GDPR Compliance Guide

Effective May 25, 2018

General guidance for understanding and complying with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

This document contains an introduction to the General Data Protection Regulation (GDPR) and all of its various requirements for compliance. Each chapter within this Cheat Sheet contains a specific topic related to GDPR compliance, sub-sections that support the topic, and Frequently Asked Questions (FAQs).

Here is a breakdown of the GDPR and its requirements.

GDPR Compliance Guide

Background

Regulation (EU) 2016/679 is commonly known as the General Data Protection Regulation or “GDPR”. The regulation was drafted by the European Parliament and Council with the specific objective “to give citizens back control over of their personal data, and to simplify the regulatory environment for business.” In other words, GDPR strengthens the rules for privacy and unifies data protection for all European Union (EU) residents.

The official site dedicated to GDPR is maintained by the European Commission: http://ec.europa.eu/justice/data-protection/index_en.htm

GDPR mandates a set of requirements for all companies that handle personal data belonging to an EU citizen.

GDPR Enforcement Date was May 25, 2018

NOTE: Large portions of this document have been copied from the United Kingdom’s Information Commissioners Office website (https://ico.org.uk).

Who does the GDPR apply to?

The GDPR applies to “controllers” and “processors” of personal information for organizations operating within the EU and/or organizations outside of the EU that offer goods and services to individuals in the EU.

The GDPR applies to “controllers” and “processors.”

A controller says how and why personal data is processed, and a processor acts on the controller’s behalf. Official definitions for these terms are found in Article 4 Definitions of the Regulation.

  • If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
  • If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

If you are not a controller or a processor, you DO NOT need to comply with GDPR

The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside of the EU that offer goods or services to individuals in the EU.

There are certain exceptions made in the GDPR for law enforcement and governmental activities.

If you do not operate in the EU or you do not offer goods and services to individuals in the EU, you DO NOT need to comply with GDPR

What information does the GDPR apply to?

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. GDPR applies to personal data and sensitive personal data.

  • Personal data is any information related to a natural person or “Data Subject,” that can be used to directly or indirectly identify the person. Personal data that has been pseudonymized – e.g. key-coded – can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to an individual.
  • Sensitive personal data are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (see Article 10).

If you do not handle personal or sensitive personal data, you DO NOT need to be GDPR compliant.

Key GDPR Considerations

If you are a “controller” or a “processor” AND you are an organization that operates in the EU, or you are an organization that offers goods or services to individuals in the EU, then these considerations are applicable.

Lawful Processing

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. It is important that you determine your lawful basis for processing personal data and document this. Article 6 of the GDPR covers the “lawfulness of processing.” This becomes more of an issue under the GDPR because your lawful basis for processing influences individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, like to have their data deleted. The GDPR allows member states to introduce more specific provisions in relation to Articles 6(1)(c) and (e):

“(c) processing is necessary for compliance with a legal obligation;”

“(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

These provisions are particularly relevant to public authorities and highly regulated sectors.

The tables below set out the lawful bases available for processing personal data and special categories of data.

Lawfulness of Processing Conditions

6(1)(a) – Consent of the data subject

6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract 6(1)(c) – Processing is necessary for compliance with a legal obligation

6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person

6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

6(1)(f) – Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject

Note that this condition is not available to processing carried out by public authorities in the performance of their tasks.

Conditions for Special Categories of Data

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

9(2)(b) – Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement

9(2)(c) – Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent

9(2)(d) – Processing carried out by a not-for-profit body with a political, philosophical, religious, or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent

9(2)(e) – Processing relates to personal data manifestly made public by the data subject

9(2)(f) – Processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their judicial capacity

9(2)(g) – Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards

9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

9(2)(i) – Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices

9(2)(j) – Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1)

Reference

Articles 6-10 and Recitals 38, 40-50, and 59

Consent

Consent is mandatory and must be verifiable.

Consent under the GDPR must be a freely given, specific, informed, and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or, in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes, or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take care to ensure that consent is freely given.

Consent must be verifiable, and individuals generally have more rights where you rely on consent to process their data. Article 7 of the GDPR covers “conditions for consent.”

Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organization’s or a third party’s legitimate interests.

Reference

Articles 4(11), 6(1)(a), 7, 8, 9(2)(a) and Recitals 32, 38, 40, 42, 43, 51, 59, 171

Children’s Personal Data

Special protections are afforded to children’s personal data.

