This overview highlights the key themes of the General Data Protection Regulation (GDPR) to help you understand the new legal framework in the EU. It is important to note that it is not all new: many of the existing data protection concepts and principles will continue to apply. However, the GDPR introduces some new and different requirements, including but not limited to very high fines.
The GDPR will apply from 25 May 2018.
Who does the GDPR apply to?
- The GDPR applies to ‘controllers’ and ‘processors’.
Please refer to the Glossary in the Annex for the definitions of controller and processor.
The existing data protection laws did not place any direct liability or obligations on the data processor. This is new under the GDPR!
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
What information does the GDPR apply to?
- Personal data:
The GDPR applies to ‘personal data’. The GDPR’s definition is more detailed and makes it clear that information such as an online identifier (e.g. an IP address) or location data can be personal data.
- The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.
- Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
- Anonymised data does not fall under the GDPR (however, see the glossary, as strict rules apply to when data can be regarded as anonymised).
Key Principles (for data processing)
Lawfulness, Fairness and Transparency
Organizations must always process personal data lawfully, fairly, and in a transparent manner.
Lawfulness: For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data.
E.g. consent of the data subject; processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract; processing is necessary for compliance with a legal obligation.
For special categories of personal data (sensitive data, see Glossary) specific lawfulness requirements apply, e.g. “explicit” consent.
Fairness/Transparency: In assessing fairness, why and how you collect and use personal data will be relevant. Fairness also requires you to be transparent about your data processing (e.g. be open and honest about your identity; tell people how you intend to use any personal data you collect about them (unless this is obvious); usually handle their personal data only in ways they would reasonably expect; and above all, not use their information in ways that unjustifiably have a negative effect on them).
Purpose Limitation
Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that’s incompatible with those purposes.
Data Minimisation
Organizations can collect only personal data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.
Accuracy
Personal data must be accurate and, where necessary, kept up to date.
Storage Limitation
Personal data must be kept only for as long as it’s needed to fulfill the original purpose of collection.
Confidentiality and Integrity (Security)
Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segregation, encryption, pseudonymization, and anonymization is recommended, and in some cases required, to help protect personal data.
New concepts under the GDPR
As mentioned above, the processing principles did not change that much from existing data protection laws. However, the GDPR also introduces some new concepts, which are briefly described in the following section.
Accountability
The new accountability principle requires the data controller to implement measures to ensure that the personal data they control is handled in compliance with the principles of the GDPR. In addition, the data controller must be able to demonstrate compliance.
A very important part of this is keeping records of processing activities:
You must maintain additional internal records of your processing activities (this applies to companies with more than 250 employees; in Germany, however, it applies to basically all companies). The GDPR prescribes which information you have to provide in such a register: name and details of your organisation and, where applicable, of other controllers, your representative and data protection officer; purposes of the processing; description of the categories of individuals and categories of personal data; categories of recipients of personal data; details of transfers to third countries, including documentation of the transfer mechanism safeguards in place; retention schedules; description of technical and organisational security measures.
Privacy by Design
When you plan a new processing activity or develop or implement a new product, service, or feature, you have to design such activities and products with the GDPR principles in mind, to ensure you put appropriate safeguards in place to protect privacy.
Privacy by Default
You must always use the most “privacy friendly” default settings when collecting, processing, or storing data. For example, when giving individuals a choice over how much of their data is processed, the default setting should always be the choice with the least amount of processing. When selecting a retention period, the default must be the shortest possible retention period.
Data Protection Impact Assessments
This means conducting an analysis of new processing activities to identify and address privacy risks. Whilst the GDPR only mandates a formal PIA for high-risk processing, it is widely agreed that you would need to do a kind of lighter PIA for each new processing activity in order to determine whether high-risk processing is involved and to ensure compliance with the GDPR principles.
Data Subject Rights under the GDPR
In addition, the GDPR grants data subjects a number of rights regarding their data.
The data controllers (which could be SugarCRM, or our customer, as the case may be) are required to enable those rights, i.e. they need to have systems in place to respond to and effectively address data subjects’ requests. (See the EU Data Protection Glossary at https://www.sugarcentral.sugarcrm.com/docs/DOC-6351 for what a controller is.)
Data Access: Data subjects have the right to confirm with a data controller whether the organization is processing their personal data. If it is, the controller must provide the data subject with information about such processing, including the specific data processed, the purposes of the processing, and the other parties with whom such data has been shared.
Right to Object: Data subjects can in certain cases object at any time to the processing of their personal data, in particular if the processing is for direct marketing purposes.
Data Rectification: Data subjects can request that a controller correct or complete personal data if the data is inaccurate or incomplete.
Restriction of Processing: Data subjects can request that a controller stop access to and modification of their personal data. For example, the controller can mark or use technological means to ensure that such data will not be further processed by any party.
Data Portability: In certain cases, data subjects have the right to ask a controller to provide their personal data in a structured, commonly used, and machine-readable format (for example, a .csv file) so that they can transmit their own personal data to another company.
For details on data portability please see the following blog post: https://www.sugarcentral.sugarcrm.com/blogs/nicola/2017/06/21/the-right-to-data-portability-what-does-it-cover-and-when-does-it-apply
Right to Erasure: Also known as “the right to be forgotten,” this right empowers data subjects to request that a data controller delete or remove their personal data in situations such as the following: when the data is no longer needed for the original purpose, when the data subject withdraws consent, or when the data subject objects to the processing and the controller has no overriding legitimate interest in the processing.
EU Data Protection – glossary
The full glossary can be found on SugarCentral: https://www.sugarcentral.sugarcrm.com/docs/DOC-6351
Anonymisation
The method of processing personal data in order to irreversibly prevent identification.
Anonymisation is one method of making data processing more secure. However, it is quite complicated, and you may not achieve the anonymisation level required by the data protection authorities. The Article 29 Working Party (WP29) has issued a detailed Opinion on anonymisation.
Consent
Definition: Art. 4 no. 11 of the GDPR
Freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Controller
Any person, partnership or company who determines how and for what purposes personal data is processed. A third party may carry out processing on the controller's behalf, although the data controller remains responsible for the processing.
Processor
A person who processes personal data for a data controller, other than the controller's employee. Outsourced IT and HR service providers may be processors. When you provide support services and therefore have potential access to a customer's system, you may be a processor.
Data Protection Impact Assessment (DPIA)
The successor to the PIA.
Covered in Art. 35 of the GDPR: DPIAs are effectively a risk assessment looking at data protection risks.
Data Subject
An individual who is the subject of the personal data. In other words, the data subject is the individual whom particular personal data is about.
Personal Data
Definition: Article 4 no. 1 of the GDPR.
Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
Art. 4 no. 2 GDPR
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
POTENTIAL access (e.g. if you provide support services and access the system of the customer and therefore have potential access to the data stored in that system) is also seen as processing!
Pseudonymisation
Often confused with anonymisation, but with pseudonymisation the individual can still be identified – for example, at its most basic level, changing an employee's name to an identification number and removing all of their other personal details could be pseudonymisation. The Article 29 Working Party, in its paper on anonymisation, has warned of the risks of confusing pseudonymisation and anonymisation. It says: “pseudonymisation is not a method of anonymisation. It merely reduces the linkability of a data set with the original identity of a data subject, and is accordingly a useful security measure.”
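The following Python snippet is an added illustration (not part of the original glossary or of any SugarCRM code) of the distinction drawn here and in the earlier point on key-coded data: key-coded pseudonymisation keeps a separate key table that allows re-identification, and even without the key a row can still be singled out from its remaining attributes, whereas anonymisation destroys the link and generalises what is left. All records, names and values are constructed.

```python
import secrets

# Constructed sample HR records; the people and values are invented.
EMPLOYEES = [
    {"name": "Alice Example", "department": "Finance", "birth_year": 1985, "band": "B"},
    {"name": "Bob Sample", "department": "Finance", "birth_year": 1988, "band": "C"},
    {"name": "Carol Test", "department": "Sales", "birth_year": 1990, "band": "B"},
]


def pseudonymise(records):
    """Key-coded pseudonymisation: replace the name with a random employee ID
    and keep the ID -> name mapping in a separate key table. Every other
    attribute is left as it is."""
    key_table, out = {}, []
    for rec in records:
        emp_id = secrets.token_hex(4)  # random, not derived from the name
        key_table[emp_id] = rec["name"]
        out.append({"employee_id": emp_id, **{k: v for k, v in rec.items() if k != "name"}})
    return out, key_table


def reidentify(pseudonymised, key_table):
    """Anyone holding the key table can restore the names, so the data set is
    still linkable to the individuals and remains personal data."""
    return [{"name": key_table[r["employee_id"]],
             **{k: v for k, v in r.items() if k != "employee_id"}} for r in pseudonymised]


def rows_matching(records, **attrs):
    """Rows where every given attribute matches. If a few background facts
    about a person match exactly one row, that person is singled out even
    without the key table: pseudonymisation only reduces linkability."""
    return [r for r in records if all(r.get(k) == v for k, v in attrs.items())]


def anonymise(records):
    """Irreversible: no ID or key table is kept and the remaining attributes are
    generalised (birth year -> decade) so that they no longer single anyone out.
    Real anonymisation must also check that no combination of the kept
    attributes is unique in the whole data set; this only shows the mechanics."""
    return [{"department": r["department"], "birth_decade": r["birth_year"] // 10 * 10,
             "band": r["band"]} for r in records]
```

With the constructed rows, department plus exact birth year picks out one pseudonymised row (Alice), while department plus birth decade matches two anonymised rows, so nobody is singled out.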
Sensitive Personal Data
Art. 9 GDPR
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.