As May 2018 approaches, everybody is talking about the GDPR. What is the GDPR? What are the key definitions under the GDPR? To whom does the GDPR apply?
These, and many more questions, may also be puzzling you. This post will help you understand the GDPR more clearly. It also explains the definitions under the GDPR with worked examples.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on the protection of personal data, and thereby the right to privacy, of persons within the European Union.
It was adopted in April 2016 and applies from 25 May 2018.
It governs all organisations, both European and foreign, that process the personal data of people in the EU. It aims to replace the differing national laws of the EU member states with a single set of rules, making the handling of personal data more streamlined for businesses and enforcement consistent across all member states.
Compliance is expected to be strict, and the penalties it sets out are severe.
EU Regulation vs EU Directive
As Wikipedia puts it, the GDPR is not a directive but a regulation. A directive, although a legal act, is distinct from a regulation. Outside the EU, "directive principles" are sometimes just guiding principles: the Irish constitution, for instance, contains Directive Principles of Social Policy that express the spirit of the constitution but are not directly enforceable in a court of law.
In the EU, however, a directive is a binding legal act. But a directive gives the member states a degree of latitude in how they transpose it, so that the wording can be adapted to their different legal traditions, legal systems and legal processes. As a result, national governments must pass their own enabling legislation before a directive is fully implemented.
The GDPR, it must be stressed again, is a regulation and not a directive. A regulation does not permit the member states any variation in its wording, interpretation or enforcement, and it needs no national legislation to make it enforceable. A regulation, therefore, is a law that is directly and simultaneously enforceable in all member states.
Purpose and objectives of the GDPR
In a single line, the objective of the GDPR is to meaningfully protect the personal data of EU residents and to make the rules of data processing consistent across the EU.
On the one hand, the objective of the GDPR is to return control over personal data to the EU residents themselves. Residents gain enforceable rights over how their personal data is collected, stored and processed, and the onus of securing that data is placed squarely on the organisations that collected it. It also gives the data subject the right to erasure, commonly called the right to be forgotten, i.e. deletion of their personal data on request.
On the other hand, the purpose of the GDPR is also to bring uniformity to the various data protection rules of the member states. While compliance will be strict and the penalties laid out are certainly harsh, it will also bring a great deal more clarity and coherence to data protection rules.
One of the chief objectives of the GDPR is to require organisations, both those operating within the EU and those outside it that process the data of EU residents, to assess the risks to the personal data they hold and to put in place measures that mitigate the risks their assessment uncovers. Article 32 requires security measures appropriate to the risk and names encryption and pseudonymisation explicitly as examples of such measures; encryption is therefore not an absolute mandate, but an organisation that holds sensitive data unencrypted should expect to have to justify that choice.
Background and history of the GDPR
Concerns about data protection, and the need to standardise the rules governing the data of EU residents, date back to the end of the 20th century. In 1995, the European Data Protection Directive (Directive 95/46/EC) was adopted by the European Parliament and the Council. Notice that it was a directive, and not a regulation, as distinguished earlier in this post. This directive drew on the guidelines on the protection of privacy published by the Organisation for Economic Co-operation and Development (OECD) in 1980.
In 2012, the European Commission proposed a major revision of the existing rules as part of its focus on the digital economy. By 2014, support for giving a uniform data protection regulation more teeth had grown, and the European Parliament (EP) voted for it by a large majority. Things moved swiftly from then on: the regulation was adopted in April 2016 and published in the Official Journal of the EU in May 2016.
Protection of personal data, which is the core spirit of the GDPR, has its roots in the eight data protection principles set out in the UK Data Protection Act 1998, which implemented the 1995 Directive.
The following image will better explain the 8 principles of good data handling and processing.
Definitions of key terms in the GDPR
If you wish to understand the GDPR, it's important to read the terms defined in it carefully. Definitions help remove ambiguities, identify the roles of the various entities involved and determine where responsibility lies.
The italicised text in the following is quoted from the definitions in Chapter 1, Article 4 of the regulation, as published on the official website; the rest is our own observation.
Personal data means any information relating to an identified or identifiable natural person. The same article goes on to define genetic data, biometric data and data concerning health. For all practical purposes, this is the data of people in the EU.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of …processing of personal data relating to him or her. In simpler terms, consent means offering a real, express, visible choice and giving the data subject control. Data controllers must be able to demonstrate that they have received consent; consent cannot be assumed from silence, pre-ticked boxes or inactivity, and it must be as easy to withdraw as it was to give. One practical implication is that non-essential cookies (analytics, advertising) stay off by default and are only switched on after express consent.
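The following Node.js snippet is an added illustration, not part of the original post, of what "demonstrable, default-off, withdrawable" consent looks like in code: an append-only ledger of consent records that the controller can produce on demand, non-essential cookies that are only set when a live record for their purpose exists, and a withdrawal that also clears the cookies that depended on it. The `ConsentLedger` class, the purpose names, the cookie names and the in-memory cookie jar are assumptions made for the example.

```javascript
// Added example: consent-gated cookies backed by a demonstrable consent record.
// All names (ConsentLedger, purposes, cookie names) are illustrative assumptions.

const POLICY_VERSION = '2018-05-25'; // which wording of the notice the subject agreed to

// Strictly necessary cookies may be set without consent; everything else needs it.
const ESSENTIAL = new Set(['session']);

let nextRecordId = 1;

class ConsentLedger {
  constructor() {
    this.records = [];    // append-only: who agreed to what, when, on which notice
    this.jar = new Map(); // stand-in for the browser cookie jar
  }

  // Records an affirmative action by the subject. Silence, pre-ticked boxes or
  // inactivity never reach this method, so "consent cannot be assumed" holds by
  // construction: without a call to grant() there is simply no record.
  grant(subjectId, purposes, evidence) {
    const rec = {
      id: nextRecordId++,
      subjectId,
      purposes: [...purposes],
      policyVersion: POLICY_VERSION,
      evidence,                             // e.g. the UI action the subject took
      grantedAt: new Date().toISOString(),
      withdrawnAt: null,
    };
    this.records.push(rec);
    return rec.id;
  }

  // Withdrawal is kept in the same ledger (the record is closed, not deleted)
  // and cascades to the cookies that were only lawful under that consent.
  withdraw(subjectId, purpose) {
    for (const rec of this.records) {
      if (rec.subjectId === subjectId && rec.withdrawnAt === null &&
          rec.purposes.includes(purpose)) {
        rec.withdrawnAt = new Date().toISOString();
      }
    }
    for (const [name, cookie] of this.jar) {
      if (cookie.purpose === purpose) this.jar.delete(name);
    }
  }

  hasConsent(subjectId, purpose) {
    return this.records.some(r => r.subjectId === subjectId &&
      r.withdrawnAt === null && r.purposes.includes(purpose));
  }

  // Default is "off": a non-essential cookie is set only when a live consent
  // record for its purpose exists. Returns true if the cookie was set.
  setCookie(subjectId, name, value, purpose) {
    if (!ESSENTIAL.has(name) && !this.hasConsent(subjectId, purpose)) {
      return false;
    }
    this.jar.set(name, { value, purpose });
    return true;
  }

  // What a controller hands over when asked to demonstrate consent.
  proof(subjectId) {
    return this.records.filter(r => r.subjectId === subjectId);
  }
}

// Walk-through with constructed data: a visitor, an analytics cookie, consent
// granted via the banner, then withdrawn again.
function demo() {
  const ledger = new ConsentLedger();
  const user = 'subject-42';
  const before = ledger.setCookie(user, '_ga', 'GA1.2.abc', 'analytics'); // no consent yet
  ledger.setCookie(user, 'session', 'opaque-token', 'essential');           // always allowed
  ledger.grant(user, ['analytics'], 'clicked "Accept analytics" in the banner');
  const after = ledger.setCookie(user, '_ga', 'GA1.2.abc', 'analytics');  // now allowed
  ledger.withdraw(user, 'analytics');
  return {
    before,                                   // false
    after,                                    // true
    gaCleared: !ledger.jar.has('_ga'),        // true: withdrawal removed the cookie
    sessionKept: ledger.jar.has('session'),   // true: essential cookie untouched
    proofCount: ledger.proof(user).length,    // 1 closed record remains as evidence
    stillConsented: ledger.hasConsent(user, 'analytics'), // false
  };
}
```

The point of keeping the withdrawn record rather than deleting it is that the controller can later show both that consent existed while the cookie was set and when it ended; a ledger that only stores the current state cannot answer the second question.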
Processing means any operation or set of operations …whether or not by automated means, such as collection, recording, …adaptation or alteration, …use, disclosure …erasure or destruction. Processing has been defined very carefully and broadly, because the distinction between data controller and data processor rests, to a great degree, on this definition.
(Data) Controller means the natural or legal person… or other body which…determines the purposes and means of the processing of personal data… Put differently, the data controller is the individual or organisation that decides why and how personal data is collected, edited and used.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The definition is short and crisp, but as we discuss in the section below, it is not always easy to tell a data controller from a data processor.
Analysis of definitions with examples
As matters stand today, modern businesses have evolved to such a level of complexity that there will inevitably be grey areas in these legal definitions. Unless the definitions are explored with a few relevant examples, it will not be easy for businesses to figure out where they stand.
Let's take a few examples to better distinguish between data controllers and data processors.
Case 1: Is the delivery driver a data processor?
You run a pizza joint that offers on-demand delivery. You have contracted, on a freelance basis, with a handful of drivers to deliver pizzas as orders come in. Naturally, to make the delivery, you need to share some details of the customers with the drivers: typically name, address and phone number. You decide why and how your customers' data is used, so you are clearly the data controller. But are your delivery drivers data processors?
To be a data processor, a person (in this case, the driver) must at least handle the data. That condition is satisfied.
However, the way processing is defined in the GDPR implies some degree of operation on the data: storing it, editing it, analysing it, deleting it and so on. In this scenario your delivery drivers do none of these things. They exercise no control over the data beyond using it to deliver a product (the pizza) and then discarding it. They are merely a channel used to deliver the pizza, with no data processing done at their end.
On that reading the delivery drivers are neither data controllers nor data processors, and the Information Commissioner's Office (ICO), the UK supervisory authority, would not treat them as such in the event of a breach. Note that the conclusion depends on the facts: a driver who keeps a list of customers' addresses and phone numbers, or runs them through an app of their own, is processing that data and the analysis changes.
Case 2: Is the email verification company a data processor?
You run a pizza joint that offers on-demand delivery that collects emails and phone numbers of customers. Once your database grows, you would like to verify if the email addresses are still valid and the phone numbers are all correct. You approach a verification company for these services. Is the verification company a data processor?
The verification company receives the data you have supplied and stores it for a short time.
But it goes beyond that: it runs your database through a defined process.
For phone verification, it loads the numbers into its own systems and checks them against carrier data, classifying each number as valid or disconnected.
For email verification, the service typically performs SMTP-level checks and classifies each address as valid, invalid, disposable, role-based and so on.
Notice that the outcome of the verification process shapes how you will store the data it returns to you. You will, for instance, maintain separate lists of valid and invalid addresses.
The verification company stores, alters and classifies personal data on your instructions and for your purposes. That makes it definitely a data processor.
Case 3: Is a market research agency a data processor?
Your pizza delivery business has grown substantially and you have multiple franchised and company-run outlets. You wish to conduct detailed market research to understand your prospects and customers better.
You hire a market research agency to carry out the research. Is the market research agency a data processor?
For practical reasons, the agency will not interview every single prospect or customer. Instead, it will decide on a statistically acceptable sample size, which it will then study.
So it categorises the data as 'To be interviewed' and 'Not to be interviewed'. If it were to stop there, it would still be acting purely on your instructions.
But the market research agency goes much further than that. It decides what questions to ask, which factors to focus on and how to analyse the results by demographic. Finally, it also decides how to interpret the results and present them to you.
The role of the market research agency, therefore, has gone beyond data processing. It takes a number of decisions on the purposes and means of using the data. That means it is not just a data processor: it is now a data controller in its own right.
Data processors or data controllers?
On the basis of the above understanding, your tax consultant is a data controller because she decides what to do with the income and expense data you shared with her in order to file your tax returns.
Your attorney is a data controller because she decides how to present your case in front of the jury.
Your credit card company is a data controller because it decides how much of your data it will share with the supermarket when you make a purchase.
As you can see, the roles are not fixed. In a simple, ideal world, the data controller would lay down strict instructions for its data processors and every decision would be taken by the controller. Given the complexity of businesses and their specialisms, such clean arrangements are increasingly rare.
In real life, data processors often have to apply their own domain knowledge and decide how the data provided to them should be used and processed. Once they determine the purposes or the essential means of processing, they become data controllers.
Data Breach, reporting and fines
To begin with, a data breach is not only about data loss or data theft. The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. For instance, access by an unauthorised third party is a breach, sending personal data to the wrong recipient is a breach, altering personal data without permission is a breach, and losing the only copy of it is a breach. The list cannot easily include everything.
Organisations must be prepared for a personal data breach. That includes understanding what a breach means, having a response plan, establishing internal responsibility, knowing within what time the ICO must be informed and so on.
Under Article 33, an organisation must notify the ICO within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Note that the clock starts on awareness, not on the moment the breach occurred. If notification takes longer than 72 hours, the organisation must give reasons for the delay. Every breach, notified or not, must be documented internally. The ICO also expects notifications to follow its prescribed reporting format.
The ICO notes the following regarding fines on its website: failing to notify a breach when required to do so can result in a significant fine of up to 10 million euros or 2 per cent of your global turnover, whichever is higher. The fine can be combined with the ICO's other corrective powers under Article 58.
You might want to have a look at this simple infographic that explains GDPR.
* * *
So that was a summary of the GDPR. What do you think we missed out? Don’t forget to let us know in the comments below.