Privacy Notices for Children

Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.

Online Services Offered to Children

If you offer an “information society service” (i.e. online service) to children, you may need to obtain consent from a parent or guardian to process the child’s data. The GDPR states that if consent is your basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves, and instead consent is required from a person holding “parental responsibility” – but note that it does permit member states to provide for a lower age in law, if it is not below 13.

“Information society services” includes most internet services provided at the user’s request, normally for remuneration. The GDPR emphasizes that protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles.

Parental/guardian consent is not required where the processing is related to preventative or counseling services offered directly to a child.

Reference

Article 8 and Recital 38, 58, 71

Individuals’ Rights

The primary purpose for GDPR is to protect individual rights to privacy.

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

This part of the overview explains these rights.

The Right to Be Informed

Privacy notices are mandatory.

The right to be informed addresses your obligation to provide “fair processing information,” typically through a privacy notice. It emphasizes the need for transparency over how you use personal data.

The details for this right are extensive and prescriptive in the GDPR.

What information must be supplied?

The GDPR sets out the information that you should supply and when individuals should be informed.

The information you supply is determined by whether you obtained the personal data directly from individuals. See the table below for further information on this.

Much of the information you should supply is consistent with your current obligations under the DPA, but there is some further information you are explicitly required to provide.

The information you supply about the processing of personal data must be:

  • concise, transparent, intelligible, and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

The table below summarizes the information you should supply to individuals and at what stage.

What Information Must Be Supplied?Data Obtained Directly from the Data SubjectData Not Obtained Directly from Data Subject
Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officerXX
Purpose of the processing and the lawful basis for the processingXX
The legitimate interests of the controller or third party, where applicableXX
Categories of personal dataXX
Any recipient or categories of recipients of the personal dataXX
Details of transfers to third country and safeguardsXX
Retention period or criteria used to determine the retention periodXX
The existence of each of data subject’s rightsXX
The right to withdraw consent at any time, where relevantXX
The right to lodge a complaint with a supervisory authorityXX
The source the personal data originates from and whether it came from publicly accessible sourcesXX
Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal dataX
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.XX
When should the information be provided?At the time the data are obtained.Within a reasonable period of having obtained the data (within one month)

If the data are used to communicate with the individual, at the latest, when the first communication takes place; or

If disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

The Right of Access

Individuals have a right to access their data free of charge.

Under the GDPR, individuals will have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).

What is the purpose of the right of access under GDPR?

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing (Recital 63).

Can I charge a fee for dealing with a subject access request?

You must provide a copy of the information free of charge. However, you can charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive.

You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.

The fee must be based on the administrative cost of providing the information.

How long do I have to comply?

You will have less time to comply with a subject access request under the GDPR. Information must be provided without delay and at the latest within one month of receipt.

You will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

What if the request is manifestly unfounded or excessive?

Where requests are manifestly unfounded or excessive because they are repetitive, you can:

  • charge a reasonable fee considering the administrative costs of providing the information; or
  • refuse to respond.

Where you refuse to respond to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

How should the information be provided?

You must verify the identity of the person making the request, using “reasonable means.”

If the request is made electronically, you should provide the information in a commonly used electronic format.

The GDPR introduces a new best practice recommendation that, where possible, organizations should be able to provide remote access to a secure self-service system that would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organizations, but there are some sectors where this may work well.

The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.

What about requests for large amounts of personal data?

Where you process a large quantity of information about an individual, the GDPR permits you to ask the individual to specify the information the request relates to (Recital 63).

The GDPR does not introduce an exemption for requests that relate to large amounts of data, but you may be able to consider whether the request is manifestly unfounded or excessive

Reference

Article 12, 15 and Recital 63

The Right of Rectification

You must allow individuals the ability to correct their data; response time is one month.

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

How long do I have to comply with a request for rectification?

You must respond within one month.

This can be extended by two months where the request for rectification is complex. Where you are not taking action in response to a request for rectification, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.

Reference

Articles 12, 16 and 19

The Right to Erasure (The Right to Be Forgotten)

The right to erasure is also known as “the right to be forgotten.” The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

When does the right to erasure apply?

The right to erasure does not provide an absolute “right to be forgotten.” Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • When the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
  • The personal data must be erased to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

If the processing does cause damage or distress, this is likely to make the case for erasure stronger.

