloud providers that use end-to-end encryption.
If you have a data breach, you must notify data subjects within 72 hours, or face penalties. This requirement may be waived if you have security measures in place like encryption that can mitigate the risk of breaches.
Lawful basis for data processing: You must have a good reason for data processing
Before you can collect personal data, you must be able to justify it with one of the following reasons:
- The data subject gave you explicit, unambiguous consent to process their data (e.g., by opting into your newsletter).
- Data processing is necessary to execute or prepare to enter into a contract to which the data subject is a party (e.g., you must perform a credit check before granting an applicant a loan).
- You need to process data to comply with a legal obligation (e.g., you receive an order from a court to share personal data for a criminal case).
- You need to process data to save somebody’s life (e.g., you’re a counsellor working with someone at risk of suicide).
- You must process data to perform a task in the public interest or an official function (e.g., a private garbage collection company).
- You have a legitimate interest to process someone’s data. This is a flexible lawful basis that is valid depending on various factors. See here for more.
Once you’ve determined your lawful basis for data processing, you must document it and notify the data subject. If you ever change your lawful basis, you must document and notify the data subject again.
Consent – You must obtain consent and honour consent withdrawals
- Consent must be “freely given specific, informed and unambiguous”.
- Requests for consent must be presented in “clear and plain language”.
- Data subjects must be able to withdraw previously given consent whenever they want, and you must honour their decision.
- Children under 13 can only give consent with permission from their parents.
- You must keep documentary evidence of consent.
See the ICO web page for more.
Data Protection Officers – required under certain conditions
- You’re a public authority other than a court acting in a judicial capacity (e.g., you’re the local borough council).
- Your core activities require you to monitor people systematically and regularly on a large scale (e.g., You’re a Google or Facebook).
- Your core activities are large-scale processing of particular categories of data listed under Article 9 of the GDPR, or data relating to criminal convictions or offences mentioned in Article 10.
What happens if you break the GDPR rules?
You could be subject to harsh fines that can reach into the tens of millions of euros.
- GDPR was put into effect on May 25, 2018, replacing the previous European Data Protection Directive of 1995.