The General Data Protection Regulation (GDPR) is the world’s most stringent privacy and security legislation. Although it was drafted and adopted by the European Union (EU), it imposes requirements on organizations worldwide that target or gather data from EU citizens. The regulation became effective on May 25, 2018. The GDPR imposes severe sanctions on anyone who disregards its privacy and protection requirements, with fines potentially running into millions of euros.
The GDPR was created to reflect Europe’s commitment to data protection and privacy at a time when more individuals willingly give their personal details to cloud providers. Alongside that willingness, data breaches occur on a regular basis. GDPR enforcement is an intimidating prospect, especially for small and medium-sized businesses, because of the regulation’s scale, breadth, and relative vagueness: the GDPR was intended to be a framework policy rather than an administrative guide.
The provisions are consistent across all twenty-seven EU member states, which means that businesses in the EU must adhere to a single piece of legislation. Note that the EU GDPR is an EU Regulation and no longer applies to the UK; entities operating inside the UK must comply with UK data protection law.
[1.0] HISTORY OF THE GDPR
The right to privacy is enshrined in the 1950 European Convention on Human Rights, which specifies that ‘everyone has the right to protection for his or her private and personal life, his or her residence, and his or her correspondence.’ The European Union has sought to preserve this right through legislation built on this principle.
The EU acknowledged the need for new protections as technology advanced and the Internet expanded in its breadth. Thus, in 1995, it enacted the European Data Protection Directive, which established minimum data privacy and security requirements on which member states based their own implementing legislation. The turning point at which the EU recognized the need for a comprehensive regulation on internet privacy came in 2011, after a Google user filed a lawsuit against the corporation over the collection of information from her emails. Two months later, Europe’s data protection authority announced that the EU needed a ‘comprehensive approach to personal data protection,’ and work on updating the 1995 directive began.
The GDPR was approved by the European Parliament in 2016, and all organizations were obliged to comply by May 25, 2018. The GDPR mandates that EU visitors be given the requisite disclosures and that the website itself take steps to protect consumer rights in the event that personal data is breached. These requirements are far-ranging in scope, though they may begin with a breach notification made within the requisite timeline.
[2.0] HOW DOES THE GDPR ENFORCE SECURITY REGULATIONS?
The foremost point for entities that process the personal data of EU citizens or residents, or that sell products or services to those individuals, is that the GDPR applies regardless of where the entity is located. Additionally, the GDPR’s penalties are very heavy. There are two levels of fines, the maximum of which is EUR twenty million or 4% of global sales, whichever is greater, and data subjects also have the ability to claim damages.
Personal data is at the core of the GDPR. In broad terms, this is data that allows a living individual to be identified, directly or indirectly, including through publicly accessible data. This may be something instantly recognizable, such as a person’s name, location information, or a readily identifiable online username, or it could be something less immediate, such as an IP address or a cookie identifier. Personal data is any material that relates to an identifiable person, either directly or indirectly. Naturally, names and email addresses are personal data. Personal data can also include location details, racial origin, gender, biometric data, religious views, web cookies, and political opinions. Pseudonymous data can also count as personal data where it remains fairly simple to identify a person from it.
The defining test is whether an individual can be identified, which is why pseudonymized data may also be considered personal data. Personal data is central to the GDPR because the regulation covers the people, organizations, and businesses that are either ‘controllers’ or ‘processors’ of it. The person whose data is processed is called the data subject, typically a customer or site visitor.
[2.1] DATA PROTECTION PRINCIPLES
At the heart of the GDPR are seven fundamental principles, set out in Article 5, that serve as a template for how individuals’ data may be treated. They are not rigid rules but an overarching structure that lays out the GDPR’s broad objectives. The principles are virtually identical to those in previous data protection legislation.
The GDPR enumerates seven protection and accountability principles:
[A.] lawfulness, fairness and transparency;
[B.] purpose limitation, so that data is processed only for legitimate purposes that have been explicitly set out to the data subject;
[C.] data minimization, so that data is collected and processed only where absolutely necessary for the specified purposes;
[D.] accuracy, so that personal data is kept up to date;
[E.] storage limitation, so that personally identifying data is stored only for as long as necessary for the specified purpose;
[F.] integrity, confidentiality and security; and
[G.] accountability of the data controller, who must be able to demonstrate GDPR compliance with all of these principles.
Data storage limitation has quickly become an important aspect of data protection. Organizations should not collect more personal information than they need from their users, and what is collected must be kept in check so that the kinds of data obtained from people can be kept secure.
Personal data must be protected against ‘unauthorized or unlawful processing,’ as well as accidental loss, destruction, or damage. In short, it is exceedingly important for the organization to put adequate security protections in place. This means that appropriate information security controls must ensure that information is not accessed by hackers or accidentally leaked as part of a data breach.
The GDPR does not say what good security practices look like, since they differ for every organization. Although the GDPR imposes the most severe penalties on data controllers and processors, the law is intended to better preserve individuals’ rights, and it guarantees those rights. This means that individuals must be granted easier access to the data that businesses keep about them, and that this data must be erased under some circumstances.
In full, the GDPR grants individuals the following rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights around automated decision making and profiling.
[3.0] ACCOUNTABILITY IN THE GDPR
Under the GDPR, data controllers must be able to show compliance with the regulation. This is not something an entity can do retrospectively: if an entity believes it is GDPR compliant but cannot demonstrate it, it is not considered compliant. Consequently, firms have adopted several ways to demonstrate compliance, including:
[A.] assigning responsibility for data protection to members of staff;
[B.] keeping accurate records of the data they receive, how it is used, where it is kept, and which individual is accountable for it; and
[C.] securing the company by training employees and implementing strategic and internal protection measures.
Compliance can also be demonstrated by having Data Processing Agreements in place with third parties that handle data on the corporation’s behalf, or by designating a Data Protection Officer.
[3.1] DATA SECURITY
The organization is expected to protect data by enforcing adequate technical and organizational safeguards. Technical safeguards range from requiring staff to use two-factor authentication on accounts that hold personal data to partnering with cloud service providers that use end-to-end encryption.
Organizational steps include conducting employee training, including a data protection policy in the employee handbook, and restricting access to sensitive data to only those workers who need it. If a data leak occurs, companies have seventy-two hours to notify affected individuals or risk fines. Some entities may be exempt from this notice provision if they use technical protections, such as encryption, that make the data worthless to an attacker.
[3.2] WHEN CAN DATA BE PROCESSED
Article 6 sets out the circumstances in which it is permissible to process personal data. The principal circumstances are when the data subject has expressly and unambiguously consented to the processing of their data, or when processing is required for the performance of a contract to which the data subject is a party, or in preparation for such a contract. Data may also be processed where processing is required to comply with a legal duty placed on the entity or to protect an individual’s vital interests. Processing is also acceptable to carry out a task in the public interest or in the exercise of official authority, or where there is a legitimate reason for processing another person’s personal details.
Consent should be expressed through a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data. This indication can come from a written statement, including by electronic means, or an oral statement. It could involve ticking a box on a website, choosing technical settings for information society services, or any other statement or conduct that clearly demonstrates the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes, or inactivity therefore cannot be interpreted as consent.
Consent should cover all processing activities carried out for the same purpose or purposes. When processing is carried out for several purposes, consent should be obtained for each of them. If consent is to be given electronically in response to a request, the request must be clear, concise, and not unnecessarily disruptive to the data subject’s use of the service. Consent must be ‘freely given, specific, informed and unambiguous.’ Data subjects can withdraw previously given consent whenever they want.
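The consent rules described above translate directly into a data model an engineering team has to get right. The following is an added example, not code from the original article: a minimal consent ledger that records consent per purpose, refuses anything that is not an affirmative act (pre-ticked boxes, silence, inactivity), and honours withdrawal from the moment it is made. The evidence labels, subject ids and purposes are constructed for the example.

```python
# Added example (not from the original article): a consent ledger enforcing
# per-purpose consent, affirmative-act evidence, and withdrawal at any time.
# Evidence labels, subject ids and purposes below are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Evidence types that count as a clear affirmative act (assumed labels).
AFFIRMATIVE_ACTS = {"ticked_box", "signed_form", "oral_statement", "settings_choice"}
# Things that are never consent, however they end up in a form submission.
NOT_CONSENT = {"pre_ticked_box", "silence", "inactivity"}


@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    evidence: str
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        """True if consent had been given and not yet withdrawn at `when`."""
        if when < self.given_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


class ConsentLedger:
    def __init__(self) -> None:
        # subject id -> one record per purpose per grant
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_consent(self, subject: str, purpose: str, evidence: str, when: datetime) -> None:
        """Store consent for exactly one purpose; reject non-affirmative evidence."""
        if evidence in NOT_CONSENT:
            raise ValueError(f"{evidence!r} is not a valid indication of consent")
        if evidence not in AFFIRMATIVE_ACTS:
            raise ValueError(f"unknown evidence type {evidence!r}")
        self._records.setdefault(subject, []).append(
            ConsentRecord(purpose=purpose, given_at=when, evidence=evidence)
        )

    def withdraw(self, subject: str, purpose: str, when: datetime) -> bool:
        """Withdraw consent for one purpose; consent for other purposes is untouched."""
        changed = False
        for rec in self._records.get(subject, []):
            if rec.purpose == purpose and rec.active_at(when):
                rec.withdrawn_at = when
                changed = True
        return changed

    def has_consent(self, subject: str, purpose: str, when: datetime) -> bool:
        """Consent is per purpose: consent to one purpose never implies another."""
        return any(
            r.purpose == purpose and r.active_at(when)
            for r in self._records.get(subject, [])
        )


def demo() -> Dict[str, bool]:
    """Walk through the cases the GDPR text calls out and return the outcomes."""
    t0 = datetime(2021, 6, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_consent("subject-42", "newsletter", "ticked_box", t0)
    out: Dict[str, bool] = {}
    out["newsletter_ok"] = ledger.has_consent("subject-42", "newsletter", t0 + timedelta(days=1))
    # No bundling: consent to the newsletter says nothing about profiling.
    out["profiling_implied"] = ledger.has_consent("subject-42", "profiling", t0 + timedelta(days=1))
    # A pre-ticked box is rejected outright rather than stored as consent.
    try:
        ledger.record_consent("subject-42", "profiling", "pre_ticked_box", t0)
        out["pre_ticked_rejected"] = False
    except ValueError:
        out["pre_ticked_rejected"] = True
    # Withdrawal takes effect from the moment it is made, not retroactively.
    ledger.withdraw("subject-42", "newsletter", t0 + timedelta(days=10))
    out["before_withdrawal_still_valid"] = ledger.has_consent("subject-42", "newsletter", t0 + timedelta(days=5))
    out["after_withdrawal"] = ledger.has_consent("subject-42", "newsletter", t0 + timedelta(days=11))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design choices matter here. Consent is never a single boolean on the user record; it is one entry per purpose with its own evidence and timestamps, so a processing job can ask `has_consent(subject, purpose, now)` and the answer for one purpose cannot leak into another. And withdrawal is recorded as a timestamp rather than by deleting the record, so the ledger remains usable as evidence that processing before the withdrawal was lawful.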
[4.0] DATA PROTECTION OFFICERS
Not every data controller or processor needs to appoint a Data Protection Officer (DPO). Appointment of a DPO is required under three conditions, where the entity is either [A.] a public authority other than a court acting in a judicial capacity, [B.] an organization whose core activities require it to monitor people systematically and regularly on a large scale, or [C.] an organization whose core activities consist of large-scale processing of the special categories of data listed in Article 9 of the GDPR or of data relating to criminal convictions and offenses under Article 10. An entity may, however, voluntarily designate a DPO when it is not obliged to.
[4.1] WHO IS RESPONSIBLE FOR COMPLIANCE
The GDPR establishes three positions accountable for compliance: the data controller, the data processor, and the data protection officer (DPO). The data controller determines how personal data is collected and for what purposes it is processed. The controller is also responsible for ensuring that outside vendors adhere to the rules.
Data processors may be internal groups responsible for maintaining and processing personal data, or third-party firms that carry out all or part of those functions. Processors are held responsible for data breaches and non-compliance under the GDPR. It is therefore likely that both the business and a processing party, such as a cloud service, would be liable for damages, even where the processing partner alone is at fault.
The GDPR requires both the controller and the processor to appoint a data protection officer (DPO) to oversee their data management strategy and GDPR compliance. A DPO is required where a business processes or stores a significant volume of EU citizen data, processes or stores special categories of personal data, monitors data subjects on a regular basis, or is a public authority. Certain government agencies, such as law enforcement, may be excluded from the DPO provision.
[4.2] THE GDPR AND THIRD-PARTY AND CUSTOMER CONTRACTS
The GDPR holds data controllers (the company that controls the data) and data processors (outside organizations that help manage that data) equally liable. A non-compliant third-party processor makes the company itself non-compliant. The law also sets stringent monitoring requirements that everyone in the chain must adhere to, and organizations must inform consumers of their GDPR rights.
This means that all current arrangements with processors, such as cloud suppliers or payroll service providers, and with consumers must clearly define roles and obligations. New contracts should also specify transparent procedures for data management and protection, as well as how violations are reported.
A large number of providers, comprising the third-party suppliers and purchasing partners that handle data on the entity’s behalf, have access to this personal data, and the GDPR makes it very plain that the entity must guarantee that all of those external parties comply with the GDPR and process the data appropriately.
Client contracts must also incorporate the legislative changes relevant to the contract, since such contracts take a variety of forms, from internet click-throughs to structured arrangements in which clients consent to certain ways of viewing, accessing, and processing data.
Before revising such contracts, the organization must consider how data is handled and settle on a compliant monitoring mechanism. Technology owners undertake a significant exercise to determine what data belongs within the organization, where it is retained or processed, and where it is exported beyond the organization. Once they grasp the data flows and their effect on the enterprise, the entity can begin identifying the suppliers that deserve the greatest emphasis, both from an information management standpoint and in terms of how those partnerships are handled and memorialized in the contract itself.
The GDPR has altered the way companies and protection teams view information. Given the GDPR’s formal consent requirement and companies’ increased granularity in their understanding of data and data flows, there is also a whole new class of liabilities associated with data accumulation. Consent must be legitimate, freely given, specific, informed, and unambiguous, as the GDPR describes it. Securing lawful consent has proven difficult, however, owing to a lack of enforceability. Facebook and its subsidiaries WhatsApp and Instagram, as well as Google LLC (over Android), were sued immediately for their use of ‘forced approval.’ It is a somewhat different mindset for legal enforcement, but especially for the way the company views the accumulation and use of data, and for technology teams and their approach to data management.