The EU’s General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) came into effect in May 2018. It strengthens the fundamental rights of people in the EU in the current digital economy, imposes obligations on the businesses that process their personal data, and aims to stop companies from misusing that data for commercial gain in ways that put individuals at risk.
Who does the GDPR data protection law apply to?
The GDPR applies to:
- a company or entity that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is actually processed; or
- a company established outside the EU that offers goods or services (paid or free) to individuals in the EU, or monitors the behaviour of individuals in the EU.
If your company is a small or medium-sized enterprise (‘SME’) that processes personal data as described above, you have to comply with the GDPR. However, if processing personal data is not a core part of your business and your activity does not create risks for individuals, some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer (‘DPO’)). Note that ‘core activities’ include any activities in which the processing of personal data forms an inextricable part of what the controller or processor does.
What is a data controller or a data processor?
The data controller determines the purposes for which, and the means by which, personal data is processed. So, if your organisation decides ‘why’ and ‘how’ personal data should be processed, it is the data controller. Employees who process personal data within your organisation do so to fulfil your tasks as data controller; they are not separate controllers or processors.
Your organisation is a joint controller when, together with one or more other organisations, it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR, and the main aspects of that arrangement must be communicated to the individuals whose data is being processed.
The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company, although within a group of undertakings one undertaking may act as processor for another.
The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must state what happens to the personal data once the contract is terminated. A typical processor activity is offering IT solutions, including cloud storage. The data processor may only sub-contract part of its task to another processor, or appoint a joint processor, after receiving prior written authorisation from the data controller.
Depending on the processing activity, the same entity can be a data controller, a data processor, or both at once (for example, a controller of its own employee data and a processor of its customers’ data).
What data can be processed and under which conditions?
The type and amount of personal data an organisation may process depends on the reason for processing it (the legal basis relied on) and the intended use. The organisation must respect several key principles, including:
Lawfulness, fairness and transparency: personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed.
Purpose limitation: there must be specific purposes for processing the data, and the organisation must indicate those purposes to individuals when collecting their personal data. An organisation cannot simply collect personal data for undefined purposes.
Data minimisation: the organisation must collect and process only the personal data that is necessary to fulfil the stated purpose.
Accuracy: the organisation must ensure the personal data is accurate and up to date, having regard to the purposes for which it is processed, and correct or erase it if it is not.
Compatibility: the organisation cannot further use the personal data for other purposes that are not compatible with the original purpose.
Storage limitation: the organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected.
Integrity and confidentiality: the organisation must put in place appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
There is no quick fix for GDPR compliance, but what really helps is to build a records management capability and embed record-keeping into the organisation’s day-to-day operations. This goes a long way toward creating a framework for compliance.