The General Data Protection Regulation (GDPR) is almost upon us. May 25th, 2018 is the auspicious day that begins the enactment of the regulation. In a survey carried out earlier this year by TrustArc (1), 61% of companies were not ready to implement GDPR. Research carried out a little later in the year by IAPP (2) did find that things were progressing, but still, only 40% of U.S. firms had begun GDPR implementation.
One of the reasons for the lagging movement in achieving GDPR compliance is the poor understanding of what the regulation expects you, as a business, to do. GDPR is many things, but one thing that’s universal about it is the regulation is all about the data.
In this article, I’ll look at 10 areas that touch on the data requirements of GDPR.
Consent to process data
Consent is the legal basis upon which the GDPR pivots. Consent is not about ownership, but it is about choice – choice for the user (data subject) when you collect their data and what you do with it afterward. You should look at how to take consent when you collect data. You need to show the user a plain language explanation of what you are collecting and why you are collecting it. You also need to ensure the user gives an ‘affirmative’ action when giving their consent. Opt out, in most circumstances, won’t cut it with the GDPR.
Data choices – what to, and what not to, collect
Think about what data you really need to run your business. Take only that data and nothing more. If you don’t need to know the prefix of a person’s name or their gender, don’t ask for it. When you do process the data, especially when sharing data, if you can minimize the data processing, then do so. For example, you could ask for confirmation the user is over 21 as opposed to collecting their actual date of birth. This isn’t a panacea to GDPR, but it all helps.
Recognize that certain types of data are deemed as ‘special’ under the GDPR. These data include lifestyle choice type information such as religion, trade union membership, political beliefs, and several others. (See Article 9) (3)
Moving data between organizations – data portability
The GDPR has a number of data rights that allows EU citizens to place some controls over the use of their data. One of these is the ability to request that whoever collected their data can provide them with access to these data and they can share it with another party without your company making it difficult to do so – this is even if they wish to share it with your competitor. You may also be required to share it directly with that other party where there are no technical barriers to doing so. (See also Article 20) (4)
Erasing data – right to be forgotten
The right to be forgotten has been a contentious issue in privacy circles for many years and the GDPR has finally added some weight to the argument. This part of the GDPR gives the data subject the right to request that any data you hold on them is ‘erased’ without delay. This right, more than any of the others, has caused worries among organizations of all sizes on how to achieve it. The fact is, there are a number of caveats and restrictions around this subject right, including that “…the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”. However, the fact remains that your organization will need to show evidence, that if required, you can meet this request. (See also Article 17) (5)
Accessibility of data is a fundamental part of the GDPR. This subject right is about ensuring the data subject is able to have access to and to find out the whys and wherefores of their collected data. You need to allow the user to access their data and also to let them know the types of processing being carried out and the type of category the data falls into. The article specifically states that you need to provide a “…copy of the personal data undergoing processing” and “the information shall be provided in a commonly used electronic form”. This subject right also has the expectation that your organization will have in place processes to handle complaints from your user base too. (See also Article 15) (6)
Restricting data processing
This subject right covers the areas of data processing where disputes and difference of views make come into play. For example, this allows for users to contest the accuracy of the data being processed. The article representing this right (Article 18) (7) draws heavily upon the basis of consent within the GDPR.
Objections to data processing
There is provision within the GDPR to allow a data subject to object to their data being processed. However, this is only under certain circumstances, such as when the data is being used for direct marketing. There is also a right to object if the data is being processed for scientific or research reasons, but it is caveated by the use of the data for the public interest. Where services are online, the right to object must be via an automated method.
Automation of data processing
If you perform any automated processing of data, for example, you use data to profile your user base, then you will come under the auspice of the GDPR. Article 22 (8) has special provisions for automated processing of an individual’s data. You can only perform automated processing where there is either explicit consent obtained, or it is needed to carry out a contract, or where it is permitted under the law of an EU state.
International data transfers
There are provisions in the GDPR to allow for data transfers to non-EU countries or international organizations as long as there are recognized ‘adequate’ frameworks for sensitive data protection. There are also caveats where this level of protection is not met, as long as certain contract clauses are in place. Article 42 (9) of the GDPR encourages the use of certifications to address cross-border transfers of data stating that there is provision for the use of “data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance”.
- TrustArc: https://www.trustarc.com/press/us-uk-companies-lagging-gdpr-compliance-efforts-brexit-not-derailing-uk-gdpr-plans/
- International Association of Privacy Professionals (IAPP): https://iapp.org/news/a/survey-61-percent-of-companies-have-not-started-gdpr-implementation/
- GDPR Article 9: https://gdpr-info.eu/art-9-gdpr/
- GDPR Article 20: https://gdpr-info.eu/art-20-gdpr/
- GDPR Article 17: https://gdpr-info.eu/art-17-gdpr/
- GDPR Article 15: https://gdpr-info.eu/art-15-gdpr/
- GDPR Article 18: https://gdpr-info.eu/art-18-gdpr/
- GDPR Article 22: https://gdpr-info.eu/art-22-gdpr/
- GDPR Article 42: https://www.privacy-regulation.eu/en/article-42-certification-GDPR.htm