
GDPR Definition

The new digital world has connected us all via electronic devices. We share our personal data with organisations more than ever, sometimes willingly and sometimes without even realising it. In this era, our data needs more privacy and protection. The European Union (EU) has taken a big step towards data protection by creating the biggest privacy law to date, one that affects not just EU organisations but any organisation around the world that works with EU individuals.

GDPR, the General Data Protection Regulation, is a set of data protection rules that aims to protect the personal data of EU residents by giving them more power and control over the data that relates to them. GDPR came into effect on 25th May 2018.

Does GDPR apply to your business? What is it really about? These are probably the first questions you will ask, but before answering them you need to know some key GDPR terms.

Data Subject

Every living person who is an EU resident

The Scope of GDPR

It applies to organisations that process the personal data of EU individuals, whether the organisation is physically located inside the EU or not

Material Scope

It includes personal data that is processed wholly or partly by automated means, or as part of a filing system

Personal Data

Any information that directly or indirectly reveals the identity of someone is considered personal data. It could be a name, email, address, or an online identifier such as an IP address or a cookie

Controller

An organisation that sets the purpose and makes the main decisions about personal data processing

Processor

An organisation that processes personal data on behalf of a controller

Data processing

It includes any activity related to personal data, such as collection, use, storage and transfer

If you are a company inside or outside the EU that provides services or products to EU individuals, you must comply with the GDPR. The regulation grants people eight rights over their personal data and sets seven principles to make sure companies put the data subject's rights at the heart of their data processing efforts.

What are the data subject rights?

According to GDPR, every data subject has 8 rights when it comes to personal data. In this section we briefly explain these rights.

The right to be informed

This is one of the most important concepts of the GDPR, and if you can successfully provide people with this right, you are much closer to GDPR compliance. It means you need to tell people that you are collecting their data, what your purpose in collecting it is, who you will share the data with, and how long you intend to keep it.

You should use clear, easy-to-understand language to convey this information to the data subject.

The right of access

This right, commonly known as subject access, enables individuals to see their personal data whenever they want, and organisations have one month to give them access. Individuals have the right to ask for a copy of the personal data an organisation is processing, and the organisation must respect this right. Going further, the company should provide a means on its website to help people make their access requests easily.

The right to rectification

Data subjects can ask for the correction of any inaccurate or incomplete personal data, and you have to take appropriate action to respond to their request and rectify the data unless you can justify keeping it as it is.

It is good practice to make sure you collect accurate data in the first place, to avoid possible challenges later.

The right of erasure

GDPR gives data subjects the right to ask for their personal data to be erased, also referred to as the right to be forgotten. You have one month to provide them with an appropriate answer. However, this right does not apply in all circumstances. Here is a list of situations in which you need to act on a data subject's request to have their personal data erased:

  • You no longer need the personal data for your processing
  • You don’t have a valid lawful basis for keeping the personal data
  • You have consent as your lawful basis
  • There is a legal obligation
  • You have collected the data from children
  • You are using the subject’s personal data for direct marketing

The right to restrict processing

Data subjects have the right to restrict the processing of their personal data, which makes you responsible for doing so. However, this right, like the right of erasure, only applies in certain situations, including:

  • You are in the process of verifying the accuracy of someone’s personal data
  • There is no valid lawful basis for processing the data
  • Individuals need their data for some reason while you don’t need it for your purpose anymore
  • Data subjects have questioned your legitimate interests as a reason for processing their personal data

You have one month to provide the data subjects with an answer to their requests.

The right to data portability

With so many companies offering different services to individuals, being able to transfer data between organisations is a valuable option, and GDPR recognises this by granting data subjects the right to data portability.

This right applies when:

  • You have chosen consent as your lawful basis
  • It’s necessary for a contract between you and the data subject
  • You are processing the data electronically

This right does not apply to data that has already been anonymised. Pseudonymised data is within the scope of this right if it is still traceable to the individual.

The right to object

In some situations, when you are processing personal data on the basis of legitimate interests or public tasks, you have to stop the processing on the data subject's request. In the case of direct marketing, data subjects have an absolute right to object to the data processing.

You have one month to respond to the data subject's request. You either stop processing their personal data or justify why you cannot do so.

Rights in relation to automated decision making and profiling

This right applies when your organisation has a completely automated decision-making or profiling process in place. For example, you might be a financial institution that evaluates clients' eligibility for a line of credit through an automated process without any human involvement.

Data subjects are able to question your process when it has a significant negative impact on them, and you have to provide them with an answer.

You are allowed to run a solely automated decision-making process when it is required by law, when there is a contract between you and your client, or when your client has given you his or her explicit consent.

At every stage of processing personal data, from collection to destruction, these 8 rights should be the basis for everything you do. To that end, the GDPR sets 7 principles for controllers, and breaching any of them amounts to violating the GDPR.

Before going into more detail about each of these principles, the picture below gives a general overview of how they apply throughout the lifecycle of data in your organisation.

You need to keep these principles in mind, no matter where you are standing regarding your data processing procedure.

A closer look at 7 GDPR principles

Now that we are clear on the importance of principles, let us review them briefly.

Lawfulness, fairness and transparency

This principle includes 3 elements, all of which you need to consider in your process. You must make sure that:

  • you have a lawful ground for processing personal data
  • people are aware of what you are doing with their data
  • your actions are aligned with what they expect from you
  • and lastly, your data processing does not have any negative consequences for data subjects

This principle is tied to the right to be informed.

Purpose limitation

Declaring your intention(s) for processing personal data right from the beginning, in a clear and concise manner, is a vital step towards becoming GDPR compliant.

Records of your purpose(s) must be part of your documentation and of the privacy information you give individuals.

In other words, you need to inform people why you are collecting their data and what you want to do with it in the future. It is critical to know your exact purpose at the beginning, because you cannot easily change it later unless the new purpose is compatible with what you declared in the first place.

Data minimisation

Being asked for so much unrelated information is a familiar scenario that most of us have come across before. GDPR wants to make sure you are only collecting the information that you need, nothing more or less.

GDPR does not recommend a specific data limitation; instead, your purpose should be your guide on how much data is enough for your particular intent. This is another reason why you need to be clear about your purpose right from the start.

You cannot collect information that you might one day use or need. You must collect the minimum amount of data related to your purpose.

Collecting less data than you need to fulfil your purpose makes that data inadequate, and you should not process it, as doing so might violate the subject's rights.

Accuracy

As the name implies, this principle asks you to make sure the personal data you have collected is accurate. In addition, you have to update the information when it is necessary. Otherwise, individuals can use their right to rectification.

Storage limitation

This principle is closely linked to other principles such as data minimisation and accuracy, and to the subject's right to erasure. At its core, the storage limitation principle requires you to declare and justify how long you want to keep the data.

Data Retention:

GDPR does not accept storing data forever or for some new purpose in the future. You need to have a clear lifecycle for the personal data you collect.

When you no longer need the data, you have to make sure to delete it or use other techniques including anonymising or pseudonymising.

Pseudonymisation

This refers to data that has been transformed into some sort of key or code, where you are still able to identify individuals using that data. This process does not justify keeping data for longer than is necessary for your purpose.

Anonymisation

You can keep data as long as you want if it is not personally identifiable. Anonymising is considered a valid way to keep data for a long period of time, or indefinitely.
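To make the distinction between pseudonymisation and anonymisation concrete, here is an added example (not code from the original page or from Compliance Council) over constructed sample records: pseudonymised records replace direct identifiers with a keyed token that the key holder can recompute, so they remain personal data; anonymised records drop the identifiers and generalise the remaining fields so no key leads back to a person. The key, field names and records are assumptions made for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Optional

# Constructed sample records; the people and values are invented for this example.
RECORDS: List[Dict] = [
    {"name": "Alice Example", "email": "Alice@example.com", "age": 34,
     "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.com", "age": 52,
     "postcode": "M1 1AE", "diagnosis": "diabetes"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def subject_token(email: str, key: bytes) -> str:
    """Derive a stable token from an email with a keyed HMAC. Only the holder of
    `key` can recompute it, so the key is the 'additional information' that must
    be kept separately from the pseudonymised data set."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: Dict, key: bytes) -> Dict:
    """Replace direct identifiers with a token. The result is still personal data
    under the GDPR, because the key holder can link it back to a person."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = subject_token(record["email"], key)
    return out


def anonymise(record: Dict) -> Dict:
    """Drop direct identifiers and generalise quasi-identifiers (exact age and
    full postcode) so that no key or lookup leads back to the individual."""
    return {
        "age_band": f"{(record['age'] // 10) * 10}s",
        "postcode_area": record["postcode"].split()[0],
        "diagnosis": record["diagnosis"],
    }


def find_subject(dataset: List[Dict], email: str, key: bytes) -> Optional[Dict]:
    """Re-identification as the key holder would do it: recompute the token for
    a known email and look it up. Returns None when no record matches."""
    token = subject_token(email, key)
    return next((r for r in dataset if r.get("subject_token") == token), None)


def is_personal_data(record: Dict) -> bool:
    """A record is treated as personal data if it carries a direct identifier or
    a reversible token; anonymised records carry neither."""
    return any(k in record for k in DIRECT_IDENTIFIERS + ("subject_token",))


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-separate"   # assumption: stored apart from the data
    pseudo = [pseudonymise(r, key) for r in RECORDS]
    print("pseudonymised:", pseudo)
    print("re-identified Alice:", find_subject(pseudo, "alice@example.com", key))
    print("anonymised:", [anonymise(r) for r in RECORDS])
```

Without the key, the pseudonymised set cannot be linked back; with it, it can, which is exactly why pseudonymisation does not take the data out of the GDPR's scope while anonymisation does.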

Integrity and confidentiality (security)

This principle is all about the security of the personal data you hold. You need to have adequate technical mechanisms as well as the right organisational processes in place to be able to keep the data safe against any harm or damage.

The GDPR does not prescribe a specific method for safeguarding the data. It depends on your organisation's circumstances and what makes sense for you in terms of applicability and cost. Pseudonymisation and encryption are two methods currently available, and you can use whichever suits you.

Accountability

You should be able to demonstrate that you are responsible for the whole lifecycle of personal data processing in your organisation. Accountability is about showing your compliance with the GDPR and all the previous principles.

The GDPR does not introduce any fixed framework for demonstrating compliance, which gives you the freedom to act based on your own circumstances and to update your mechanisms when necessary. However, you must be able to document the process in a way that proves you comply with the GDPR.

6 Lawful bases for processing

In the principles section, we talked about how your data processing must have a lawful ground. The GDPR introduces 6 lawful bases that allow organisations to process personal data. Based on your specific purpose, you can select the lawful basis that fits best. You should identify and document your lawful basis before you begin processing the personal data.

If you carry out this step right, you gain the trust of your clients and build a long-lasting relationship with them.

At least one of these 6 lawful bases should apply when you are processing the personal data. Here are the lawful bases at a glance:

Consent

In this case, individuals give you permission to process their personal data. This only works when you give clear information about your data processing and the data subject is in full control of the process and can withdraw consent at any time.

Where there is an imbalance of power, such as an employer-employee relationship, using consent as the lawful basis should be avoided as far as possible.

Contract

This can be your lawful basis when there is a contract between you and the data subject and processing the personal data is necessary to perform the contract, or to enter into it.

Legal Obligation

When you have to comply with a law and processing personal data is required, you can set legal obligation as your lawful basis. For example, employers need to keep the records of employees’ payroll for tax purposes.

Public Task

This applies when you are exercising official authority or carrying out a task in the public interest. Either way, performing the specific public task must require the processing; if not, you should find a more appropriate lawful basis for your purpose.

Vital Interests

This lawful basis is limited to situations where a matter of life or death is at hand, mostly in medical cases. Otherwise, you cannot use vital interests as the lawful basis for processing personal data. You must be sure that no other ground is more suitable; for example, that you cannot use consent as your lawful basis.

Legitimate interests

When you or your third parties need to process personal data for a reasonable interest that is justifiable under the GDPR, you can choose legitimate interests as your lawful basis.

You can benefit from the flexibility of this lawful basis as long as you make sure that you are not overriding the interests or freedoms of data subjects and do not use their data for anything that might have a negative impact on them.

Why Is GDPR Compliance Important?

There are various reasons why you need to comply with the GDPR and various ways it can influence your business. We explain a couple of the most crucial ones here:

Avoid penalties and fines

Penalties for non-compliance are significant, with large fines for those in breach of the regulation: the maximum fine for a single breach is €20 million or 4% of annual worldwide turnover, whichever is greater.

Whether you are a large tech company like Google or a sole trader, the GDPR applies if you process EU individuals' personal data.

Clients and third parties’ expectation

The GDPR applies to a large portion of companies around the world and could be considered the first global data protection law. The range and severity of these rules have led to high awareness among the people who share their personal data with you and the companies that want to work with you. In such an environment, compliance with the GDPR is a must for the success of your organisation.

Effective business process

Preparing for GDPR compliance might not be easy at first, but the result can help you develop a simplified and organised workflow. Since data is one of the main assets of any organisation, you can expect to save money and time in the long term as a result of having effective work processes.

Competitive advantage

You can be among the trusted companies for your end users as well as a reliable partner for companies who want to work with you. The sooner you comply with GDPR, the better you can position yourself as a trustworthy organisation among others.

The amount of work needed to become GDPR compliant depends on your organisation's characteristics, complexity and resources, but the result is always more effective data processing and stronger data governance that encourages trust.

Data Inventory and Data Flow Mapping

Article 30 of the GDPR asks controllers and processors to maintain a record of their processing activities. For organisations with more than 250 employees, having documented processes is mandatory. For smaller organisations, there is no obligation unless you process personal data regularly, your processing puts data subjects' rights and freedoms at high risk, or you process the special categories of personal data.

Special categories of data include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Genetic data
  • Biometric data
  • Health data
  • Data concerning the sex life or sexual orientation of the data subject

Documenting your data processing, even if you are not obliged to do so, is a great way to initiate or demonstrate your compliance with the GDPR, because it helps you identify the gaps between your current process and what the GDPR expects.

One way to gather all the personal data processes in your organisation is to build a data inventory. A data inventory records every data processing activity, with its related details, in one place.

You can use a technique called data flow mapping to create your data inventory. A data flow pictures the entire lifecycle of data in your organisation in a clear and concise manner. It shows what data you hold, where it comes from and how it transfers inside or outside the organisation. Your data flow maps demonstrate the current flow of information and reveal where the gaps are. At this point, it will be easier to know what needs to be done to fill the gaps.

There are many elements you can include in your data flow maps, but these are among the key elements you should consider adding:

  • What kind of information you have collected?
  • What is the format of the data you are collecting?
  • How do you move this data internally or externally?
  • Where does this data come from and where do you store it?
  • Who is the data subject?
  • Who receives this data?
  • What is the purpose of collecting the data?
  • What is the lawful basis?
  • What security measures are in place?

This list can go on as long as you want. The important point to bear in mind is that this is not a one-time activity; you need to keep your data maps up to date. You might need to add new elements to your data flow to make sure you can satisfy the demands of clients, third parties or regulators.

The best way to approach creating your data flow maps depends on your organisation’s structure or preference. Some companies prefer to create a data flow for every process that they have inside their organisation, such as sales, customer service, performance evaluation, while for others creating a data flow for each department makes more sense.

All these data flow maps that you create shape your data inventory. If you do this step successfully, you will be able to address some major concerns of GDPR including:

  • Data subject rights
  • Information security
  • Breach notifications
  • Third party relationship

Using a data inventory as a means of documenting data processing in your organisation puts you in a position of power and control over your data processing procedures.
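As an added example (not code from the original page or from Compliance Council), the following Python turns the key elements listed above into one inventory row per processing activity and runs a simple gap check against the principles and the Article 30 triggers described on this page. The dataclass fields, the two sample activities and the "internal:"/"external:" transfer convention are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List

# The six lawful bases and the special categories as listed on this page.
LAWFUL_BASES = {"consent", "contract", "legal obligation", "public task",
                "vital interests", "legitimate interests"}
SPECIAL_CATEGORIES = {"racial or ethnic origin", "political opinions",
                      "religious or philosophical beliefs", "genetic data",
                      "biometric data", "health data", "sex life or sexual orientation"}
PROTECTIVE_MEASURES = {"encryption", "pseudonymisation"}


@dataclass
class ProcessingActivity:
    """One inventory row; fields follow the key elements of a data flow map."""
    name: str
    data_categories: List[str]   # what information is collected
    data_format: str             # e.g. "database", "paper"
    source: str                  # where the data comes from
    storage: str                 # where it is stored
    transfers: List[str]         # "internal:<system>" or "external:<recipient>"
    data_subjects: str
    recipients: List[str]
    purpose: str
    lawful_basis: str
    security_measures: List[str]
    retention_period: str = ""   # empty = not declared
    regular_processing: bool = False


def find_gaps(a: ProcessingActivity) -> List[str]:
    """Check one inventory row against the principles described on this page."""
    gaps = []
    if a.lawful_basis.strip().lower() not in LAWFUL_BASES:
        gaps.append(f"{a.name}: '{a.lawful_basis}' is not one of the six lawful bases")
    if not a.purpose.strip():
        gaps.append(f"{a.name}: no declared purpose (purpose limitation)")
    if not a.retention_period.strip():
        gaps.append(f"{a.name}: no retention period (storage limitation)")
    if not a.security_measures:
        gaps.append(f"{a.name}: no security measures recorded (integrity and confidentiality)")
    external = [t for t in a.transfers if t.lower().startswith("external:")]
    if external and not ({m.lower() for m in a.security_measures} & PROTECTIVE_MEASURES):
        gaps.append(f"{a.name}: external transfer {external} without encryption or pseudonymisation")
    return gaps


def has_special_categories(a: ProcessingActivity) -> bool:
    return any(c.lower() in SPECIAL_CATEGORIES for c in a.data_categories)


def article30_record_required(employees: int, inventory: List[ProcessingActivity]) -> bool:
    """Article 30 as summarised on this page: mandatory above 250 employees, otherwise when
    processing is regular or involves special categories. The 'high risk to rights and
    freedoms' trigger is a judgement call and is not coded here."""
    return employees > 250 or any(a.regular_processing or has_special_categories(a)
                                  for a in inventory)


# Constructed sample inventory; organisations, systems and values are invented.
INVENTORY = [
    ProcessingActivity("Payroll", ["name", "bank account", "salary"], "database",
                       "HR onboarding form", "HR system",
                       ["internal:HR system", "external:payroll provider"], "employees",
                       ["payroll provider", "tax authority"], "pay staff and report tax",
                       "legal obligation", ["encryption", "access control"],
                       "6 years after employment ends", regular_processing=True),
    ProcessingActivity("Wellness survey", ["name", "health data"], "spreadsheet",
                       "staff survey", "shared drive", ["external:benefits broker"],
                       "employees", ["benefits broker"], "plan wellbeing programme",
                       "business need", []),
]

if __name__ == "__main__":
    for activity in INVENTORY:
        print(activity.name, find_gaps(activity))
    print("Article 30 record required:", article30_record_required(40, INVENTORY))
```

The second sample row shows the kind of gaps a first data flow mapping pass typically surfaces: an invented lawful basis, no retention period, no recorded security measures, and an unprotected external transfer of health data.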

Data Security Breaches: How ISO 27001 Standard Can Help

GDPR describes a personal data breach as:

“…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

This definition shows that data breaches have a wider range under the GDPR.

As a controller, in the event of a data breach, you go through the following phases:

  • Confirmation - First, you need to make sure there has been a data breach, via your IT department, reports from third parties or clients, or any other possible source.
  • Risk assessment - Next, you assess the risk to data subjects, which leads to one of three outcomes:
      • The risk is minor, the data breach is not significant, and there is no need to report it.
      • The risk is high, and you need to report it to the supervisory authority.
      • The risk is significant and could cause harm to data subjects, so you have to report the breach to both the data subjects and the supervisory authority.

A processor must notify the controller of any personal data breach without delay.

You have only 72 hours to notify the supervisory authority when there has been a significant breach of personal data. That means you need to already have the appropriate mechanisms in place to identify the data breach, confirm it and perform the risk assessment in a short amount of time; otherwise you could suffer considerable fines.

The GDPR expects you to be proactive and take appropriate steps to keep personal data safe. Waiting until a data breach happens and then looking for a solution is therefore not the best option. You have to show that you take data governance seriously and that your organisation has the mechanisms to demonstrate it.

Having an ISMS (Information Security Management System) in your organisation could be a very powerful tool for managing risks and data security. ISO 27001 is a globally accepted and approved standard that provides the requirements for the ISMS.

Just like the GDPR, ISO 27001 takes a risk-based approach to data protection. The ISO 27001 framework guides you through:

  • Identifying all the data related processes and related parties in the organisation
  • Achieving top management commitment
  • Determining and managing risks
  • Assigning data owners and allocating responsibilities
  • Documenting the data protection activities

The ISO 27001 standard goes one step further by providing 114 security controls, each of which helps you address a data security issue.

Certification to ISO 27001 does not mean you automatically comply with the GDPR, but it goes a long way towards GDPR readiness and creates a very useful base for your documentation. You can find more information about the ISO 27001 standard here.

Where to start

GDPR is a very strict law that has a huge impact on the way personal data privacy is treated and on how organisations approach data privacy and data governance. It is about putting customers' rights at the centre of what you do and earning customer trust.

Implementing the GDPR needs the commitment and constant engagement of the entire organisation. But, like any other big change in an organisation, it requires top management to be involved and to start the compliance process from the highest level of the organisation. Senior management should show that data protection is one of the organisation's top priorities by allocating appropriate support and resources.

The next step is providing awareness and training for employees in all departments that touch personal data in any way. In addition, there should be a person or a team in your organisation who is clearly responsible for data protection activities and issues.

From there, building your data inventory is a smart move. It helps you identify all your data processing activities, and the gaps between your current state and the state you need to reach to become GDPR compliant.

You can seek external help to make the process easier and smoother. Here at Compliance Council, our team of consultants can accelerate and simplify your compliance process. For more information you can fill out our contact form or talk to our general manager Jason O’Grady.