There are some specific circumstances where the right to erasure does not apply, and you can refuse to deal with a request.

When can I refuse to comply with a request for erasure?

The right to be forgotten has exceptions.

You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
  • for public health purposes in the public interest;
  • archiving purposes in the public interest, scientific research historical research or statistical purposes; or
  • the exercise or defense of legal claims.

How does the right to erasure apply to children’s personal data?

There are extra requirements when the request for erasure relates to children’s personal data, reflecting the GDPR emphasis on the enhanced protection of such information, especially in online environments.

If you process the personal data of children, you should pay special attention to existing situations where a child has given consent to processing, and they later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent (Recital 65).

Do I have to tell other organizations about the erasure of personal data?

If you have disclosed the personal data in question to third parties, you must inform them about the erasure of the personal data, unless it is impossible or involves a disproportionate effort to do so.

The GDPR reinforces the right to erasure by clarifying that organizations in the online environment who make personal data public should inform other organizations who process the personal data to erase links to, copies, or replication of the personal data in question.

While this might be challenging, if you process personal information online, for example on social networks, forums, or websites, you must endeavor to comply with these requirements.

As in the example below, there may be instances where organizations that process personal data may not be required to comply with this provision because an exemption applies.

Reference

Articles 17, 19 and Recitals 65 and 66

The Right to Restrict Processing

Individuals have a right to “block” or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in the future.

You can be ordered to stop processing personal data.

When does the right to restrict processing apply?

You will be required to restrict the processing of personal data in the following circumstances:

  • Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.
  • Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organization’s legitimate grounds override those of the individual.
  • When processing is unlawful, and the individual opposes erasure and requests restriction instead.
  • If you no longer need the personal data, but the individual requires the data to establish, exercise, or defend a legal claim.

You may need to review procedures to ensure you can determine where you may be required to restrict the processing of personal data. If you have disclosed the personal data in question to third parties, you must inform them about the restriction on the processing of the personal data, unless it is impossible or involves a disproportionate effort to do so.

You must inform individuals when you decide to lift a restriction on processing.

Reference

Articles 18, 19 and Recital 67

The Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy, or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

When does the right to data portability apply?

The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

How do I comply?

You must provide personal data in a form that can be used by other organizations; free of charge.

You must provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organizations to use the data.

The information must be provided free of charge.

If the individual requests it, you may be required to transmit the data directly to another organization if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organizations.

If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual.

How long do I have to comply?

You must respond without undue delay, and within one month.

This can be extended by two months where the request is complex, or you receive several requests. You must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where you are not taking action in response to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

Reference

Articles 12, 20 and Recital 68

The Right to Object

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics

How do I comply with the right to object?

If you process personal data for the performance of a legal task or your organization’s legitimate interests:
  • Individuals must have an objection on “grounds relating to his or her particular situation.”
  • You must stop processing the personal data unless:
  • you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defense of legal claims.
  • You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
  • This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.”
If you process personal data for direct marketing purposes:
  • You must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse.
  • You must deal with an objection to processing for direct marketing at any time and free of charge.
  • You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
  • This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.”
If you process personal data for research purposes:
  • Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.
  • If you are conducting research where the processing of personal data is necessary for the performance of a public interest task, you are not required to comply with an objection to the processing.
If your processing activities fall into any of the above categories and are carried out online:
  • You must offer a way for individuals to object online.

Reference

Articles 12, 21 and Recitals 69 and 70

Rights in Relation to Automated Decision-Making and Profiling

Human intervention must be included in certain decisions.

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.

When does the right apply?

Individuals have the right not to be subject to a decision when:

  • it is based on automated processing; and
  • it produces a legal effect or a similarly significant effect on the individual.

You must ensure that individuals can:

  • obtain human intervention;
  • express their point of view; and
  • obtain an explanation of the decision and challenge it.

Does the right apply to all automated decisions?

No. The right does not apply if the decision:

  • is necessary for entering or performance of a contract between you and the individual;
  • is authorized by law (e.g. for the purposes of fraud or tax evasion prevention); or
  • based on explicit consent. (Article 9(2)).

Furthermore, the right does not apply when a decision does not have a legal or similarly significant effect on someone.

What else does the GDPR say about profiling?

