What Is the GDPR?
The General Data Protection Regulation protects any information that could be used to identify an individual in the European Union, either directly or indirectly. People share their personal data with us in many ways, every day!
Every time someone fills out a form, signs up to a new online service, signs an employment contract, or downloads an app, they’re sharing personal data. And these are just some of the many ways people share their personal data.
And we have a legal and moral responsibility to protect all personal data shared with us.
It could be a name, photo, email address, date of birth, ethnicity, religion, financial record, medical information, or employment history. It could even be posts on social networking sites.
Any organization, regardless of where it is located, that is established in the European Union or the European Economic Area, or that offers goods or services to, or monitors the behaviour of, individuals in the EU or EEA, must comply with the GDPR.
As a company that holds and processes personal data, we need to comply with the GDPR, and we’re relying on you to help us do that.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
The regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.
The Key Players
The GDPR, which became fully applicable on 25th May 2018, defines the three main players in data protection:
- Data Controllers – the people or organizations that collect, manage, and make decisions about what’s done with personal data
- Data Processors – the people or organizations that process personal data on behalf of the controller
- Data Subject – an identified or identifiable person to whom the “personal data” relates.
How Does the GDPR Protect Personal Data?
Let’s take a look at a real-life example of how these three main players interact when it comes to the processing of personal data. Antoine is the data subject in our example.
Antoine lives in Paris. As part of his job, Antoine has to travel frequently and he provided personal data like his name, email address, and date of birth to a travel booking company.
He agreed to the company’s privacy statement which included a request that he consent to the company storing his personal data. However, he didn’t consent to the company disclosing his personal data to other parties.
He was relieved to see that the privacy statement wasn’t as complicated as previous ones he’d seen. Under the GDPR, requests for consent must be provided in an easily accessible form, must be written in plain language, and must clearly state how any personal data collected will be processed or held.
Under the GDPR, companies also won’t be able to rely on silence, pre-ticked boxes, or inactivity as a basis for consent.
Consent is one of the lawful bases for processing personal data under the GDPR (it is not the only one). If we want to rely on consent as the lawful basis for any of our processing activities, we need to ensure that:
- Data subjects are provided with a clear explanation of the processing to which they are consenting
- The consent mechanism is genuinely of a voluntary and “opt-in” nature (e.g., pre-ticked boxes do not constitute valid consent)
- Data subjects are permitted to withdraw their consent easily
- Any consent is really freely given (e.g. an individual must have a genuine or free choice and the ability to refuse or withdraw consent without detriment)
- Consent is documented and recorded
In this case, the travel booking company has adhered to GDPR by keeping their privacy statement simple and easy to understand. Antoine is confident that the company won’t be able to share his personal data with anyone else without asking him for permission first.
Under the GDPR, companies must also be able to demonstrate that individuals have actively provided consent for the company to process their personal data. It must also be easy to withdraw consent if the data subject wishes – as easy as providing consent in the first place.
Two weeks later, Antoine starts to receive emails from a different company trying to get him to book hotels with them. He doesn’t know where they got his email address from; but the more he thinks about it, the more he suspects that the information he provided the travel booking company may have been shared with someone else.
Next, Antoine will ask for your help in determining how this different company got his information, and then we’ll see how the GDPR penalizes breaches.
What Can Antoine Do?
Antoine asks you what he can do to try and find out how this other company got his personal data.
What would you tell him?
- As is his right under the GDPR, he should file a Subject Access Request (SAR) with the travel booking company for access to the data they hold on him and how they process this data.
- There isn’t much Antoine can do in this situation. When he provided his personal data, he consented to the travel booking company storing his personal data. This also means that they can then use this data in whatever way they see fit.
Under the GDPR, companies need to have processes in place to deal with SARs, which must be answered – for free – within a set time scale, generally one month (extendable by a further two months where requests are complex or numerous, provided the data subject is told within the first month). If a SAR is manifestly unfounded or excessive, a reasonable fee may be charged or the request refused. Aggrieved data subjects can complain directly to a company, to the appropriate Supervisory Authority (SA), or go to court.
Each EU member state has an SA to hear and investigate complaints.
When Antoine receives the details of how his personal data was used, he discovers that the travel booking company used a third-party – the data processor – to hold and process his data.
The data processor sold Antoine’s personal data to a marketing agency. Antoine asks you if there is anything he can do to ensure the travel booking company and the third-party processor are punished for misusing his personal data.
What would you tell him?
- Yes. He can file a complaint with the French Supervisory Authority (SA) who will then investigate the issue.
- No. There isn’t much he can do in a situation like this. Once a third-party is involved, there is no way the third-party can be investigated.
- He can report the misuse of his personal data to local law enforcement and they will launch an investigation.
Each member state has a Supervisory Authority (SA) whose functions include investigation and enforcement of the GDPR, cooperating with other national SAs, and dealing with data subjects’ complaints.
In many cases, the same company is both the data controller and the data processor: it decides what is done with the personal data and also carries out the processing itself.
Antoine filed a complaint with the French Supervisory Authority. The SA investigated the travel booking company and the third-party data processor and found numerous breaches of the GDPR.
In particular, they discovered the failure to secure sufficient customer consent before processing the customers’ data.
What sanctions can the SA impose?
- They can impose a fine of up to 4% of annual global turnover or €20 million, whichever is greater.
- They can impose fines of up to €25 million, plus prison terms of up to five years for the individuals involved.
- They can impose a fine of up to 2% of annual global turnover or €10 million, whichever is greater.
Thanks for helping Antoine
Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for the most serious breaches of the GDPR.
Serious GDPR infringements in this top tier include:
- Failure to secure sufficient customer consent (or another valid lawful basis) before processing the customers’ data
- Breaching data subjects’ rights
- Unlawful international transfers of personal data
Failing to keep personal data secure (Article 32) and failing to notify a data breach are also sanctionable, but fall under the lower tier of up to 2% of annual global turnover or €10 million, whichever is greater.
If you have any questions about how to process personal data, you can find out who to contact here.
Adrienne works in her company’s Amsterdam office. She needs to supply sales figures and customer account information (both containing personal data) to an operating company in Denmark.
She asks your advice on what red flags she needs to watch out for before making a cross-border transfer to the company in Denmark.
Can you identify the three red flags?
- The data was collected without specific consent from the data subject.
- The data was collected without informing the data subject that it would be transferred.
- The purpose for processing the data is materially different to the purpose for which it was originally collected.
- The data is being transferred to another jurisdiction in the EU.
Thanks for helping Adrienne
Before you can even consider a transfer, you must be sure the collection and processing of any personal data complies with the principles of the GDPR.
Only relevant and necessary data should be collected, a lawful basis for the processing (such as the data subject’s consent) must be established in advance, and the data should only be processed for the specified, explicit, and legitimate purposes that were communicated to the data subject when it was collected.
Data collected for a specific reason must not be reused for other purposes that are incompatible with the initial one, regardless of where the processing takes place. Once the data protection principles of the GDPR are met, the data may be transferred to any EU member state or European Economic Area (EEA) country without additional safeguards; transfers to countries outside the EEA require an adequacy decision or appropriate safeguards such as standard contractual clauses.
This content is an extract from the GDPR Training Course