What Is GDPR?
Having come into effect on May 25th 2018, GDPR is considered to be one of the world's strongest sets of data protection rules. It sets out expectations for how organisations may handle data, while also enhancing the way in which people can access data about themselves, ensuring it is up to date, correct and only used for the purpose for which it was collected in the first place.
The original GDPR documentation is incredibly daunting for a lot of readers, with a full 99 chapters to attempt to get through, so most business owners have opted for the simple translations provided by many organisations. But are they all correct?
For the most part, yes. While different GDPR consultants have different approaches to compliance, the most important factor is to reach compliance.
The regulations were originally created as a framework for laws across Europe and were approved by the European Parliament and European Council in April 2016, shortly after which the regulations were published.
Each member country was given the opportunity to make its own small changes to suit individual circumstances, hence the release of the Data Protection Act 2018, which superseded the previous Data Protection Act 1998.
What is a Lawful Basis?
GDPR categorises data processing into 6 lawful bases. To comply with the regulations you must be able to identify which basis you rely on for each data processing activity.
The 6 legal bases are:
Legal Obligation - If processing personal data is required to comply with a common law or statutory obligation under UK or EU law then this is considered a lawful basis providing that:
· The organisation’s overall purpose in processing is to comply with the legal obligation
· The legal obligation is identifiable in a specific provision or official guidance document
· Processing is necessary
Vital Interest - If the data processing is in the Vital Interests of the data subject then this is a lawful basis. This basis is likely only to apply in emergency medical situations where processing medical data is required to protect a person’s life or the life of another person, but the individual is unable to give consent.
If it is possible to protect the person’s vital interests in an alternative and less intrusive way, then this basis does not apply.
You cannot rely on this basis for health or other special category data (see GDPR Article 9) if the individual is capable of providing their consent, even if they refuse to provide their consent.
Public Task - If processing personal data is required ‘in the exercise of official duty’ or to perform a specific task in the public interest that is set out in law then this is legal.
· This basis is mostly used by public authorities, however, it can also apply to private organisations that carry out duties ‘in the public interest’ (such as a college).
· Processing must be necessary.
· In this case, individuals do not have the right to erasure or data portability.
Contract - Data can be processed if the data is necessary to perform a contract with the data subject. It is acceptable to process the data before the contract is entered into (e.g. providing an insurance quote) provided the information has been requested by the data subject.
· Processing must be “necessary”: the processing must be a reasonable and proportionate way of achieving the purpose.
· If the data subject is less than 18 years old, then an organisation must ensure the individual is sufficiently competent to enter into the contract
· The individual’s right to object does not apply if the Contract is identified as the legal basis for processing. Similarly, the individual’s right not to be subject to a decision based solely on automated processing does not apply
Legitimate Interest - Legitimate Interest is arguably the most flexible lawful basis, but organisations using it must be able to demonstrate a balance between their interest in processing an individual’s data and the individual’s reasonable expectation that they will do so.
Whenever legitimate interest is used as a basis then a three-part balancing test should be applied to justify doing so. In conducting the balancing test the following should be considered:
1. Establishing a legitimate interest (Purpose test):
· What are the benefits for the company/individual/wider society?
· How important are the benefits?
· Is the interest ethical and lawful?
2. Establishing necessity (Necessity test):
· Is the processing reasonable and proportionate?
· Does the processing benefit the legitimate interest?
3. Individuals’ interests v legitimate interest (Balancing test):
· Do the individual’s interests outweigh the legitimate interest?
Only where it can be demonstrated that there is a balance of the interests between the data subject and the organisation can legitimate interest be considered a lawful basis for processing.
Consent - For an organisation to use consent as a lawful basis, data subjects must agree to their personal data being processed. They must have a free choice over whether or not to provide their consent.
· Consent requests must be clear, unambiguous and separate from
· Individuals must actively opt-in by ticking a box, signing a document, providing an affirmative response to a verbal statement etc.
· If a new purpose for processing arises, new consent must be requested from individuals
· Consent must be as easy to withdraw as it was to give
· Evidence of consent must be recorded (when, where and how it
Who Does GDPR Apply To?
Personal data is at the core of GDPR. Broadly speaking, it covers any data that can be used to directly or indirectly identify a living person. There are several obvious categories such as name, location data or an online username; sometimes it is less obvious, as with IP addresses and cookie identifiers, which are both considered personal data.
Therefore, any business, individual or organisation that collects such data is required to comply with GDPR and The Data Protection Act 2018.
Under GDPR there are also categories of data that can be defined as special category, these include such things as race, ethnic origin, political opinions, religious beliefs and many more.
The critical thing about what makes up personal data is that it allows a living person to be identified. Businesses, individuals and organisations who handle data are categorised as either Controllers or Processors. Both are covered by the regulations, and most small businesses can easily fall into both categories.
"Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data," the UK's data protection regulator, the Information Commissioner's Office (ICO) says. It's also possible that there are joint controllers of personal data, where two or more groups determine how data is handled. "Processors act on behalf of, and only on the instructions of, the relevant controller," the ICO says. Controllers have stricter obligations under GDPR than processors.
Although GDPR is EU legislation, it applies to any business, individual or organisation around the world that works with EU citizens' data.
Any use of personal data must be defined by one of the lawful bases.
What About Individuals' Rights?
Individuals or data subjects have certain rights under GDPR that must be adhered to in order to be compliant. However, there are some circumstances where these rights do not apply.
Every data subject has the following rights:
The Right to be Informed - Organisations need to tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.
The Right of Access - Individuals can submit a subject access request, which obliges organisations to provide a copy of any personal data they hold concerning the individual. Organisations have one month to produce this information, although there are exceptions for requests that are manifestly unfounded, repetitive or excessive.
The Right to Object - Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests, or for the performance of a task in the public interest or in the exercise of official authority. Organisations must stop processing the information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of legal claims.
The Right to Erasure - Individuals can request that organisations erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes instances where the individual withdraws consent.
The right to erasure is also known as ‘the right to be forgotten’.
The Right to Rectification - If an individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated. As with the right of access, organisations have one month to do this, and the same exceptions apply.
The Right to Restrict Processing - Individuals can request that an organisation limits the way it uses personal data. It’s an alternative to requesting the erasure of data and might be used when an individual contests the accuracy of their personal data or when they no longer need the information but the organisation requires it to establish, exercise or defend a legal claim.
The Right to Data Portability - Individuals are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that an individual has provided to data controllers by way of a contract or consent.
Rights in Relation to Automated Decision Making and Profiling - The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.