The Lowdown on Personal Data: GDPR part 2
We all leave a digital trace across the sites, platforms and providers we interact with, and we trust that these hosts or services will safeguard our personal information in a way that has been sanctioned by the appropriate authorities.
We know that personal data needs to be protected, and that it can leave us vulnerable if it is not. We expect our data to be protected, but we might not understand what this involves, or know how it should be kept. Many of us may not be able to outline exactly what constitutes personal data, particularly as the definition is always liable to change as technology develops.
This blog will present an overview of some of the key changes in the treatment of personal data under GDPR. It will also point you in the direction of other sources that can help you understand how your data will be handled under GDPR, and how (as an organisation) you should be handling other people’s information.
What constitutes ‘Personal Data’?
According to article 4(1) of the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
The European General Data Protection Regulation (GDPR) has expanded the definition of personal data to include modern forms of ‘identifiers’ that are often collected from citizens, such as IP addresses. Other data such as the subject’s race, political opinions, religious beliefs, health conditions, as well as the new additions of biometric and genetic data are also considered personal data.
Your rights under GDPR
The following are the rights you can expect under GDPR when it comes to your personal data. It is important to note that many of the points below are subject to additional conditions, which should be explored before calling on any of these rights. You can find more details in this overview from the Information Commissioner’s Office (ICO).
- The right to be informed
This area of the regulation outlines when you are obliged to inform individuals about how their data is being processed.
- The right of access
Individuals will have the right to access: confirmation that their data is being processed; their data itself; and supplementary information, which should largely correspond to the information provided in a ‘privacy notice’.
- The right to rectification
Individuals have the right to have their personal data rectified if it is inaccurate or incomplete. If details have been shared, this will also involve notifying third parties of any rectification.
- The right to erasure
Also known as ‘the right to be forgotten’. The individual can request that all their data is removed or deleted, but there are specific circumstances which you can find here.
- The right to restrict processing
Users have the right to suppress or restrict the processing of personal data. When this happens, organisations are still allowed to store the data, but cannot process it any further. As the ICO explains, ‘You can retain just enough information about the individual to ensure that the restriction is respected in future’.
- The right to data portability
This right enables individuals to obtain and reuse (move, copy, or transfer) their data for their own purposes.
- The right to object
As with the right to erasure, there are certain conditions when an individual can object to their data being processed. Details about the conditions can be found here.
- Rights in relation to automated decision making and profiling
GDPR also provides safeguards against automated decisions made about individuals using their data. It’s important to check whether your systems involve these kinds of automation, and whether you will be compliant.
The regulations for processing personal data bear many similarities to the 1998 Data Protection Act but with added conditions. According to the ICO, to lawfully process personal data, at least one of the following conditions must be met:
- The consent of the data subject must be obtained.
- The processing of said data is required for the performance of a contract with the data subject, or the processing is needed in order to take steps towards entering into a contract.
- Processing is needed to fulfil legal obligations.
- Processing is necessary to protect the data or vital interests of a data subject or another person.
- Processing is necessary for the purposes of legitimate interests of the controller or third party (except when the interests, rights or freedoms of the data subject override these).
What’s the ‘One Stop Shop’ mechanism?
‘One Stop Shop’ refers to the mechanism that ensures organisations with multiple branches across EU states will be required to answer to a single supervisory authority based in the same area as their main establishment (usually in their EU headquarters). The aim of this mechanism is to ensure that all organisations, regardless of location or border, can deal with their issues from their home base, and that such issues can be consistently addressed across the entire EU.
What happens if you’re non-compliant?
It might seem like there are hundreds of hoops to jump through for GDPR, but the more you research and understand the requirements for your organisation, the clearer your path to compliance will be. It’s estimated that 69% of companies are currently ‘unprepared’ for GDPR, which is concerning, given the timeframe and the consequences of non-compliance. By 25th May 2018, all organisations that fall under the regulation must be compliant, otherwise they will face the consequences of non-compliance. The punishments for non-compliance can range from warnings to heavy fines of up to €20 million or up to 4% of total global revenue for the previous year, whichever is greater.
GDPR is coming, and you won’t want to be part of the 69% when it does, so now’s the time to learn all about what the regulation means for your organisation. In our next post, we’ll be exploring what GDPR means for small to medium companies who don’t have entire teams, consultants, or extensive resources available for implementing compliance strategies. If you’re an SME and you’re unsure how to approach GDPR, make sure you check back on the blog for specific tips and guidance on becoming compliant.
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365.