The General Data Protection Regulation (GDPR) is a long and complicated read. Get the essential information from the regulation you need to put your best foot forward towards GDPR compliance here.
This is the first installment of a two-part series. In this first part, you will be introduced to:
- The seven principles of the GDPR
- Six tasks that your organization must master to comply with the regulation
- The governance structure and new roles the regulation introduces
In the next article you will learn how to realize the six tasks and integrate the needed changes into your organization’s architecture, ensuring viable GDPR compliance.
The seven GDPR principles
The GDPR is built on seven principles that set the frame for how to handle individuals’ personal data with care.
The seven principles, which are depicted in the above figure are:
1) Lawfulness, Fairness and Transparency: You must either have consent from the relevant individuals to process their personal data, or process the data for one of the reasons described in Article 6 of the regulation. For example, it won't be necessary to get consent from employees to have their personal data stored, because the data is necessary for the employer to uphold the employment contract made with the concerned individual. However, you still need to comply with the GDPR in how you handle the personal data, regardless of whether consent for processing is needed. To ensure the basis for processing is valid, you should get assistance from your legal team to review Article 6 of the GDPR and interpret it for your specific situation. You should then document how you comply with this principle and make the information accessible to the relevant parties on request.
2) Purpose Limitation: You must specify and document for what purpose the personal data is stored and processed. You must ensure that the data is not used for any other purpose (except for the purpose of archiving for public interest, scientific or historical research, or for statistical purposes).
3) Data Minimization: the personal data must be limited to what is necessary in relation to the purpose for which it is collected. So, no excess data for ‘just in case’!
4) Accuracy: the personal data must be accurate and, where necessary, kept up to date. All reasonable steps must be taken to ensure that inaccurate personal data (with regard to their processing purposes) are erased or rectified without delay.
5) Storage Limitation: the personal data should not be kept in a form where the data subjects are identifiable for longer than necessary for its processing purposes.
6) Integrity and Confidentiality: the personal data must be appropriately secured against processing that is unauthorized (by the organization) or unlawful (where the reasons for processing are not valid). Appropriate technical and organizational measures must also be used to secure the personal data against accidental loss, destruction or damage.
7) Accountability: the organization controlling the personal data is responsible for demonstrating compliance with the above six principles. The responsibility for compliance cannot be moved from the controlling organization to the processing organization. The controlling organization (i.e. the organization that has determined the purpose for processing) must ensure, for example by contract, that the processing organization lives up to the GDPR requirements.
To comply with these seven principles, I have identified the following six tasks that your organization must master:
- Handle and document consent
- Respond to inquiries
- Document and continuously update business rules, data processing agreements and affected processes to ensure compliance
- Prove compliance through audits
- React to (possible) data breaches (within 72 hours)
- Continuously evaluate risk and take appropriate measures to ensure integrity and confidentiality of the data and that the organization remains compliant with the principles of the GDPR.
These six tasks will be further expanded upon in the follow-up article, where you will learn how complying with the GDPR can be integrated into your organization’s architecture.
The roles in the GDPR
The Regulation introduces five new roles:
- The Data Protection Officer (DPO)
- The data controller (a data controlling organization)
- The data processor (a data processing organization)
- The Individual
- Supervising Authorities
It also differentiates between personal data and sensitive data:
- Personal data is defined as any information relating to an identified or identifiable individual, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (GDPR, Article 4).
- Sensitive data is characterized as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation (GDPR, Article 9).
You must appoint a Data Protection Officer (DPO) if your organization is a public authority, if there is a need for regular and systematic monitoring of individuals (e.g. online behavior), or if one of the core activities of your organization is to process sensitive data on a large scale. Otherwise, appointing a DPO is voluntary.
The DPO functions as the Individual’s representative in your organization and is the main point of contact for individuals with inquiries about their personal data, as well as for supervisory authorities. It is the responsibility of both the controller and the processor to ensure that the DPO is involved in all issues relating to the protection of personal data. The DPO must not be given instructions by the controller or processor regarding how to perform his or her tasks. The tasks of the DPO, aside from those mentioned above, are to advise the organization on how to comply with the regulation, to monitor compliance, and to advise on when to carry out Data Protection Impact Assessments.
The data controller is a role an organization can have in relation to an individual or a data processor. The data controlling organization is responsible for defining the scope and purpose for processing. It must take the risks of a possible data breach for the Individual into account when implementing data protection policies and appropriate technical and organizational measures to ensure GDPR compliance. If the data is sent to a third country for processing or otherwise, the controller must inform the individual of the data transfer and still ensure the regulation is complied with. The data controlling organization must also adhere to codes of conduct that are drawn up by local supervisory authorities.
The data processing organization must provide sufficient guarantees that it will implement appropriate technical and organizational measures for GDPR compliance in order to be eligible, and may not outsource the processing of personal data without the knowledge and acceptance of the controller. If the processing is outsourced, the new data processor must live up to the same requirements as the original processor. The processing must be governed by a legal contract that stipulates the scope and purpose for processing. The contract must define the duration of the processing as well as the type of personal data and the obligations and rights of the controller. If the processing organization infringes the regulation by determining the scope and purpose of processing itself, it will be considered a controller in respect of that processing.
The Data Subject, here also referred to as the Individual, has new rights regarding their data. They can demand:
- Rectification of personal data when it is incorrect,
- Erasure of personal data
- To be ‘forgotten’ – meaning the controller should contact all recipients and processors of the data and ask them to erase all links to or copies of that personal data.
- Restrictions on how the data can be processed – for example to limit the use of personal data for profiling.
- To receive a copy of the personal data – meaning it must be portable.
There are exceptions to complying with these demands, for example if the controlling organization evaluates the claim to be unreasonable. The Individual then has the right to lodge a complaint about the decision with the supervisory authority.
To hold your organization accountable and to investigate individuals’ claims against organizations regarding their treatment of personal data, the EU has a Data Protection Supervisor that will be supplemented with local supervisory authorities. It is the responsibility of the supervisory authority to establish and publicize which kinds of processing require a Data Protection Impact Assessment. They may also define adequate codes of conduct for organizations and establish certification mechanisms to help demonstrate compliance. If an organization infringes the regulation, the supervisory authority can fine the organization up to either 20,000,000 EUR or up to 4% of its total annual turnover of the preceding financial year, whichever is higher.
The cost of not complying can be detrimental for an organization. Therefore it is paramount that compliance is thoughtfully implemented so that it is effective and maintainable. In the next installment I will explain how your organization can integrate GDPR compliance into its architecture so that it becomes a natural part of your organization.