The General Data Protection Regulation (GDPR) has affected everyone, from individuals to global corporations, companies and organisations, both inside and outside of the European Union (EU); it has transformed marketing practices, the way in which data is managed and given people control of their own personal information.
With a year having passed since its implementation, now seems to be an appropriate time to look back and reflect upon some of the most common myths, misconceptions and misinformation surrounding the GDPR.
Whilst a lawful basis is required in order to utilise personal data, there are six to choose from:
- Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal Obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
- Vital Interests: The processing is necessary to protect someone’s life.
- Public Task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate Interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Due to the high standard for consent set out by the GDPR, the complexities involved and the potential to significantly affect the way in which an organisation operates, it is, more often than not, preferable for an organisation to rely upon another lawful basis.
2. Individuals’ Rights
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Whilst these rights are a significant part of the GDPR, they’re not absolute and may be superseded by other legal rights and/or obligations. For example, an individual’s right to erasure does not apply if processing is necessary for one of the following reasons:
- To exercise the right of freedom of expression and information.
- To comply with a legal obligation.
- For the performance of a task carried out in the public interest or in the exercise of official authority.
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
- For the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- If the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices).
- If the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
3. Data Must Be Stored in the EU
Many organisations hold the mistaken belief that under the GDPR all personal data must reside within the EU and cannot be transferred outside of it. This would be particularly problematic given the nature and increasing proliferation of cloud storage solutions.
The GDPR framework states that, “flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international trade and international cooperation”.
A requirement of the GDPR is that the transfer of data outside of the EU must only occur with countries deemed as having adequate data protection laws. Whilst the US is not considered to meet this requirement, the Privacy Shield is an agreement between the EU and US that allows for the transfer of personal data; this is based upon the participating organisation being regarded as having satisfactory protection in place.
4. All Data Breaches Must Be Reported to the Information Commissioner’s Office (ICO) and the Individuals Affected Immediately
A significant change that the GDPR brought about was the requirement for data controllers to notify the ICO of certain types of personal data breach within 72 hours of them becoming aware of the breach, where feasible.
In instances where the breach has the significant potential to have a negative effect on individuals’ rights and freedoms, then those individuals must also be informed, and without any undue delay.
It should be noted that it is the data controller’s responsibility to notify the data subjects and the ICO of any high-risk breach; the data processor must inform the data controller of any such occurrence but is not obligated to notify the ICO.
Unfortunately, it’s not always practical for organisations to provide accurate details of data breaches straight away, as the incident will need to be investigated so as to ensure the accuracy of the information supplied; remedial and/or preventative measures may also need to be put in place to prevent further adverse impact or related occurrences in the future.
So, whilst the ICO should be notified as soon as is reasonably possible, they will not expect to be provided with in-depth analysis and reports, which can be provided later. They will be more concerned with the cause of the breach, the way in which the incident is being dealt with and the actions being taken to mitigate the problem.
In the event of a suspected data breach, it is always advisable to contact the ICO who will ascertain the level of risk posed to the individuals affected and be able to recommend the best course of action. You may also be required to report the breach under other laws such as the Privacy and Electronic Communications Regulation (PECR), the Electronic Identification and Trust Services (eIDAS) Regulation or the NIS Directive. Regardless of whether or not you are required to notify the ICO, you must keep a record of the incident.
5. Data Breach Fines
One of the most publicised aspects of the GDPR is the potentially enormous fines for non-compliance, with the maximum being set at either €20 million or 4% of annual global turnover, whichever is higher; this represents a massive increase on the maximum of £500,000 allowed for under the Data Protection Act (DPA) 1998.
It is, however, unlikely that most organisations would be subjected to such high fines; Information Commissioner Elizabeth Denham has stated, “Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense”, adding, “We intend to use those powers proportionately and judiciously. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
Indeed, this is echoed by the fact that, of the 18,300 data protection cases which the Information Commissioner’s Office (ICO) handled between 2016/17, it issued just 16 fines totalling £1.6 million for serious breaches, and it had never once issued the maximum fine afforded by the DPA 1998 until the infamous Cambridge Analytica data scandal and Equifax data breach late last year.
As such, the most severe punishments will likely be reserved for global corporations who face the most serious of breaches, repeatedly fail to comply with the regulation or make no meaningful attempt to do so.
One high-profile example of this, and the highest penalty issued under the GDPR thus far, is that of Google, who were recently fined €50 million by the French data regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), for lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.
Despite the scale of the punishment, the fine represented just 0.0005% of the company’s annual turnover for 2017.