In a previous blog post, I discussed what GDPR is and gave a high-level introduction to the concepts. In this blog post we will dive a bit deeper into the principles, the rights and the penalties imposed.
Privacy by design and by default
GDPR enforces the concept of data protection by design and by default. That means that businesses and organisations need to adhere to a few principles with regard to the personal data they are processing.
More specifically, the regulation states that personal data:
- Should be processed lawfully, fairly and in a transparent way
- Should be collected for specified, explicit and legitimate purpose
- Should be limited to what is necessary
- Should be kept up to date
- Should not allow identification of people for longer than necessary
- Should be processed in a way that ensures appropriate security
It is stated explicitly within the law that organisations are responsible and should be able to demonstrate compliance with those principles. So how can we achieve this?
Well, the answer depends on the kind of personal data processed and the amount of data being processed. However, some common themes emerge from the principles above. For example, point #6 reinforces the value of encrypting data and traffic through a website. So perhaps you are asking people to provide feedback and capturing their email address in the process. That falls within GDPR because an email address is personally identifiable information. One way to demonstrate compliance with that principle is to enforce HTTPS for all traffic to your website.
The lawfulness of processing is also a big chapter in and of itself. How would you demonstrate that you are lawfully processing personal data? The easiest way is to obtain the person's consent. If you were to ask for a person's consent you would need to be able to demonstrate the following:
- Consent was given by the person
- Request for consent was presented clearly to the person
- Ability for the person to withdraw consent
Under this scheme people would always have to opt in through a request-for-consent form that presents information in a clear and distinguishable way. For example, when a user registers for a service via their email, phone number, or social media profile they would need to explicitly tick a check box. Gone are the days of opt-out defaults and clever wording on forms to obtain consent. People have a right to be informed, and to be informed in clear language.
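The three points above are easiest to demonstrate if consent is kept as an append-only record rather than a single flag on a user profile. The following is an added example written for this post (not code from the original or from any GDPR tooling); the purpose label "feedback-email" and the notice wording are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(*args):
    """Construct a UTC timestamp (helper for the example and its checks)."""
    return datetime(*args, tzinfo=timezone.utc)

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str        # hypothetical purpose label, e.g. "feedback-email"
    notice_text: str    # the exact request-for-consent wording the person saw
    granted: bool       # True = opt-in given, False = consent withdrawn
    at: datetime        # when it happened (UTC)

class ConsentLedger:
    """Append-only record of consent grants and withdrawals (hypothetical)."""

    def __init__(self):
        self._events = []

    def record_optin(self, subject_id, purpose, notice_text, box_ticked, at):
        # Only an explicit, affirmative action counts: an untouched or
        # pre-ticked box is not consent and must not be recorded as such.
        if not box_ticked:
            raise ValueError("no explicit opt-in; nothing to record")
        self._events.append(ConsentEvent(subject_id, purpose, notice_text, True, at))

    def withdraw(self, subject_id, purpose, at):
        # Withdrawal is its own event; the original grant is never deleted,
        # so the full history remains demonstrable afterwards.
        self._events.append(ConsentEvent(subject_id, purpose, "", False, at))

    def is_consented(self, subject_id, purpose, at):
        """Was processing for `purpose` covered by consent at time `at`?"""
        history = [e for e in self.evidence(subject_id, purpose) if e.at <= at]
        return bool(history) and history[-1].granted

    def evidence(self, subject_id, purpose):
        """Chronological history to hand over on an access request."""
        own = [e for e in self._events
               if e.subject_id == subject_id and e.purpose == purpose]
        return sorted(own, key=lambda e: e.at)
```

Because withdrawal is stored as an event rather than by deleting the grant, the ledger can still show that processing done before the withdrawal was covered by consent at the time.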
Under GDPR, specific rights regarding personal data are defined. They are:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure (right to be forgotten);
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Organisations and businesses will need to take appropriate measures to provide people with the information they need so that those rights can be exercised. The law specifies that all forms of communication must be in a concise and easily accessible form, using clear and plain language. That means that legal documents would need to be revised so they are more accessible to the general public.
Perhaps the best-known right is the right to be forgotten, after the publicity received by a European Court of Justice ruling against Google a few years back. The court ruled that search engines are responsible for the content they point to and thus Google was required to comply with EU data privacy laws. To comply, Google had to create the framework for having links removed from its EU index and the process for people to request such removal.
Businesses and organisations would need to ensure that they have established processes, procedures and staff training to deal with people exercising their rights. Each request would need to be handled within a month of submission and free of charge, otherwise penalties are imposed.
So what happens if a business or organisation does not comply with the principles or denies people their rights? There are two kinds of fines specified within the law:
- Fine up to 10,000,000 EUR or 2% of total worldwide turnover, whichever is higher.
- Fine up to 20,000,000 EUR or 4% of total worldwide turnover, whichever is higher.
Data protection by design and by default falls within the first tier, whilst consent or data transfer to third countries fall within the second. Moreover, the law specifies that any person who has suffered material or non-material damage shall have the right to receive compensation.
Even if you're unsure whether you need to comply with the law, you're better off safe than sorry. It's easier to make preparations than to pay massive fines if you're found to be in violation of the new regulations. Watch the webinar, "Understanding the EU's new General Data Protection Regulation (GDPR)".