The General Data Protection Regulation (GDPR) is an Information Management and Process challenge, which can be met using techniques such as Master Data Management, Information Governance, Process Management and a Data First Culture within your organisation. It is an opportunity that you have until the 25th May 2018 to start getting benefit from, and every day after.
➢ GDPR and the rising cost of ransomware
➢ The final version of GDPR
➢ Is the world ready for GDPR? Privacy and cybersecurity impacts are far-reaching
➢ Building General Data Protection Regulation (GDPR) implementation plan in 10 steps
GDPR is an Information Management challenge, not a Legal one
Legal input is also a key component, for example when considering Model Clauses and Binding Corporate Rules that define how data is transferred between companies; however, GDPR is primarily an Information Management challenge.
This is not legal advice
This is not a definitive guide to the fine print of GDPR, nor legal advice. Many people have already copied and pasted the information available on the EU Commission or ICO websites and republished it in articles; I'm hoping to portray GDPR in a more digestible format. After all, simplicity is the hardest thing to achieve.
|- > Legal Basic
|--- > Consent
|--- > Contract
|--- > Legal
|--- > Vital Interest
|--- > Public Interest
|--- > Legitimate Interest
|- > Principles
|--- > Lawful
|--- > Legitimate
|--- > Minimised
|--- > Accurate
|--- > Retention
|--- > Security
|--- > Accountability
|- > Subject Rights
|--- > Informed
|--- > Access
|--- > Rectification
|--- > Erasure
|--- > Restrict Processing
|--- > Data Portability
|--- > Object
|--- > Automated Decision
|- > Scope
|--- > Natural Living Person
|--- --- > Managed in EU
|--- --- > EU Citizen Global
|- > Processes
|--- > DPIA
|--- > Privacy by Design
|--- > Subject Access - > 1 month
|--- > Data Breach - > 72 Hours
|--- > Data Mapping
|--- > Data Deletion
|--- > Data Anonymisation
|--- > Data Portability
|--- > Contract Management
|- > Big Fines
|--- > Principles
|--- > Rights
|--- > Transfers
|- > Transfers
|--- > EEA
|--- > Whitelisted
|--- > Adequate
|- > DPO
|--- > Large Scale
|--- > Public Data
|--- > Sensitive Data
|--- > Not Operational
|- > Sensitive
|--- > Racial
|--- > Ethnic
|--- > Political
|--- > Religious
|--- > Philosophical
|--- > Trade Union
|--- > Genetic
|--- > Biometric
|--- > Health
|--- > Sexual
Scope of GDPR
Let's start with the Scope. Essentially GDPR aims to protect the rights and freedoms of you and me as EU Citizens, no matter where in the world our data is being processed. Under GDPR we, people, are known as Data Subjects.
--- > Scope --- > Natural Living Person --- > Managed in EU / --- > EU Citizen Global
GDPR has global impact - do not think this is for European companies only
If you are a company based in the EU, you need to comply. If you are a company based outside of the EU and have EU customers, you need to comply. Please don't delay because of Brexit: it will have no impact on 99% of what you need to do.
Your Rights as a 'Data Subject'
Under GDPR, as 'Data Subjects', we have certain rights that must be granted to us by the companies we provide our data to.
I've outlined these rights below in a little more detail.
The Right to be Informed, provides you with a right to know what data is being collected directly from you, or data about you provided to a company by a third party.
You must be told what data is being collected, for what purpose, what Legal Basis (see article coming soon) allows the collection, how long it will be kept for, what types of companies will receive the data, and in which countries the data is being kept or to which it is being sent.
You also need to be provided contact details of the Data Protection Officer (see below) and be told how you can withdraw Consent.
Under your Right to Access, companies must put in place Subject Access Request processes that allow you to request a copy of your data. Companies must provide this service free of charge and complete your request within 30 days, in most circumstances. Requests must be genuine and made in writing, whether by post, email or even an official social media account hosted by the company.
You will need to be specific about the information you require, time periods you wish to see, and also be able to provide the necessary identification to prove who you are. Typically this will be in the format of Photo ID and Proof of Address.
Similar in nature to the Right to Access, you also have the right to have your data rectified once you have identified data that is out of date or incorrect. For example, should your name change, you have the right to ask for this to be updated.
Your right of Erasure, or "Right to be Forgotten" as it is more commonly known, allows you to request that all Personal Data held about you is deleted. If, however, your data is being held for a specific purpose under the Legal Basis section (see article coming soon), then the company can refuse this request and inform you why this decision has been made.
As an example, you purchase a car from your local car dealer and they keep sending you marketing material. You can ask that your consent for receiving marketing material is withdrawn (hopefully you would have given consent), however you cannot ask for details to be removed where they are necessary for financial regulations or other laws that may apply.
Where data about you is not accurate and the company is contesting this, where it is being processed unlawfully, or where it is kept longer than stated, you have the right to request that the data is no longer used for any purpose.
Your Right to Portability enables you to receive a copy of data about you that you can send to a new service provider. This is particularly useful when you want to move services such as utility or financial service providers, and many of these companies already allow this to happen. There are restrictions, however, so don't expect to just get all of your data to send elsewhere: it needs to be data you've provided under consent or a contract, and data that is processed using automated means.
The Right to Object provides you with a right to stop processing, where data is being processed using Legitimate Interests (Article on Legal Basis coming soon), Direct Marketing or Scientific/Historical Research.
With the rise in Artificial Intelligence, Big Data and advanced Analytics, more than ever we are at risk of decisions being made by an Automated Process without human intervention. GDPR has addressed this by providing extra protection in these circumstances. You have the right not to be subject to a decision when the decision has a legal or similarly significant impact; however, this does not apply when the decision is part of a contract, is authorised by law, or you've given explicit consent.
Data Protection Officer (DPO)
If a company meets certain conditions then it needs to appoint a DPO:
➢ Process personal data on a large scale
➢ Public Authority
➢ Process Sensitive Data (see next article)
This role will ensure that all GDPR requirements are met and be the point of contact for GDPR processes such as Subject Access Requests, but will not be responsible for executing those processes. The DPO role can be shared across a group, be outsourced, or be appointed even if the above conditions do not apply.
DPOs cannot have conflicts of interest within an organisation, and they are also protected under law in their role.
You've probably seen many 'scare tactics' and headline grabbing statements about €20,000,000 or 4% turnover fines. These fines will likely be rare, and the most severe fines will be kept for infringements of the Data Subject Rights, poorly managed Transfers of data to other countries or not applying the core Principles.
The ICO, and other regulators, are expected to take a pragmatic approach to issuing fines, as fines are not the ultimate goal of the regulator; the goal is to protect the Rights and Freedoms of individuals. If, however, you've made little or no attempt to implement the relevant controls, or have dismissed GDPR as not a big thing, then expect big fines to come your way.
GDPR fines funding parties and bonuses
A quick note here too, to dispel a few myths: regulators such as the ICO will not be keeping the money they collect from fines. As with fines issued today under the Data Protection Act, the fines will go to the relevant treasury department. Fear not, the ICO is not looking to line its own pockets.
Let's start off with a relatively simple one, that of transfers of data between countries, with a quick note here: when we are talking about data we are talking about data in Scope.
Countries will be divided into 3 distinct groups, or 4 if you include 'everywhere else' that is not in one of the first 3 lists; consider this last group your 'blacklist'.
Firstly, there are all the countries within the EEA, where there will be no restrictions in place on transfers of data. That is not to say the transfer does not have to meet the Principles and still uphold the Subject Rights.
EEA: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden & the UK. Plus: Iceland, Liechtenstein & Norway
The second list is countries that are deemed to have Adequate levels of data protection in place, that is, at least equivalent to GDPR. As with the EEA countries, this means it is OK to send data to these countries, whilst upholding the other requirements of GDPR.
Adequacy: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, United States & Uruguay
As and when Brexit is triggered, the UK will have to apply to gain Adequacy status to be included in the above list. The USA is covered today under Privacy Shield; however, it is yet to be fully understood whether Privacy Shield will be deemed adequate under GDPR, and no doubt case law will come to answer this one over time. On a side note, if you see Safe Harbor mentioned, this no longer exists: step away from the vendor.
Finally there is the list that I've called the 'Whitelist' which will be all those countries that are deemed to have appropriate safeguards. As of yet this list is not published, but when it is I'll be sure to update the article.
For all other countries, without explicit consent and a stated purpose you should not be transferring data to them without looking at all other options first and working with your regulator and DPO to take appropriate advice.
The principles should all be part of your Business Analysis process, feeding into your Privacy by Design process.
Processed lawfully, fairly and in a transparent manner
Ensure that you have legitimate grounds for collecting and using the personal data, that it will have no unjustified adverse impact on the data subject, and that it is processed transparently and lawfully. This relates closely to the Right to Be Informed, where in your Privacy Notice you inform the Data Subject how their data will be used.
Collected for specified, explicit and legitimate purposes
In essence, ensure that you are explicit at the point of capturing the data on how it is to be used, you have a legitimate use for the data and understand that you cannot be vague with your privacy notices.
Adequate, relevant and limited to what is necessary
When deciding what data to collect, at every step you should be asking "Why do I need it?". Gender is a good example: people often collect this information but struggle to justify why it is actually needed. You cannot collect information for which you do not have a legitimate purpose, and which you have not explicitly declared in your Privacy Notice.
Accurate and, where necessary, kept up to date
You have a responsibility to keep data up to date and accurate. If you record employee names in multiple places without processes in place to update for example Surnames, then you will be keeping inaccurate data.
Age is another: if you collect both Date of Birth and Age, and have reason for doing so, ensure you have a process to update Age so that it stays accurate.
Retained only for as long as necessary
Personal data should be kept for no longer than is necessary to fulfil the defined purpose. If, for example, you are booking a restaurant for a customer and collecting any allergies for this purpose, once the event has taken place you have no need to keep this data, and therefore it should be deleted.
An interesting challenge here is putting in place a process for when you restore data from backups, making sure you re-delete all data you had previously deleted; make it rules driven and automated where possible.
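The two points above, retention driven by rules per purpose and re-applying earlier deletions after a backup restore, can be combined into one small mechanism: an append-only erasure ledger. The example below is added here as an illustration and is not code from the article. It assumes records are plain dictionaries with `subject_id`, `purpose`, `collected_at` and an optional `purpose_fulfilled_at`; the purposes, retention periods, ledger key and sample data are all constructed for the demo. The ledger stores only a keyed hash of the subject identifier, so the ledger itself does not become another copy of personal data.

```python
"""Rules-driven retention plus an erasure ledger that is replayed after a backup restore.

Added example, not code from the article. Record layout, purposes, retention
periods and the ledger key are assumptions for the demonstration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical retention rules: days a record may be kept after its purpose is fulfilled.
RETENTION_DAYS = {
    "restaurant_booking": 0,   # allergy details: delete once the booking has taken place
    "warranty_claim": 730,     # constructed example value
}

# Placeholder key; in practice load it from your secret store.
LEDGER_KEY = b"placeholder-ledger-key"
ALL_PURPOSES = "*"   # ledger marker for "every purpose" (an erasure request)


def subject_token(subject_id: str) -> str:
    """Keyed hash of the subject id so the ledger holds no directly identifying value."""
    return hmac.new(LEDGER_KEY, subject_id.encode(), hashlib.sha256).hexdigest()


def _log(ledger, subject_id, purpose, when, reason):
    ledger.append({"token": subject_token(subject_id), "purpose": purpose,
                   "erased_at": when, "reason": reason})


def apply_retention(records, ledger, now):
    """Drop records whose retention period has expired and log each drop.

    Records with no fulfilment date yet, or a purpose with no rule, are kept
    untouched so that nothing is deleted by accident; they still need a rule."""
    kept = []
    for rec in records:
        days = RETENTION_DAYS.get(rec["purpose"])
        fulfilled = rec.get("purpose_fulfilled_at")
        if days is None or fulfilled is None:
            kept.append(rec)
        elif now >= fulfilled + timedelta(days=days):
            _log(ledger, rec["subject_id"], rec["purpose"], now, "retention")
        else:
            kept.append(rec)
    return kept


def erase_subject(records, ledger, subject_id, now):
    """Right to Erasure: remove every record for the subject and log it for all purposes."""
    _log(ledger, subject_id, ALL_PURPOSES, now, "erasure_request")
    return [r for r in records if r["subject_id"] != subject_id]


def replay_ledger(restored, ledger):
    """After a backup restore, drop any record the ledger says was erased.

    A record collected after the erasure (for example, data the subject gave
    again later) survives, because the erasure predates it."""
    latest = {}
    for e in ledger:
        key = (e["token"], e["purpose"])
        if key not in latest or e["erased_at"] > latest[key]:
            latest[key] = e["erased_at"]
    survivors = []
    for rec in restored:
        tok = subject_token(rec["subject_id"])
        cutoffs = [latest.get((tok, rec["purpose"])), latest.get((tok, ALL_PURPOSES))]
        cutoff = max((c for c in cutoffs if c is not None), default=None)
        if cutoff is not None and rec["collected_at"] <= cutoff:
            continue   # erased before or at the cutoff: do not resurrect it
        survivors.append(rec)
    return survivors


def demo():
    """Constructed walk-through: retention, an erasure request, then a restore."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    records = [
        {"subject_id": "alice", "purpose": "restaurant_booking", "collected_at": t0,
         "purpose_fulfilled_at": t0 + timedelta(days=3), "allergies": "nuts"},
        {"subject_id": "bob", "purpose": "warranty_claim", "collected_at": t0,
         "purpose_fulfilled_at": t0 + timedelta(days=10)},
        {"subject_id": "carol", "purpose": "warranty_claim", "collected_at": t0,
         "purpose_fulfilled_at": None},
    ]
    backup = [dict(r) for r in records]          # snapshot taken before any deletion
    ledger = []
    now = t0 + timedelta(days=30)
    records = apply_retention(records, ledger, now)        # alice's booking data expires
    records = erase_subject(records, ledger, "bob", now)   # bob exercises his right of erasure
    records.append({"subject_id": "bob", "purpose": "warranty_claim",   # bob returns later
                    "collected_at": now + timedelta(days=1), "purpose_fulfilled_at": None})
    restored = replay_ledger(backup + [records[-1]], ledger)   # restore, then replay
    return records, restored, ledger


if __name__ == "__main__":
    live, restored, ledger = demo()
    print("live:", [r["subject_id"] for r in live])
    print("after restore:", [r["subject_id"] for r in restored])
    print("ledger entries:", len(ledger))
```

The design choice worth noting is that the ledger is the source of truth for deletions, not the live data store: a restore from any backup taken before a deletion is run through `replay_ledger` before the data goes back into service, and the keyed hash means the ledger can be kept for a long time without itself holding names or identifiers.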
Processed in an appropriate manner to maintain security
Ensure that you have appropriate levels of security in place, depending on the nature of the data and the potential harm its loss could cause to a Data Subject. Anonymise and encrypt personal data by default, and ensure that you have relevant Information Security policies in place. This covers both technical and physical security; there is no point having Two Factor Authentication and then letting every user dump data to Excel and USB sticks.
Encryption and strong security will likely reduce fines if and when a breach occurs
Accountability is technically not a principle in its own right; it is more like the primacy of the principles, or as somebody described it to me last week:
The Six Principles wrapped in a Blanket of Accountability
I can only apologise for not having a reference for this quote, as I think it is great. Essentially, however, companies are Accountable for applying all of the Principles, not just a select few.
Relating to the first Principle, of data being processed Lawfully, the Legal Basis is the company's record of the grounds under which it is processing the Data Subject's data.
Consent is given for the defined purposes at the time of data collection.
Specific data is required to fulfil contractual obligations. If, for instance, your contract says you will be paid your salary into a bank account, then of course you will need to provide your bank details, and these can be collected using Contract as the Legal Basis.
There are overriding legal reasons for collecting the data, based on EU or Member State law. This will be a potential Brexit challenge for UK companies using this Legal Basis for collecting data, once the UK leaves and is no longer a Member State.
Where it is necessary in the Vital Interest of the Data Subject. This will apply in very few circumstances, as it is deemed to cover life or death situations such as in Accident & Emergency departments.
Public Interest can be used by public authorities or private companies acting in the public interest, in areas such as justice, or for exercising statutory, governmental or other public functions.
The Right to Object will be able to be executed against data collected under Public Interest.
Legitimate Interest covers actions where Consent is not in place, but where, to enable the company to act in its own interest, it needs to share specific and accurate data with a third party.
An example would be providing details to a debt collection agency, where the data subject has moved home or is refusing to make payments.
This is a small section for a very big subject, as I will not go into every section in the image and outline what each of these areas is.
However, if you are collecting any of the data that is deemed sensitive, you must meet one of the Legal Basis categories above in ADDITION to an extra justification from the list below.
➢ Explicit Consent has been granted by the Data Subject
➢ To comply with Employment Law
➢ To protect the rights of the Data Subject, where consent cannot be given
➢ Processing by a non-profit, where data is not disclosed to a third party
➢ The Data Subject has already made the data public knowledge
➢ Necessary for legal proceedings
➢ Exercising justice, statutory or government functions
➢ Medical treatment undertaken by health professionals
➢ Ensuring of public health
If you are processing any of the above categories of Sensitive Data, I would strongly advise that you take the appropriate advice from your regulator or DPO, to ensure you are doing so in the correct manner.