Data protection legislation is nothing new, but GDPR does enhance the rules, introduce tougher obligations and build on or change previous data protection definitions. Here are some handy answers to frequently asked questions.
Q: What is the relationship between GDPR and the UK Data Protection Act (DPA)?
A: As an EU Regulation, GDPR became automatically enforceable across all EU member states from 25th May 2018.
The GDPR gives EU Member States limited opportunities to make provisions to vary how it applies within their country, known as ‘derogations’. The UK Data Protection Act 2018 is now in force to give clarity to UK organisation how GDPR applies for the UK including the UK’s position on these derogations.
For example, the UK has set the age of consent of a child in respect of information society services at 13. This age will differ across other Member States.
The DPA 2018 also covers data processing that does not fall within EU law, for example immigration and national security. It is therefore important that GDPR and DPA 2018 are read alongside each other.
Q: How has the definition of ‘personal data’ changed under GDPR?
A: Personal data is any information which relates to a living individual who can be identified or is identifiable from that information. For example, a name, an address, a passport number, location data, an online identifier and the list goes on. As well as clearly including individuals’ contact details it also extends to our business contacts from which we can be identified.
The concept of identifiable requires careful consideration; could one piece of information plus another piece of information make an individual identifiable?
It is worth noting that GDPR applies to personal data that is processed wholly or in part by automated means. If not automated, personal data that forms part of a filing system (or be intended to form part of filing system) would be covered the the Regulation.
Q: What is Special Category Data?
A: Certain types of personal data require higher levels of protection. Under the previous DPA 1998 the term “sensitive data” was used. The definition of what is now termed ‘special categories’ of personal data has been enhanced under GDPR and covers personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- data concerning health or sex life
- sexual orientation
- genetic data
- biometric data
The processing of such information is restricted under GDPR. See GDPR Article 9 for more details.
Sometimes this needs careful consideration as at first you may not think you are processing special category data. It is worth considering that some dietary requirements could indicate religious beliefs and different seemingly innocuous pieces of information if combined could reveal sexual orientation.
Many people wonder why the above information is given special protection, the root of this lies in human rights and data protection principles which emerged in Europe after World War Two. A war in which individuals were persecuted for their ethnic background, religious beliefs or indeed sexual orientation.
Q: What are the 7 GDPR data protection principles?
A: Data protection laws across the globe have always had at their heart core data protection principles. GDPR specifically stresses the requirement for organisations to be accountable. The seven principles are:
1. Lawfulness, Fairness & Transparency
2. Purpose Limitation – be clear about the purpose(s) you will use personal data for
3. Data Minimisation – only collect the personal data you need for your clear purpose(s)
4. Accuracy – personal data should not be inaccurate or misleading
5. Storage Limitation – don’t keep personal data for longer than you need it for your clear purpose(s)
6. Security – ensure appropriate security measures are in place to protect personal data
7. Accountability – you must be able to demonstrate your commitment to all of the above.
Q: What is the difference between a data controller and a processor?
A: There can be some confusion around the difference between a controller and a processor, and indeed these roles can sometimes be complex to ascertain. Also, some organisations can act as both a controller and processor for different processing activities.
In essence the distinction that needs to be drawn is that the controller determines the means and purposes of processing personal data (the ‘why’ and ‘how’ the data is to be used)’ and a processor is instructed by a controller to process personal data on the controller’s behalf. The processor cannot change the purpose or use of the data.
The GDPR strikes a balance of responsibilities placed on both the controller and processor making them both jointly and severally liable.
Article 28 of the GDPR stipulates that written contracts between controllers and processors are a strict requirement.
Q: What rights do individuals have?
A: Under GDPR there are 8 fundamental rights of individuals and these are:
- The right to be informed – GDPR requires organisations to act in a transparent way with individuals. Organisations must inform individuals about how their personal data will be used. There are strict requirements surrounding what information must be provided. Organisations must be clear about how they are using personal data.
- The right of access – Individuals have the right to ask organisation to provide a copy of their personal data and the purpose(s) for which it is being processed. This is known as a Data Subject Access Request (DSAR).
- The right of rectification – Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to having their personal data deleted or removed. This is not an absolute right and there will be circumstances in which an organisation can justifiably retain personal data.