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyze or predict their:

  • performance at work;
  • economic situation;
  • health;
  • personal preferences;
  • reliability;
  • behavior;
  • location; or
  • movements.

When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place.

You must:

  • Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
  • Use appropriate mathematical or statistical procedures for the profiling.
  • Implement appropriate technical and organizational measures to enable inaccuracies to be corrected and minimize the risk of errors.
  • Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.

Automated decisions taken for the purposes listed in Article 9(2) must not:

  • concern a child; or
  • be based on the processing of special categories of data unless:
    • you have the explicit consent of the individual; or
    • the processing is necessary for reasons of substantial public interest based on EU/member state law. This must be proportionate to the aim pursued, respect the essence of the right to data protection, and provide suitable and specific measures to safeguard fundamental rights and the interests of the individual.

Reference

Articles 4(4), 9, 22 and Recitals 71, 72

Accountability and Governance

The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.

Well-defined roles and responsibilities and documentation are critical to demonstrating GDPR compliance.

What is the accountability principle?

The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

How can I demonstrate that I comply?

You must:

  • Implement appropriate technical and organizational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
  • Maintain relevant documentation on processing activities.
  • Where appropriate, appoint a data protection officer.
  • Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
    • Data minimization;
    • Pseudonymizing;
    • Transparency;
    • Allowing individuals to monitor processing; and
    • Creating and improving security features on an ongoing basis.
  • Use data protection impact assessments where appropriate.

You can also adhere to approved codes of conduct and/or certification schemes.

Records of Processing Activities (Documentation)

Different rules apply to organizations of fewer than 250 employees vs. organizations with more than 250 employees.

As well as your obligation to provide comprehensive, clear, and transparent privacy policies (see the section on individual rights), if your organization has more than 250 employees, you must maintain additional internal records of your processing activities.

If your organization has fewer than 250 employees you are required to maintain records of activities related to higher risk processing, such as:

  • processing personal data that could result in a risk to the rights and freedoms of the individual; or
  • processing of special categories of data or criminal convictions and offenses.

What do I need to record?

You must maintain internal records of processing activities. You must record the following information:

  • Name and details of your organization (and, where applicable, of other controllers, your representative, and data protection officer)
  • Purposes of the processing
  • Description of the categories of individuals and categories of personal data
  • Categories of recipients of personal data
  • Details of transfers to third countries including documentation of the transfer mechanism safeguards in place
  • Retention schedules
  • Description of technical and organizational security measures

You may be required to make these records available to the relevant supervisory authority for purposes of an investigation.

Reference

Article 30, Recital 82

Data Protection by Design and by Default

Under the GDPR, you have a general obligation to implement technical and organizational measures to show that you have considered and integrated data protection into your processing activities.

Reference

Article 25 and Recital 78

Data Protection Impact Assessments

Data protection impact assessments (DPIAs) (also known as privacy impact assessments, or PIAs) are tools which can help organizations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organizations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.

Data protection impact assessments are a critical component to GDPR compliance but can also be used to realize business benefits.

When do I need to conduct a DPIA?

You must carry out a DPIA when:

  • using new technologies; and
  • the processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes (but is not limited to):

  • systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals.
  • large-scale processing of special categories of data or personal data relation to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national, or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms e.g. based on the sensitivity of the processing activity.
  • large-scale, systematic monitoring of public areas (CCTV).

What information should the DPIA contain?

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security and to demonstrate that you comply.
  • A DPIA can address more than one project.

Reference

Articles 35, 36 and 83 and Recitals 84, 89-96

Data Protection Officer

A data protection officer (DPO) is an enterprise security leadership role required by the GDPR. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

When does a data protection officer need to be appointed under the GDPR?

Under the GDPR, you must appoint a data protection officer (DPO) if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large-scale systematic monitoring of individuals (for example, online behavior tracking); or
  • carry out large-scale processing of special categories of data or data relating to criminal convictions and offenses.

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, considering their structure and size.

Any organization can appoint a DPO. Regardless of whether the GDPR requires you to appoint a DPO, you must ensure that your organization has sufficient staff and skills to discharge your obligations under the GDPR.

What are the tasks of the DPO?

The DPO’s minimum tasks are defined in Article 39:

  • To inform and advise the organization and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).

What does the GDPR say about employer duties?

