The GDPR (General Data Protection Regulation) is a complex piece of legislation that’s understandably hard to grasp.
For those looking for advice on how to comply, we’ve provided a summary of the key GDPR requirements in this blog.
1. Lawful, fair and transparent processing
Article 5 of the GDPR states that organisations must document a lawful reason for processing personal data and ensure that data subjects are aware of the ways their information is being processed and used.
That sounds straightforward, but according to a report from our sister company, IT Governance UK, Article 5 violations are the most cited error in penalty notices.
You can ensure that your processing is lawful by reviewing your processes against the GDPR’s lawful bases for processing (more on that later).
To ensure transparency, you should create privacy notices and make them easily accessible to data subjects.
2. Limitation of purpose, data and storage
Another requirement of Article 5 is that organisations can only collect personal data for a specific purpose. They must also document that purpose and ensure that information is deleted when it’s no longer needed.
Processing that’s done for archiving purposes in the public interest or for scientific, historical or statistical purposes is given more freedom.
3. Data subject rights
The GDPR enshrined eight data subject rights:
- The right to be informed
Organisations must tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
This information must be communicated concisely and in plain language.
- The right of access
Individuals can submit DSARs (data subject access requests), which oblige organisations to provide a copy of any personal data they hold concerning the individual.
Organisations have one month to produce this information, although there are exceptions for requests that are manifestly unfounded, repetitive or excessive.
- The right to rectification
If an individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated.
As with the right of access, organisations have one month to do this, and the same exceptions apply.
- The right to erasure
Individuals can request that organisations erase their data in certain circumstances – for example, when the data is no longer necessary, the data was unlawfully processed, or it no longer meets the lawful ground for which it was collected.
- The right to restrict processing
The right to restrict processing is an alternative to the right to erasure, and is applicable when individuals no longer use the product or service for which their data was originally collected, but the organisation needs it to establish, exercise or defend a legal claim.
Instead of deleting the information, therefore, the organisation should limit the way it’s used.
- The right to data portability
Individuals are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that an individual has provided to data controllers by way of a contract or consent.
- The right to object
When organisations process personal data using legitimate interest or the performance of a task in the public interest or in the exercise of official authority as their lawful basis, individuals can object to the processing.
If individuals exercise this right, organisations must stop processing the information unless they can demonstrate a reason for the processing that overrides the interests, rights and freedoms of the individual.
- Rights related to automated decision making including profiling
The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals.
There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.
4. Consent
There is a misconception that the GDPR requires organisations to gain an individual’s consent before processing personal data. In fact, consent is only one of six lawful bases, and it should only be sought if the others don’t apply.
When consent is the most applicable, organisations must follow specific rules.
Essentially, consent must be given with a clear affirmative action. In other words, individuals need a mechanism that requires a deliberate action to opt in, as opposed to pre-ticked boxes.
5. Personal data breaches
Data breaches are at the heart of the GDPR, so it’s essential that you understand exactly what is covered in this term.
Article 4 defines a personal data breach as any event leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
As this suggests, data breaches aren’t always a result of cyber criminals hacking into an organisation’s systems.
They may also occur as a result of an employee sending an email containing sensitive information to the wrong person, accessing files that aren’t relevant to their job function or sharing files with someone outside the organisation.
Incidents that render organisations unable to access systems containing personal data, such as ransomware attacks or damaged hardware, are also considered data breaches, because the information is no longer accessible.
6. Privacy by design
The concept of ‘privacy by design’ isn’t new, having previously been considered best practice. However, with the GDPR, it has become mandatory.
So what exactly is it? It requires organisations to consider privacy at the outset of their data processing practices, rather than bolting privacy features on retroactively.
This means that organisations must:
- Implement appropriate technical and organisational measures designed to implement the data protection principles; and
- Integrate safeguards to comply with the GDPR’s requirements and protect the individuals’ rights.
7. Data protection impact assessment
Article 35 introduces the concept of DPIAs (data protection impact assessments).
These help organisations identify and minimise privacy risks in data processing activities. They are essential if you process any high-risk data, but they are also relevant when you are introducing a new data collection process, system or technology.
The GDPR states that DPIAs must be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”.
It doesn’t define ‘high risk’, but it generally refers to the use of:
- Systematic and extensive profiling;
- Special category or criminal offence data on a large scale; and
- Systematic monitoring of publicly accessible places on a large scale.
8. Data transfers
The rules surrounding data transfers depend on where you are moving data to and from.
Organisations that transfer personal data within the EU don’t need to take any additional steps to protect that personal data.
However, if you are moving data to a third country, you need to use one of the safeguards outlined in Article 46.
In most cases, that will mean using SCCs (standard contractual clauses), which apply when organisations are sharing data with non-EU-based organisations in a straightforward manner.
The European Commission has so far issued two sets of SCCs for data transfers between data controllers, and one set for data transfers between data controllers and data processors.
9. Data protection officer
A DPO (data protection officer) is an independent data protection expert who is responsible for advising an organisation on how to comply with its regulatory requirements.
The requirements for a DPO are outlined in Article 39, and include:
- Advising staff on their data protection responsibilities;
- Monitoring the organisation’s data protection policies and procedures;
- Advising management on whether DPIAs (data protection impact assessments) are necessary;
- Serving as the point of contact between the organisation and its supervisory authority; and
- Serving as a point of contact for individuals on privacy matters.
10. Awareness and training
Staff awareness training is mandatory for anyone who handles personal data or who is responsible for overseeing data protection practices.
You should also ensure that training is relevant to the work that employees do. For example, those responsible for processing personal data should be taught about their responsibilities and the threats that come with that.
Senior personnel should be taught these things alongside the data protection strategy, covering things such as privacy by design and DPIAs.
GDPR compliance made simple
Those looking for help meeting their data protection requirements should take a look at our GDPR Toolkit.
Designed and developed by GDPR experts, the toolkit contains a complete set of template documents to demonstrate your compliance practices.
It’s ideal for anyone who wants help completing their documentation requirements quickly and easily – but it’s more than simply a set of templates. It also includes:
- Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
- Two licences for the GDPR Staff Awareness E-learning Course; and
- Guidance documents covering data subject consent forms, data retention records, and pseudonymisation, minimisation and encryption.