What is GDPR?
The General Data Protection Regulation is the European data privacy law that aims at changing the way EU citizens’ personal data is collected, processed and stored, transferring the power over personal data from companies to data subjects.
A person’s identity is no longer just a set of randomly floating data; the new law provides power, control and consent over the shared data.
According to the GDPR, personal data must be processed only when there is a clear purpose and legal grounds for it, and data subjects must be informed about the data collection before any personally identifying information is collected. When personal data is processed based on the consent of the data subject, that consent needs to be collected before or at the time of data collection, and the processing must meet the requirements of the GDPR on transparency, providing clear and understandable information to data subjects about the processing and their rights.
Even though the first step towards GDPR compliance is awareness and a thorough understanding of what changes the regulation has brought, acknowledging its impact on your organization is the starting point towards compliance.
What is Personal Information and what are other key definitions?
Under the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Any processing of special categories of data is prohibited under the GDPR, with very specific exceptions, with the understanding of special categories being data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.”
The GDPR distinguishes between a data controller and a data processor as follows:
- 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In addition, it includes two more types of identification data, namely:
- 'genetic data', which means “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”, and
- 'biometric data', which means “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
Last but not least, according to the GDPR, 'processing' means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Who has to comply with the GDPR?
Any organization (for-profit, nonprofit and governmental) that processes personal data of European citizens and residents, regardless of the organization’s location, has to comply with the GDPR.
Who is excluded from GDPR compliance?
The GDPR does not exclude businesses based on size, revenue or location, but it can exclude certain types of data such as:
- Data processed by a natural person “in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.”
- Anonymised information.
- Personal data of deceased persons.
- Data processing done in the context of national security or law enforcement.
- Data processing done in the context of journalism as it cannot suppress the free press.
- Data processing done in the context of education.
How can I keep my organization GDPR compliant?
There are six principles that the GDPR outlines in Article 5 that help companies be compliant:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
These can be followed if you make sure to follow the below checklist:
- Assess whether your company needs to appoint a DPO (based on volumes and types of data processed).
- Create a Privacy Notice and inform data subjects when you collect their data.
- Publicly display your company's name and contact information, as well as your DPO's name and contact information, if your company has assigned one.
- Communicate European data subjects' rights clearly.
- Empower data subjects to exercise their data privacy rights by setting up a method they can use to easily submit requests.
- Verify the identity of data subjects before acting on the requests you receive.
- Enforce internal processes to respond to the data subject's requests in time (30 days).
- Update and communicate your cookie / data collection policies to include information on what personal data you collect, why, for how long, what the legal basis for collecting it is, where you store the data and who you share it with.
- Classify and map data, legal bases, processing purposes and data processors.
- Ensure cookie compliance by asking users' consent before loading any scripts on your website.
- Ensure the security of personal information through security and privacy practices.
- Document that you collected consent before performing any processing activity that is governed by users' consent.
- Demonstrate that you have respected users’ rights and addressed their requests.
What data access rights does GDPR grant?
According to the GDPR, data subjects have the following rights:
- Right of Access: Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is processed, and where that is the case they have the right to request and get access to that personal data.
- Right to be Forgotten: Officially called the “Right to Erasure”. In certain cases, data subjects have the right to obtain the erasure of their personal data.
- Right to Data Portability: Data subjects have the right to receive their personal data from data controllers in a structured format, and they have the right to transmit such personal data, or have it transmitted, to another controller.
- Right to Restriction of Processing: Under GDPR, data subjects have the right to obtain the restriction of processing, applicable for a certain period and/or for certain situations.
- Right to Object: In certain cases, data subjects have the right to object to processing of their personal data, including with regard to profiling. They have the right to object to further processing of their personal data insofar as such data has been collected for direct marketing purposes.
- Right to Rectification: Data subjects have the right to obtain the rectification of inaccurate personal data and they have the right to provide additional personal data to complete any incomplete personal data.
- Right to Reject Automated Individual Decision-Making: Data subjects have the right to not be subject to a decision based solely on automated processing.
How to address data subject access requests under GDPR?
Under the GDPR, companies also have less time to respond to data subject requests – one month instead of 40 calendar days.
This legislative shift puts customers in the driving seat, something which holds a range of implications for companies with large banks of customer data. Today, companies need to be more transparent with the data they collect and they need to obtain explicit consent from the people they collect information from, or face big fines. GDPR obliges companies to confirm where data is being held, if they have deleted data, and what they will do with it. Previously it was often held in unsecured places and companies presumed that it was fine to simply take data.
Additionally, the GDPR requires companies to correct or erase a customer’s personal data upon request, according to their rights. Individuals can also stop an organization from processing their data after a certain amount of time, or for certain situations. Furthermore, businesses must comply if an individual files a complaint about the way their data is being used, or if they object to having their personal data processed for any other purpose than those originally stated at the time of consent.
Upon receiving a data subject access request, you must:
- Verify the identity of the person who submitted the request;
- Make sure you understand the type of request;
- Review the information you send as your response to the request;
- Provide the data subject with the information in a format that is easy to access.
The GDPR mandates that your company should have a Data Protection Officer, also known as a DPO, who is responsible for monitoring and replying to requests.
Enforcement and penalties
According to the GDPR, “each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).”
The supervisory authorities will assess each situation on a case-by-case basis and determine the penalties imposed, but the GDPR states that for severe violations of its provisions the penalties can reach up to €20 million or 4% of annual global revenue, whichever figure is higher.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.