You must ensure that:

  • The DPO reports to the highest management level of your organization – i.e. board level.
  • The DPO operates independently and is not dismissed or penalized for performing their tasks.
  • Adequate resources are provided to enable DPOs to meet their GDPR obligations.

Can we allocate the role of DPO to an existing employee?

Yes. If the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.

The role of the Data Protection Officer can be contracted out to a third party.

You can also contract out the role of DPO externally.

Does the data protection officer need specific qualifications?

The GDPR does not specify the precise credentials a data protection officer is expected to have.

It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organization carries out, taking into consideration the level of protection the personal data requires.

Reference

Articles 37-39, 83 and Recital 97

Codes of Conduct and Certification Mechanisms

The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.

The specific needs of micro-, small-, and medium-sized enterprises must be considered.

Signing up to a code of conduct or certification scheme is not obligatory, but if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply.

Adhering to codes of conduct and certification schemes brings several benefits over and above demonstrating that you comply. It can:

  • improve transparency and accountability – enabling individuals to distinguish the organizations that meet the requirements of the law and they can trust with their personal data.
  • provide mitigation against enforcement action; and
  • improve standards by establishing best practice.

When contracting work to third parties, including processors, you may wish to consider whether they have signed up to codes of conduct or certification mechanisms.

Code of conduct and/or certification schemes are NOT mandatory.

Who is responsible for drawing up codes of conduct?

Governments and regulators can encourage the drawing up of codes of conduct.

Codes of conduct may be created by trade associations or representative bodies. Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99).

Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB). Existing codes can be amended or extended to comply with the requirements under the GDPR.

What will codes of conduct address?

Codes of conduct should help you comply with the law, and may cover topics such as:

  • fair and transparent processing;
  • legitimate interests pursued by controllers in specific contexts;
  • the collection of personal data; • the pseudonymizing of personal data;
  • the information provided to individuals and the exercise of individuals’ rights;
  • the information provided to and the protection of children (including mechanisms for obtaining parental consent);
  • technical and organizational measures, including data protection by design and by default and security measures;
  • breach notification;
  • data transfers outside the EU; or
  • dispute resolution procedures

Practical Implications

If you sign up to a code of conduct, you will be subject to mandatory monitoring by a body accredited by the supervisory authority.

If you infringe the requirements of the code of practice, you may be suspended or excluded and the supervisory authority will be informed. You also risk being subject to a fine of up to 10 million Euros or 2 percent of your global turnover.

Adherence to a code of conduct may serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine.

Who is responsible for certification mechanisms?

Member states, supervisory authorities, the EDPB or the Commission are required to encourage the establishment of certification mechanisms to enhance transparency and compliance with the Regulation.

Certification will be issued by supervisory authorities or accredited certification bodies.

What is the purpose of a certification mechanism?

A certification mechanism is a way of you demonstrating that you comply, in particular, showing that you are implementing technical and organizational measures.

A certification mechanism may also be established to demonstrate the existence of appropriate safeguards related to the adequacy of data transfers.

They are intended to allow individuals to quickly assess the level of data protection of a particular product or service.

Practical Implications

Certification does not reduce your data protection responsibilities.

You must provide all the necessary information and access to your processing activities to the certification body to enable it to conduct the certification procedure.

Any certification will be valid for a maximum of three years. It can be withdrawn if you no longer meet the requirements of the certification, and the supervisory authority will be notified.

If you fail to adhere to the standards of the certification scheme, you risk being subject to an administrative fine of up to 10 million Euros or 2 percent of your global turnover.

Reference

Articles 40-43, 83 and Recitals 98, 99,100, 148, 150, 151

Breach Notification

The GDPR will introduce a duty on all organizations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.

What is a personal data breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

FRSecure’s definition of information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical, and technical controls.

What breaches do I need to notify the relevant supervisory authority about?

You must notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.

This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.

When do individuals have to be notified?

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.

A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.

What information must a breach notification contain?

  • The nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned;
  • The name and contact details of the data protection officer (if your organization has one) or other contact points where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

How do I notify a breach?

A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of it. The GDPR recognizes that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases.

If the breach is sufficiently serious to warrant notification to the public, the organization responsible must do so without undue delay.

A detailed incident response plan is critical for business and GPDR compliance.

Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover.

What should I do to prepare for breach reporting?

