GDPR

The General Data Protection Regulation (GDPR) was passed by the European Parliament in 2016 to establish data privacy and security standards for EU citizens. It is driven by fundamental privacy rights derived from the 1950 European Convention on Human Rights and introduces specific penalties:

  • The less severe infringements could result in a fine of up to €10 million, or 2% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages
  • The more serious infringements occur when the organization denies or disrespects the basic principles at the heart of the GDPR, such as lawfulness, data subject rights, etc. These types of infringements could result in a fine of up to €20 million, or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages

The GDPR is organized around the following areas:

Data protection principles

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Accountability

Data controllers must be able to demonstrate that they are GDPR compliant.

Data Security

The organization must implement appropriate technical and organizational measures, and must report data breaches within the required time frame.

Data protection by design and default

Data protection principles must be considered in the design of any new product or service.

Data Processing

The GDPR outlines specific lawful bases that justify the processing of personal data:

  1. The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted in to your marketing email list.)
  2. Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)
  3. You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
  4. You need to process the data to save somebody’s life. (e.g. Well, you’ll probably know when this one applies.)
  5. Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)
  6. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

Consent

  • Consent must be “freely given, specific, informed and unambiguous.”
  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
  • Children under 13 can only give consent with permission from their parent.
  • You need to keep documentary evidence of consent.

Data Protection Officer (DPO)

You must appoint a DPO if any of the following apply:

  1. You are a public authority other than a court acting in a judicial capacity.
  2. Your core activities require you to monitor people systematically and regularly on a large scale. (e.g. Google.)
  3. Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10. (e.g. You’re a medical office.)

Data Subject Rights

A data subject's privacy rights are listed below:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

Who does it apply to?

The GDPR applies to any organization that processes the personal data of an EU citizen or resident, even if the organization itself is not located in the EU.

How can Socium Security help?

Socium Security can help with assessments, program development, and managed services supporting GDPR requirements.