The General Data Protection Regulation (GDPR) is a regulation from the European Union (EU) designed to strengthen and unify data protection for all individuals within the European Union. Additionally it regulates the export of personal data outside the EU. The GDPR intends to bring control back to EU residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR will become effective from May 25th of 2018 and it applies to all businesses processing and holding the personal data of people residing in the EU, regardless of the business location.
Penalties
Companies in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is higher. That is the maximum fine, reserved for the most serious infringements, such as processing customer data without the customer's consent or violating the core of privacy by design.
Responsibility and accountability
The notice requirements remain and are expanded. Notices must include the retention period for personal data, and contact information for the data controller and the data protection officer must be provided.
Automated individual decision-making, including profiling (Article 22) is made contestable. Citizens now have the right to question and fight decisions that affect them that have been made on a purely algorithmic basis. Many media outlets have commented on the introduction of a “right to explanation” of algorithmic decisions, but legal scholars have since argued that the existence of such a right is highly unclear without judicial test, and limited at best.
In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default.
Privacy by Design and by Default (Article 25) require that data protection measures are designed into the development of business processes for products and services. Such measures include pseudonymisation of personal data, by the controller, as soon as possible (Recital 78).
It is the responsibility and liability of the data controller to implement effective measures and to be able to demonstrate the compliance of processing activities, even if the processing is carried out by a data processor on behalf of the controller (Recital 74). Source: Wikipedia
Personal data
Personal data is defined as any information related to a person (the ‘data subject’) that can be used to directly or indirectly identify that person. It can be a name, a photo, an email address, content from social networking, medical information, a computer IP address, an identification number, location data, an online identifier, or one or more factors specific to the physical, genetic, economic, cultural or social identity of that person.
Data processor and a data controller
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Controllers and processors are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.” Controllers and processors that adhere to either an approved code of conduct or an approved certification may use these tools to demonstrate compliance.
Consent
Consent must be explicit for data collected and the purposes data is used for. Consent for children must be given by the child’s parents or custodian, and it must be verifiable. Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.
The conditions for consent have been strengthened, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
Right to Access
Data subjects (EU residents) have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and where and for what purpose. Furthermore, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Data Erasure (previously Right to be Forgotten)
The data subject has the right to request that the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject’s rights against “the public interest in the availability of the data” when considering such requests.
Consent for Children
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
Data Protection Officer (DPO)
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Data breaches notification
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the supervisory authority (the Data Protection Authority, DPA) within 72 hours and to affected individuals without undue delay.
Data Portability
GDPR introduces data portability: the right of a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’, and the right to transmit that data to another controller.
Privacy by Design
Privacy by design as a concept has existed for years, but it is only now becoming a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition afterwards. More specifically: ‘The controller shall … implement appropriate technical and organisational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects’.
Pseudonymisation
The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of pseudonymisation is encryption, which renders the original data unintelligible; the process cannot be reversed without access to the correct decryption key. The GDPR requires that this additional information (such as the decryption key) be kept separately from the pseudonymised data. Pseudonymisation is recommended to reduce the risks to the data subjects concerned and to help controllers and processors meet their data-protection obligations (Recital 28).
Although the GDPR encourages the use of pseudonymisation to “reduce risks to the data subjects,” (Recital 28) pseudonymised data is still considered personal data (Recital 26) and therefore remains covered by the GDPR. Source: Wikipedia
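As an added illustration of keeping the “additional information” apart from the pseudonymised data (example code written for this page, not CoffeeBean’s software or text from Wikipedia): a keyed-hash pseudonymisation in Python whose key and re-identification table live in a separate store, so the dataset alone cannot be attributed to a subject while the key holder can still act on an erasure request. The records, key and identifiers are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class SeparateKeyStore:
    """Stands in for the 'additional information' that must be held apart
    from the pseudonymised dataset (constructed example component)."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # token -> original identifier

    def token_for(self, identifier: str) -> str:
        # Keyed hash: deterministic per key, so records of one subject stay
        # linkable for analytics, but unguessable without the key (a plain
        # hash of an e-mail address could be undone by hashing candidates).
        normalised = identifier.strip().lower().encode()
        token = hmac.new(self._key, normalised, hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        # Only the key holder can map a token back to the subject.
        return self._lookup.get(token)


DIRECT_IDENTIFIERS = ("name", "email")  # constructed field names


def pseudonymise(record: dict, store: SeparateKeyStore) -> dict:
    """Replace direct identifiers with tokens; other attributes stay as-is."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = store.token_for(out[field])
    return out


def erase_subject(dataset: List[dict], email: str, store: SeparateKeyStore) -> List[dict]:
    """Art. 17 style erasure: the request arrives with the real e-mail, the
    key holder derives the token, and matching rows are dropped."""
    token = store.token_for(email)
    return [row for row in dataset if row.get("email") != token]
```

Without the store, a holder of the dataset sees only tokens and the non-identifying attributes; pseudonymised records nevertheless remain personal data under Recital 26.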
Social-ID support for GDPR
CoffeeBean has developed systems and programs to meet GDPR compliance as a data processor.
Here you will find a list of the GDPR provisions for which we are adding support through continuous software updates:
CHAPTER II
Principles
- Article 7 – Conditions for consent (Recitals 32, 33, 42, 43)
- Article 8 – Conditions applicable to child’s consent in relation to information society services (Recital 38)
CHAPTER III
Rights of the data subject
Section 2 – Information and access to personal data
- Article 13 – Information to be provided where personal data are collected from the data subject (Recitals 60, 61, 62)
- Article 14 – Information to be provided where personal data have not been obtained from the data subject (Recitals 60, 61, 62)
Section 3 – Rectification and erasure
- Article 16 – Right to rectification (Recital 65)
- Article 17 – Right to erasure (‘right to be forgotten’) (Recitals 65, 66)
- Article 18 – Right to restriction of processing (Recital 67)
- Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
Section 4 – Right to object and automated individual decision-making
- Article 21 – Right to object (Recitals 69, 70)
- Article 22 – Automated individual decision-making, including profiling (Recitals 71, 72)
CHAPTER IV
Controller and processor
Section 1 – General obligations
Section 2 – Security of personal data
- Article 32 – Security of processing (Recitals 83, 74, 75, 76, 77)
- Article 33 – Notification of a personal data breach to the supervisory authority (Recitals 75, 85, 87, 88)
Resources
- EU General Data Protection Regulation (EU-GDPR) Table of contents
- EU Regulation