Data Protection History
In 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR) for EU residents as a replacement for the 1995 Data Protection Directive (Directive 95/46/EC). The GDPR is a regulation and not just a directive: it is not open to interpretation by the member states and will be implemented uniformly by one supervisory authority across the entire EU.
The GDPR took effect May 25, 2018. Organizations processing private data of EU residents can achieve compliance through the implementation of appropriate technical and administrative controls, which requires an initial gap analysis.
Applicability and Legal Obligations
The GDPR applies to Controllers and Processors, defined as follows:
- A Controller determines the purposes for and means of processing personal data. Controllers are not relieved of their obligations when a Processor is involved. The GDPR places further obligations on Controllers to ensure that company contracts with Processors comply with the GDPR.
- A Processor is responsible for processing personal data on behalf of a Controller. The GDPR places specific legal obligations on Processors: they are required to maintain records of personal data and processing activities, and have legal liability if responsible for a breach.
The GDPR applies to all business entities processing private data of residents of the EU, including organizations operating within the EU and organizations outside the EU that offer goods or services to individuals in the EU.
Note: The GDPR does not apply to certain activities, including processing covered by the EU Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely for personal or household activities.
Accountability and Penalties
There is currently no statutory GDPR compliance certification: a business entity cannot be certified as GDPR compliant. However, business entities are expected to put in place comprehensive governance measures that minimize the risk of breaches and protect personal data, as specified in the following GDPR sections (articles or recitals):
- Article 5(2) states that a business entity “… shall be responsible for, and be able to demonstrate compliance with” the GDPR requirements for processing of private data.
- Article 58 provides the supervisory authority with the power “… to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case”.
- Article 83 lists the conditions for imposing fines:
  - Fines in amounts up to the greater of €10 million or 2% of global annual turnover (revenue) for the prior year can be levied for the infringement of “… the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43”.
  - Fines in amounts up to the greater of €20 million or 4% of global annual turnover (revenue) for the prior year can be levied for the infringement of the key provisions of the GDPR, including but not limited to non-compliance with the basic principles for processing, infringement of the data subjects’ rights, and transfer of personal data to a recipient in a third country or an international organization.
Personal Data and Identification
GDPR redefines personal data as:
“… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (Article 4(1)).
Recital 24 of the regulation focuses on monitoring and behavioral analysis:
“The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
Recital 30 clarifies the term “online identifier”:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
GDPR also clarifies and extends individual rights for EU residents:
- The right to be informed – Individuals have the right to be told how their data is being processed and why (fair processing information), typically through informed consent and a privacy notice. This right also stipulates that all information supplied to an individual is concise, intelligible, easily accessible, free of charge, and written in plain language, including communications with children.
- The right of access – The right to access personal data and supplementary information, to be aware of the processing, and to verify its lawfulness.
- The right to rectification – Right to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure – Also known as the right to be forgotten: enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- The right to restrict processing – The right to block or suppress processing of personal data. When processing is restricted, storage of the personal data is permitted, but it cannot be processed further. Just enough information about the individual can be retained to ensure that the restriction is respected in future.
- The right to data portability – Allows individuals to obtain and reuse their personal data for their own purposes across different services. Also allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to object – Individuals have the right to object to processing where it is based on legitimate interests or the performance of a task in the public interest or exercise of official authority (including profiling), direct marketing (including profiling), and processing for purposes of scientific or historical research and statistics.
- Rights in relation to automated decision making and profiling – Automated individual decision-making (making a decision solely by automated means without any human involvement) can only be carried out if it is necessary for entering into or performing a contract, is authorized by Union or Member State law, or is based on the individual’s explicit consent.