Updated: Jul 20
A Brief on the General Data Protection Regulation (“GDPR”)
By: Zoe Kabillio, Attorney at Law
What Did GDPR Change?
Prior to its coming into effect, a directive governed what companies could and could not collect about their customers and users. The issue with a directive is that it allows each of the member states of the EU to adopt and edit the directive to fit their needs. The GDPR in comparison, must be accepted in its entirety by all member states of the EU. It also applies to companies located outside of the EU, but with activity within the EU. In short, the ratification of the GDPR has made data protection more expansive, up-to-date, non-negotiable and compulsory.
What Is Included in the Provisions of the GDPR?
The GDPR creates a legal framework for the collection, tracking and storage of “data” belonging to residents of the EU. “Data” according to the GDPR is any of the following: 1. Personal information including name, ID, address, telephone number, credit card details, etc. 2. IP addresses, user locations, cookies, RFIDs and other web-based data. 3. Biometric data including fingerprints, and facial recognition. 4. Gender, race, and ethnicity. 5. Health and Genetic data 6. Sexual orientation. 7. Political opinions. 8. Household income.
The GDPR consists of 99 articles, and the full text can be viewed via this link. The GDPR is applicable as of May 25th, 2018. Its eleven chapters are titled the following:
Rights of the data subject
Controller and processor
Transfers of personal data to third countries or international organizations
Independent supervisory authorities
Cooperation and consistency
Remedies, liability and penalties
Provisions relating to specific processing situations
Delegated acts and implementing acts
Becoming GDPR compliant is extremely complicated, and this article will only just cover the tip of the iceberg. In general, however, there are a number of basic doctrines that are worth highlighting.
Article 5 of the GDPR outlines the seven key provisions of the legislation in order to provide the general rules as to how an individual’s data is to be dealt with and protected.
The Principles of the GDPR:
1.The Principle of Lawfulness, Fairness and transparency:
This principle outlines that the processing of an individual’s data must occur in a way that is lawful: legally obtained and legally processed; fair: in a way that the individual would expect and deem an appropriate use of their information, or adversely appropriate method of obtaining said information; and finally, transparent: data collection must be done in a way that it is completely clear to the individual what data is being collected, and how said data is being used.
2.The Principle of Purpose Limitation
3.The Principle of Data minimization
The amount of data that is allowed to be stored must be reduced to a bare minimum. As the saying goes: knowledge is power. Companies have a tendency to collect an endless amount of information, just for the sake of collection. This principle ensures that only the data that is necessary for the outlined purpose will be stored, and everything else will be deleted.
4.The Principle of Accuracy
There are four main components of this principle. Companies must take all reasonable steps to ensure that the data being stored is correct and up to date. All personal data must be maintained and updated. Upon discovery of any misleading or incorrect data, all reasonable steps must be taken to remedy this. Careful consideration must be made as to the maintenance of data storage in order to ensure its accuracy at all times.
5.The Principle of Storage Limitation
Personal data is to be stored for the exact amount of time that is necessary. The length of time data is stored must be completely and legally justifiable as well as periodically assessed. Standard retention period policies must be sent to clients/users. A periodic review must occur in order to determine the potential problems in data retention to provide remedies before they occur. Clients/users have a right to request the erasure of data. The only exception to the rule of data retention even after the expiry of the time limit are: public interest archiving, scientific or historical research, and finally, statistical purposes.
6.The Principle of Integrity and confidentiality (security)
Companies must ensure that they are using appropriate and adequate security measures in order to protect the data being processed and stored. In other words, there must be a sufficient amount of protection against anyone seeking to hack, steal, or otherwise unlawfully obtain said data, as well as to secure against accidental deletion or leakage of said data.
7.The Principle of Accountability
This principle may seem redundant at first, and in fact it is the only principle that did not exist in one form or another in the directive mentioned earlier. A closer look however, reveals that the accountability clause ensures that companies take the steps to accept responsibility for their policy on data processing. For example, exact documentation of data processing policy, employee training sessions, employment of a data protection officer at the company, and regular assessment and evaluation of said policies and of the data itself.
User and/or Customer Rights:
The GDPR also outlines eight the essential rights of any individual whose data is being processed by a company:
The right to be informed: information is given using concise, clear language, easily accessible and free of charge.
The right of access: an individual has the right to access the information easily and free of charge.
The right to rectification: personal data that is incorrect or misleading must be corrected.
The right to erasure: individuals have the right to demand the erasure of their data.
The right to restrict processing: certain circumstances (usually as a result of a request filed by said user/customer) allow for individuals to set restrictions and limits on the processing of their data.
The right to data portability: data being stored must be accessible, easily downloadable and transferrable to clients and/or users.
The right to object: individuals can object to the use of their information for the purposes of direct marketing or profiling.
The individual’s rights in relation to automated decisions and profiling: If any processing of data includes decisions that are automated or automated profiling, users/customers have the right to object to any of these said decisions and to receive human intervention in order to make their request known, receive and explanation and contest it if necessary. (this may not apply in certain circumstances, where automated decisions are necessary for the provision of the service, if explicit consent is given or in certain legally admissible conditions).
The Future of GDPR:
The GDPR has instituted a complex and intricate framework of legislation that governs the way companies process data, as well as protects the rights of the individuals whose data is being handled. In the short time that the GDPR has been in effect, large global companies such as Google, Amazon and Facebook, have already been hit by massive multi-million-dollar lawsuits, in a clear precedent. This trend points to a foreseeable future in which data protection is institutionalized and enforced, and individuals and companies can interact with mutual respect.
For more information on the practical steps you can take toward ensuring GDPR compliance check out our article :
The information provided is solely for your general guidance and does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.