You should make sure that your staff understands what constitutes a data breach and that this is more than a loss of personal data.

You should ensure that you have an internal breach reporting procedure in place. This will facilitate decisionmaking about whether you need to notify the relevant supervisory authority or the public.

Considering the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place.

Reference

Articles 33, 34, 83 and Recitals 85, 87, 88

Transfer of Data

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organizations, to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

When can personal data be transferred outside the European Union?

Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.

All personal data transfers outside of the EU must meet specific requirements.

Transfers Based on a Commission Decision

Transfers may be made where the Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organization ensures an adequate level of protection.

Reference

Article 45 and Recitals 103-107 & 169

Transfers Subject to Appropriate Safeguards

You may transfer personal data where the organization receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.

Adequate safeguards may be provided for by:

  • a legally binding agreement between public authorities or bodies;
  • binding corporate rules (agreements governing transfers made between organizations within in a corporate group);
  • standard data protection clauses in the form of template transfer clauses adopted by the Commission;
  • standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
  • compliance with an approved code of conduct approved by a supervisory authority;
  • certification under an approved certification mechanism as provided for in the GDPR;
  • contractual clauses agreed authorized by the competent supervisory authority; or
  • provisions inserted in to administrative arrangements between public authorities or bodies authorized by the competent supervisory authority.

Reference

Article 46 and Recitals 108-10 & 114

The GDPR limits your ability to transfer personal data outside the EU where this is based only on your own assessment of the adequacy of the protection afforded to the personal data.

Authorizations of transfers made by Member States or supervisory authorities and decisions of the Commission regarding adequate safeguards made under the Directive will remain valid/remain in force until amended, replaced or repealed.

The GDPR provides derogations (or exceptions) from the general prohibition on transfers of personal data outside the EU for certain specific situations. A transfer, or set of transfers, may be made where the transfer is:

  • made with the individual’s informed consent;
  • necessary for the performance of a contract between the individual and the organization or for precontractual steps taken at the individual’s request;
  • necessary for the performance of a contract made in the interests of the individual between the controller and another person;
  • necessary for important reasons of public interest;
  • necessary for the establishment, exercise or defense of legal claims;
  • necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
  • made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register). The first three derogations are not available for the activities of public authorities in the exercise of their public powers.

Reference

Article 49 and recitals 111 & 112

What about one-off (or infrequent) transfers of personal data concerning only relatively few individuals?

Even where there is no Commission decision authorizing transfers to the country in question, if it is not possible to demonstrate that individual’s rights are protected by adequate safeguards and none of the derogations apply, the GDPR provides that personal data may still be transferred outside the EU. However, such transfers are permitted only where the transfer:

  • is not being made by a public authority in the exercise of its public powers;
  • is not repetitive (similar transfers are not made on a regular basis);
  • involves data related to only a limited number of individuals;
  • is necessary for the purposes of the compelling legitimate interests of the organization (provided such interests are not overridden by the interests of the individual); and
  • is made subject to suitable safeguards put in place by the organization (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data.

In these cases, organizations are obliged to inform the relevant supervisory authority of the transfer and provide additional information to individuals.

Reference

Article 49 and Recitals 113

National Derogations (or Exemptions)

What derogations does the GDPR permit?

Article 23 enables Member States to introduce derogations to the GDPR in certain situations. Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights, but only where the restriction respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

  • • national security;
  • defense;
  • public security;
  • the prevention, investigation, detection or prosecution of criminal offenses;
  • other important public interests, in particular, economic or financial interests, including budgetary and taxation matters, public health and security;
  • the protection of judicial independence and proceedings;
  • breaches of ethics in regulated professions;
  • monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defense, other important public interests or crime/ethics prevention;
  • the protection of the individual, or the rights and freedoms of others; or
  • the enforcement of civil law matters.

Other Member State Derogations or Exemptions

Chapter IX provides that Member States can provide exemptions, derogations, conditions or rules in relation to specific processing activities. These include processing that relates to:

  • freedom of expression and freedom of information;
  • public access to official documents;
  • national identification numbers;
  • processing of employee data;
  • processing for archiving purposes and for scientific or historical research and statistical purposes;
  • secrecy obligations; and
  • churches and religious associations.

Reference

Articles 6(2), 6(3), 9(2)(a), 23 and 85-91 and Recitals 71, 50, 53, 153-165