- The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
- The right to data portability – This allows individuals, in specific circumstances, to receive the personal data they have provided to a controller in a specific format. It also gives them the right to request a controller transmits this directly to another controller. For example, you may be being provided with a service from one controller and wish your personal data to be transferred to another provider.
- The right to object – Individuals have an absolute right to object to direct marketing. They may also object to the processing of their personal data for different purposes in certain circumstances. A controller may continue to process personal data where they can demonstrate a compelling reason to do so.
- Rights of automated decision making and profiling – GDPR introduces a definition of profiling, and introduces specific provisions surrounding automated decision-making and profiling. Individuals have the right to object to profiling in certain circumstances.
Q: What is Data Subject Access Request?
A: Right of Access, also known as a DSAR gives individuals the right to obtain a copy of their personal data being processed by a Controller as well as other supplementary information. (See Article 15). This ‘Right of Access’ helps individuals to understand why and how you are using their personal data.
An organisation who has been issued with a DSAR has one calendar month from the date it is received to provide information to the individual. Where the controller requests identification from the individual then the date would start once the identification has been provided. For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
A request can be made in writing or verbally and can be made to any part of an organisation (including via social media) and it does not have to be addressed to a specific person or contact point. A request does not have to include the phrase ‘subject access request’, as long as it is clear that the individual is asking for their own personal data.
Q: What are ‘lawful bases’?
A: Under GDPR there are six lawful bases for processing personal data. Which basis to use will depend on the purpose and relationship with the individual whose data you wish to process. It’s important to note that no single basis is ’better’ or more important than the other and you must determine your lawful basis for each processing activity. The six lawful bases for processing are:
- Consent – the requirements for consent to be valid under GDPR are stricter. Consent is a freely given, informed and unambiguous indication of an individual’s wishes given by a clear affirmative action.
- Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation – the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests – the processing is necessary to protect someone’s life.
- Public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests – the processing is appropriate when you are using people’s data in a way that they would reasonably expect and has minimal privacy impact on the rights and freedoms of the individual. The key is a balance between the organisation’s (or a third party’s) legitimate interests and the individual’s privacy rights and freedoms. Legitimate interests may be considered one of the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. For more information see our industry-led Legitimate Interests Guidance.
Q: What is a personal data breach?
A: A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
It is important to distinguish between a data incident, which may or may not include personal data, and an actual data breach (which does include personal data).
An example of a data breach could be sending personal data to the wrong recipient, a USB stick, mobile phone or laptop being lost or stolen or a malware or phishing attack. Many data breaches are due to human error, so training staff is important to mitigate risks, equally critical is having robust organisational and technical security measures in place.
Q: What should I do if there is a data breach?
A: When a suspected personal data breach has occurred, it’s critical to establish the likelihood and severity of the risk to the people’s rights and freedoms. Immediate action should be taken to ensure that no further personal data is compromised. You must notify the your Supervisory Authority (in the UK that’s the ICO) within 72 hours if you judge the breach presents a ‘risk’ to those affected.
There is a further requirement to notify affected individuals without undue delay if the breach represents a ‘high risk’ to them. If you choose not to report it to the ICO, you must document that decision so you can justify your position later if necessary.
You can read more on how to report a data breach on the ICO website.
Q: What is a privacy notice under GDPR?
A: A privacy notice is a public statement that outlines how your organisation applies the key data protection principles when processing personal data. Such notices needs to be transparent and written in a clear and easy to understand way that is accessible to individuals. Also see the ICO’s guidance on the right to be informed.
Q: What will the financial penalties be for failing to comply with GDPR?
A: There are different layers of fines depending on the type of infringement, but failure to comply with the GDPR could result in fines of up to a maximum of €20 million or 4% of annual global turnover. These potential fines are far higher than under previous legislation.
The ICO and other European regulatory bodies also have a number of corrective powers and sanctions. They can request an organisation to cease processing personal data and can investigate in various ways such as conducting audits, issuing warnings or demanding access to premises. In addition to these consequences you should also consider the potential for damage to an organisation’s reputation and share price due to a data breach which goes public.
Gemma Johnson, November 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.