The Serity General Data Protection Regulation (GDPR) Primer

Release date: 2020-04-08
Topic: Data Protection
First, a point of order: data protection rules and regulations are not new! Most organisations would have had some measure of control over data processing activities in place before the GDPR came into being. Although the GDPR may seem new to organisations, it has been around since 2016.

What is the GDPR? 

GDPR stands for the ‘General Data Protection Regulation’ and is the European Union (EU) law on data protection. It gives EU residents rights that allow for more control over how their Personal Data is processed. The Regulation was adopted on 14 April 2016 but only became enforceable on 25 May 2018. It replaces the Data Protection Directive (DPD) from 1995. The Regulation means residents and organisations in the EU can benefit from the ever-growing digital economy whilst allowing people to have more control over their Personal Data. It was also designed to unify data protection laws across the EU.

Does the GDPR Apply to You? 

If you are an organisation operating within the EU then GDPR will apply to you. This includes organisations based outside of the EU if they offer goods or services to individuals within the EU or monitor their behaviour. Under the GDPR, any EU resident that has their data collected by an organisation is a Data Subject. The organisation that decides why and how this data is processed is the Data Controller. Generally, if a third party handles this Personal Data on the Controller’s behalf, they are the Data Processor. 

GDPR Implementation

As the core regulation for securing digital privacy by protecting Personal Data across every EU member state, the GDPR reaches well beyond the EU itself. Its territorial scope is defined by the people whose data is processed, not by where the organisation sits: any organisation, anywhere, that offers goods or services to individuals in the EU or monitors their behaviour falls within it. The implementation of the GDPR forced organisations, big and small, to comply with its regulatory framework, making GDPR compliance not just a nice-to-have but a business essential.

GDPR Definition - Data Protection Officer

Under the GDPR, certain organisations must appoint a Data Protection Officer (DPO): public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. According to the ICO, a DPO’s tasks are to “monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Supervisory Authority”.

A DPO should have professional experience and knowledge of data protection law proportionate to the processing the organisation carries out. Failing to appoint a DPO when one is required is non-compliance and can result in a fine.

GDPR Definition - Data Controller

The Data Protection Commission (DPC) which is the Irish Supervisory Authority responsible for upholding the fundamental right of individuals in the EU to have their Personal Data protected describes Data Controllers as “the main decision-makers” stating “they exercise overall control over the purposes and means of the processing of Personal Data”. 

The Data Controller has the most responsibility when it comes to protecting the Personal Data, privacy and other rights of a Data Subject. A Data Controller may process the collected data on its own systems without any external help. In some instances, however, a Data Controller needs a third party or external service to work with the Personal Data that has been gathered. The Data Controller should not release control of the Personal Data to that third party. It remains in control by specifying, in a written agreement (the data processing contract required by Article 28), how the Personal Data may be used and processed by the external service.

As a Data Controller, you could have more legal liability if you are responsible for a data breach. However, Data Subjects can claim compensation and damages against both Data Controllers and Data Processors.

Data Controller Responsibilities

You are the Data Controller, as an organisation, if you decide to collect the Personal Data of your customers/clients, site visitors and other Data Subjects. You must have a lawful basis for doing so. You are usually also a Data Controller if you decide:

  • what Personal Data to collect,
  • where and how to use the Personal Data and for what purpose,
  • to change or modify the Personal Data that your organisation collects,
  • whether to keep the Personal Data in-house or to share it with third parties,
  • how long the Personal Data is kept, or 
  • when and how to dispose of Personal Data.

GDPR Definition - Data Processor 

Data Processors, according to the Data Protection Commission (DPC), “act on behalf of, and only on the instructions of, the relevant controller”. A Data Processor carries out the actual processing of the Personal Data under the instructions of the Data Controller.

Data Processors don’t have the same obligations as Controllers under the GDPR but do have several direct obligations of their own. 

Both the Data Processor and the Data Controller are legally responsible for data processing activities under the GDPR. The Data Controller determines the purpose and means of processing Personal Data, whilst the Processor is responsible for actually processing that Personal Data on behalf of the Data Controller.

It’s important to implement an audit trail recording how, where and by whom Personal Data is used and accessed, so that the scope of a data breach can be established quickly. 
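One way to build such an audit trail, as an added example that is not the primer’s own code: each access to Personal Data is appended as an entry whose hash covers the previous entry’s hash, so editing or reordering a stored entry breaks the chain and is detected on verification. The class and function names (AuditLog, record, verify, tamper) and the sample events are assumptions made for this illustration.

```python
"""Tamper-evident audit trail of access to Personal Data (added example).

Every access is appended as an entry whose SHA-256 hash covers the previous
entry's hash. Editing, reordering or inserting an entry breaks the chain.
Names and sample events are assumptions for this illustration.
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS_HASH = "0" * 64  # previous-hash value used by the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str     # ISO-8601, UTC
    actor: str         # who accessed the data (user or service account)
    subject_id: str    # pseudonymous Data Subject id; never the Personal Data itself
    action: str        # e.g. "read", "export", "erase"
    purpose: str       # purpose / lawful basis the access was performed under
    prev_hash: str
    entry_hash: str


def _hash_fields(fields: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry (without its own hash)."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, timestamp: str, actor: str, subject_id: str,
               action: str, purpose: str) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        fields = {"seq": len(self.entries), "timestamp": timestamp, "actor": actor,
                  "subject_id": subject_id, "action": action, "purpose": purpose,
                  "prev_hash": prev}
        entry = AuditEntry(**fields, entry_hash=_hash_fields(fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first broken entry."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            fields = dataclasses.asdict(e)
            del fields["entry_hash"]
            if e.seq != i or e.prev_hash != prev or _hash_fields(fields) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def accesses_for(self, subject_id: str) -> List[AuditEntry]:
        """Answer 'who touched this person's data, when and why' during breach triage."""
        return [e for e in self.entries if e.subject_id == subject_id]


def build_sample_log() -> AuditLog:
    """Constructed sample events; not real access data."""
    log = AuditLog()
    log.record("2020-04-01T09:00:00Z", "crm-app", "subj-0042", "read", "contract")
    log.record("2020-04-01T09:05:00Z", "alice", "subj-0042", "export", "subject-access-request")
    log.record("2020-04-02T17:30:00Z", "billing-batch", "subj-0107", "read", "contract")
    return log


def tamper(log: AuditLog, seq: int, new_actor: str) -> AuditLog:
    """Simulate someone rewriting who performed an access in the stored log."""
    tampered = AuditLog()
    tampered.entries = list(log.entries)
    tampered.entries[seq] = dataclasses.replace(log.entries[seq], actor=new_actor)
    return tampered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())                                   # None
    print("accesses for subj-0042:", len(log.accesses_for("subj-0042")))
    print("first broken entry:", tamper(log, 1, "mallory").verify())  # 1
```

The chain only proves that no entry was altered between two points an auditor trusts: an attacker who can rewrite the whole store can recompute every later hash, and silently dropping the newest entries leaves a valid chain. In practice the head hash is therefore periodically exported to somewhere the log writer cannot modify (a signed checkpoint, a WORM bucket or a separate log-collection host), and verification compares against that anchor.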

Data Processor Responsibilities

You are the Data Processor if you are instructed by a Data Controller to carry out some of the following:

  • Use tools and strategies to gather Personal Data.
  • Design, create, and implement processes and systems that would enable the Data Controller to gather Personal Data.
  • Implement security measures that would safeguard Personal Data.
  • Store Personal Data collected by the Data Controller.
  • Transfer data from the Data Controller to another organisation.

GDPR Definition - What Is Personal Data?

The Data Protection Commission (DPC) defines Personal Data as “information that relates to an identified or identifiable individual”. Personal Data is any data that can be used, directly or indirectly, to identify an individual. Examples include a name, picture, phone number or address, as well as an IP address, genetic data and biometric data, all of which could be processed to identify a unique individual.

GDPR Definition - What Is Consent?

Organisations must identify a legal basis for each data processing activity. Consent is one of the 6 legal bases outlined in Article 6 of the GDPR. While consent is important in many circumstances like direct marketing scenarios, we must note that the GDPR does not usually require an organisation to obtain consent from people before using their Personal Data for business purposes. 

GDPR sets a standard for consent: Data Subjects must be offered a genuine choice and remain in control of their consent, and consent must be a positive opt-in. To determine whether the consent you collect is valid under the GDPR, your first step should be to review your existing consent practices and refresh consent where they don’t meet the GDPR standard. 

When obtaining consent, ensure you do not use any pre-ticked boxes or consent by default. You must name any third-party controllers who will rely on the consent, and allow people to withdraw consent easily at any time. It’s also important to keep evidence of the consent, including records that answer ‘when’, ‘how’ and ‘who’.
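The consent rules above, as an added example that is not the primer’s own code: a small consent ledger that records the ‘when’, ‘how’ and ‘who’ of every decision, names the third-party controllers relying on it, refuses anything that is not a positive opt-in, accepts withdrawals unconditionally, and answers whether consent was in force at a given moment. ConsentLedger, consent_from_form and the sample events are assumptions made for this illustration.

```python
"""Consent ledger with evidence of when/how/who and withdrawal (added example).

ConsentLedger, consent_from_form and the sample events are assumptions made
for this illustration, not the primer's own code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class InvalidConsent(ValueError):
    """Raised when a record would not meet the GDPR standard for consent."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                     # one record per specific purpose, never bundled
    granted: bool                    # False for a withdrawal
    when: datetime                   # timezone-aware time of the decision
    how: str                         # mechanism, e.g. "web-form v3", "unsubscribe-link"
    who: str                         # system or operator that captured it
    third_parties: Tuple[str, ...]   # named controllers relying on this consent


def utc(iso: str) -> datetime:
    """Parse a naive ISO-8601 string as UTC (helper for the sample data)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def consent_from_form(form: Dict[str, str]) -> bool:
    """Browser checkboxes are only submitted when ticked, so a missing field is
    a 'no'. Anything other than an explicit 'on' is treated as no consent; the
    server never defaults it to True."""
    return form.get("marketing_consent") == "on"


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, when: datetime, how: str,
              who: str, *, affirmative: bool,
              third_parties: Tuple[str, ...] = ()) -> ConsentEvent:
        if not affirmative:
            raise InvalidConsent("consent requires a positive opt-in; pre-ticked "
                                 "boxes, silence or inactivity do not count")
        if when.tzinfo is None:
            raise InvalidConsent("'when' must be timezone-aware to serve as evidence")
        ev = ConsentEvent(subject_id, purpose, True, when, how, who, tuple(third_parties))
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, when: datetime,
                 how: str, who: str) -> ConsentEvent:
        # Withdrawal is always accepted: it must be as easy as giving consent.
        ev = ConsentEvent(subject_id, purpose, False, when, how, who, ())
        self._events.append(ev)
        return ev

    def is_valid(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Was consent for this purpose in force at `at`? No record means no consent."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.when <= at:
                if latest is None or ev.when >= latest.when:
                    latest = ev
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> List[Dict[str, str]]:
        """The audit answer to 'when, how and by whom was consent given or withdrawn?'"""
        return [{"when": ev.when.isoformat(), "how": ev.how, "who": ev.who,
                 "granted": str(ev.granted), "third_parties": ", ".join(ev.third_parties)}
                for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample history for one Data Subject; not real data."""
    ledger = ConsentLedger()
    signup_form = {"email": "a@example.com", "marketing_consent": "on"}  # ticked by the user
    ledger.grant("subj-0042", "direct-marketing", utc("2020-01-10T12:00:00"),
                 "web-form v3", "signup-service",
                 affirmative=consent_from_form(signup_form),
                 third_parties=("Example Mailing Ltd",))
    ledger.withdraw("subj-0042", "direct-marketing", utc("2020-03-01T08:30:00"),
                    "unsubscribe-link", "mailer-service")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.is_valid("subj-0042", "direct-marketing", utc("2020-02-01T00:00:00")))  # True
    print(ledger.is_valid("subj-0042", "direct-marketing", utc("2020-03-02T00:00:00")))  # False
    for row in ledger.evidence("subj-0042", "direct-marketing"):
        print(row)
```

Two design choices matter here. Validity is evaluated at a point in time rather than as a current flag, so a processing activity that ran before the withdrawal can still be shown to have been lawful. And consent is looked up per purpose, so consent to direct marketing says nothing about analytics; a missing record is treated as ‘no’ rather than inferred from silence.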

GDPR Personal Data Breach 

Unfortunately, a data breach is somewhat inevitable. Information gets lost or potentially falls in the hands of those who were never intended to see it. With this in mind, you are expected to put in place comprehensive governance measures, as suggested by the Data Protection Commission. These measures should minimise the risk of a data breach and are often the responsibility of an individual (in a small organisation) or a department (in a larger organisation). Consider the need for budgets, systems and personnel that will be needed to enforce these. 

It’s important to implement appropriate measures across the organisation, such as staff training or internal audits. These provisions will promote accountability and it’s important to keep documentation of these activities. 

Organisations need to report certain types of data breaches to the relevant Supervisory Authority and, in some cases, inform the individuals affected. Individuals are told through a data breach notification, delivered directly to each affected person in one-to-one communication where the breach is likely to result in a high risk to them. Breaches that must be reported to the authority are those likely to result in a risk to the rights and freedoms of individuals, for example reputational damage, discrimination, financial loss or social disadvantage. 

Reportable breaches must be notified to the relevant Supervisory Authority within 72 hours of the organisation becoming aware of them. The notification must include the approximate number of individuals and records affected, the categories of data involved, and a description of the likely consequences, such as identity fraud or financial loss. It must also give the contact details of the Data Protection Officer or other point of contact dealing with the breach, and describe the measures taken or proposed to address it.

Fines and Penalties

If you don’t comply with GDPR you could receive a fine, the value of which is dependent on the severity of the breach and whether the organisation is thought to have taken regulations and compliance seriously enough. 

The maximum fine, €20 million or 4% of the organisation’s total worldwide annual turnover (whichever is higher), applies to breaches of the basic principles for processing, of Data Subjects’ rights and of the rules on international transfers of Personal Data, and to failure to comply with an order from a Supervisory Authority. A lower tier, up to €10 million or 2% of worldwide annual turnover, applies to breaches of other obligations, for example failing to report a data breach or failing to implement appropriate security measures in the first instance.

How to Start Being GDPR Compliant

There is no single ‘right way’ to approach GDPR, as all organisations are different. It’s important to know what needs to be done to be compliant and who is responsible for each data processing activity, so there is someone to own it and ensure it happens. To be compliant, you must capture data lawfully and obtain consent where it is needed. Once captured, Personal Data must be managed and used in a way that also meets compliance requirements. To ensure your organisation adopts good GDPR compliance mechanisms, and every data process is legislatively robust, we recommend:

  • A comprehensive audit: A full assessment and audit of your organisation’s data practices, from end to end. 
  • Minding the gaps: We’ve yet to find an organisation that was fully compliant off the bat. The gaps between theory and practice are often larger than you realise, but they can be closed.
  • Finding the most reliable route: Yes, the shortest distance between two points is a straight line. Sourcing and hiring a GDPR consultant who knows their stuff, and can back up your data processes with technology, is your most reliable route. 
  • Keeping up with the monitoring: Constant monitoring of the processing activities within your organisation and compliance checks are essential.