Understanding whether you are impacted by GDPR is a key first step. A survey, carried out at RSA 2017 by Imperva, found that just 43% of companies are preparing for GDPR, 29% were not preparing, and 28% were unaware of any specific preparations being made.
Even if you have no base in one of the EU’s 28 countries, you can still be held accountable if you mishandle the personal data of EU residents.
Here is some further reading on GDPR.
In Part Two of EU GDPR demystified we will focus on how the GDPR legislation defines personal and sensitive data.
We’ll also look at the new requirements facing those that control and process personal data belonging to European Union residents.
Think of all the user data your organization collects, stores and transmits: web forms, cookies, user preferences, etc. Under GDPR, all personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
GDPR provides guidance on what constitutes personal identifiers. It is designed to align better with today’s technologies, services and how firms collect and use personal data.
In the GDPR legislation, personal data is defined as:
‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” (See Article 4)
GDPR has also created special categories of personal data, which includes highly sensitive data such as genetic information, political beliefs, and trade union memberships. Special rules apply here. (See Article 9)
According to Whitecase, companies need to think carefully about what they are collecting:
“For some organisations, the explicit inclusion of location data, online identifiers and genetic data within the definition of “personal data” may result in additional compliance obligations (e.g., for online advertising businesses, many types of cookies become personal data under the GDPR, because those cookies constitute “online identifiers”).
GDPR is quite strict on what the data controller and processor must do in order to process personal data. Here are the main rules:
And the processing of personal data can only lawfully take place if
It is likely that many companies, upon considering what is personal data and what are the responsibilities under GDPR to collate and process it, will consider measures to reduce the amount of personally identifiable data they store, and only store what is necessary for only as long as necessary for fulfil the specific purpose.
One of the big challenges for organizations is to understand how they must revamp their consent procedures in order to leagally process personal data.
GDPR is clear that consent must be a specific, informed, unambiguous free given agreement from the EU data subject. It must clearly indicate acceptance of the proposed data processing. Pre-ticked boxes or inactivity will not constitute consent.
“This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. (See Article 32)
Data however that is already anonymized – where the European subject cannot in any way be identified from the data – falls outside the scope of this legislation. The GDPR is all about identifiable personal data.
“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” (See Article 26)
Both data controllers and processors are mandated to implement “appropriate and organisational measures to ensure a level of security appropriate to the risk.” This includes encryption and – a new concept for European data protection law – pseudonymization.
‘Pseudonymization’ refers to the practice of processing personal data in such a way that the data cannot be tied back to a specific individual. This is effectively an additional privacy wall, where information that directly identifies an individual is separate and unattributable to the personal and sensitive data.
Pseudonymization might indeed reduce the risks associated with data processing without negatively impacting the data’s utility; however it is not designed to replace other security measures:
“The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.” (See Article 28)
Under GDPR, both the controller will be responsible for ensuring a “level of security appropriate to the risk.”
The controller will need to ensure and demonstrate that processing is performed in accordance with this regulation. This means that the controller will be responsible for selecting data processors that provide sufficient technical and organisational measures to meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Security considerations include:
Failure to do so puts your organization at risk of steep penalties, including a fine of up to 20 million Euros or 4% of the previous year’s turnover.
Your first task, outlined in our previous article in this series, was to determine whether you are impacted by EU-GDPR.
Now that we’ve got a better understanding of how the GDPR defines personal and sensitive data, we recommend an information audit of any system that might collate or process personal data of European subjects.
It is wise to consider bringing in outside help for this task. For one, internal resources always develop a few blindspots which can be much more easily seen by an expert unfamiliar with the system architecture. Second, having external readiness assessments experts can radically speed up the process, saving you both time and money.
Plus, this information will be invaluable when you meet with your senior stakeholders, decision makers, lawyers, data managers and cybersecurity experts to flesh out all the implications – if any – that GDPR may impose your operations.
In our next GDPR post, we will provide you with a curated checklist of issues for you to consider to aid your journey to compliance with the new European GDPR regulation, coming into effect in May 2018.
Here is some further reading on GDPR.
If you need help getting your head around EU-GDPR, get in touch. We’re experts on compliance and we’re here to help.