GDPR significantly strengthens the regime of the existing Data Protection Act 1998. Businesses must be compliant by 25 May 2018, the date from which the Regulation applies.
Ability To Demonstrate Compliance
A data controller must be able to demonstrate that personal data is processed in compliance with the Regulation (the accountability principle in Article 5(2)). When a supervisory authority sets a fine for non-compliance, the technical and organisational measures already implemented in line with the GDPR are taken into account and may reduce its severity.
Legal Basis For Processing
Processing personal data must rest on one of the six lawful bases in Article 6, for example:
- The data subject has given consent for one or more specific purposes;
- Performance of a contract with the data subject;
- Compliance with a legal obligation;
- Protection of the vital interests of the data subject.
Where consent is the basis, the data subject may withdraw it at any time and withdrawing must be as easy as giving it (Article 7(3)), so organisations must be able to stop the relevant processing when consent is withdrawn.
Conditions When Processing Special Categories of Data
The GDPR (Article 9) increases protection for special categories of personal data, namely data revealing:
- Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
- Genetic data and biometric data processed to uniquely identify a person;
- Data concerning health, sex life or sexual orientation.
The protection is not limited to fields explicitly labelled as such: data that reveals one of these attributes indirectly is also caught. For example, the name of a data subject's partner can indicate sexual orientation.
Records For Keeping Track Of All Processing Activities
Under the GDPR, controllers must keep a record of all processing activities under their responsibility. Article 30 lists seven items the record must contain, including the following:
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipients to whom the personal data has been or will be disclosed.
Processors must similarly keep a record of the categories of processing carried out on behalf of each controller. Both controllers and processors must keep these records in writing; electronic form is permitted under Article 30. Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data.
Increased Standard Of Consent
Obtaining a data subject's consent is stricter under the GDPR than under the earlier Directive 95/46/EC. Article 4(11) defines consent as a freely given, specific, informed and unambiguous indication of the data subject's wishes, given "by a statement or by a clear affirmative action." Silence, pre-ticked boxes and inactivity therefore do not count as consent, and making consent a condition of a service that does not need the data in question undermines its validity (Article 7(4)).
Notification Of Data Breaches Within 72 Hours
Once an organisation becomes aware of a personal data breach, it must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours; a later notification must be accompanied by reasons for the delay (Article 33). The notification must include the following:
- The nature of the breach, including the categories and approximate number of data subjects and of personal data records concerned;
- The name and contact details of the data protection officer or another contact point;
- The likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its possible adverse effects.
Notification to the authority is not required where "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." Separately, Article 34 requires the controller to communicate a breach to the affected data subjects when it is likely to result in a high risk to them; that communication can be omitted where the data was protected by measures such as encryption that render it unintelligible to unauthorised parties. Encryption does not by itself remove the duty to notify the authority; it bears on the risk assessment and on whether individuals must be told.
Appointment Of A Data Protection Officer (DPO)
A DPO must be appointed by public authorities and by organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data (Article 37). The officer must have "expert knowledge of data protection law and practices" and has designated tasks (Article 39) such as informing and advising the controller, processors and employees of their obligations under the GDPR, monitoring internal compliance, advising on data protection impact assessments, and cooperating with and acting as the contact point for the supervisory authority.
Right To Data Portability
Where processing is based on consent or a contract and is carried out by automated means, data subjects can obtain the personal data they provided to a controller in "a structured, commonly used and machine-readable format" and transmit it to another controller (Article 20). The subject can also require the controller to transmit the data directly to the new controller where this is technically feasible.
Data Protection By Design And By Default
Data controllers must embed the data protection principles into their technology and their organisational processes. Article 25 requires appropriate technical and organisational measures, such as pseudonymisation and data minimisation, chosen with regard to the following four factors:
- The state of the art;
- The cost of implementation;
- The nature, scope, context and purposes of the processing;
- The risks to the rights and freedoms of data subjects, of varying likelihood and severity.
By default, only the personal data necessary for each specific purpose may be processed, and personal data must not be made accessible to an indefinite number of people without the individual's intervention. The rights of data subjects under the GDPR must be understood and matched in practice to technical capabilities and organisational processes.
IT vendors and cloud providers acting as processors must be able to demonstrate that they meet the GDPR requirements: a controller may only use processors that provide sufficient guarantees of appropriate technical and organisational measures, engaged under a contract that meets Article 28.
Many Other Requirements
The GDPR's requirements are many and varied. Others to consider include the following:
- The data subject has the right to access the personal data held about them, together with information about the processing (Article 15).
- A data controller must provide a copy of any personal data undergoing processing free of charge on first request and may charge a reasonable fee for further copies.
- The data subject has the right to have inaccurate personal data rectified, and the controller must do so "without undue delay" (Article 16).
- The data subject has the right to require erasure of personal data (Article 17), but the controller may decline where one of the exceptions in Article 17(3) applies, such as a legal obligation to retain the data.
- The data subject has the right to obtain restriction of processing (Article 18), for example while the accuracy of the data is being contested.
- The controller must communicate any rectification, erasure or restriction to each recipient of the data, unless this proves impossible or involves disproportionate effort (Article 19).
- Data subjects have the right to know the recipients, or categories of recipients, of their personal data.
- The data subject has the right to object at any time to processing based on legitimate interests or a public task (Article 21); an objection to direct marketing must always be honoured.
- If a data controller uses another organisation for processing, the processor has GDPR obligations of its own and must be engaged under a contract that meets Article 28.
- Controllers must keep records of their processing activities and implement measures ensuring a level of security appropriate to the risk (Article 32).
- Chapter V of the GDPR governs when and how personal data can be transferred to third countries or international organisations.