In this digital age, people - willingly or not - are sharing more and more of their personal information and dealing with the consequences. A strict law has always been a requirement to protect the privacy and rights of the people. The arrival of GDPR, therefore, was a turning point for the EU member states.
General Data Protection Regulation (GDPR) is a data protection regulation introduced by the Information Commissioner’s Office (ICO) in the European Union (EU) in April 2016 and came into effect on 25 May 2018. It replaces the Data Protection Directive (DPA) of 1995 and sets out regulations for data protection of people in EU member states that spans 88 pages and includes 99 Articles and 173 Recitals. The law applies to all bodies, regardless of their location, that deal with the user data of EU residents. For example, even if a website is not based in the EU but has visitors from the EU member states, it must take the necessary steps to become GDPR compliant.
This article aims to breakdown GDPR, its key features and requirements, and what it means for the organizations and individuals.
Before discussing the Regulation in detail, let’s acquaint with some of the commonly used terms related to the GDPR.
“Data Subject” (Individual/User) means a natural person who can be identified by their personal data.
“Personal Data” refers to any information that is used to identify a data subject, alone or with other data, e.g., name, age, phone number, bank details, email, login credentials, IP addresses, location, identification numbers, etc. It also includes ‘sensitive’ data such as information about data subject’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation
“Controller” is any natural person, organization, legal body, or pubic authority that, alone or with joint control (known as Joint Controller), decides why and how to process the personal data.
“Processor” is any natural person, organization, legal body, or pubic authority that processes the data on behalf of the controller.
“Processing” is any set of operations performed on personal data, e.g., auditing, recording, transmitting, storing, collecting, erasing, modifying, profiling, etc.
“Supervisory Authority” is a public authority from the member state who monitors the exercise of data protection regulation to protect the rights and freedom of the data subjects.
“Pseudonymisation” is a technique of data processing in a manner that the personal data can no longer be associated with a data subject without the use of additional data. The additional data is kept separately from the pseudonymized data.
To comply with the GDPR standards, the data controllers should strictly adhere to the following principles as established by the ICO:
- Lawfulness, fairness, and transparency – Personal data should be processed lawfully, fairly, and transparently.
- Purpose limitation – Data collected should only be processed for the intended purpose.
- Data minimisation – Only the data required for the intended use should be collected.
- Accuracy – Data collected should be accurate and kept up to date. Inaccurate data should be erased or rectified without any delay.
- Storage limitation – Data should not be kept longer than the specified retention period.
- Integrity and confidentiality (security) – Data collected should be kept and processed safely.
- Accountability – The data controller should be able to justify that they are complying with the GDPR standards.
Consent is one of the most critical parts of the GDPR standards. The regulation establishes that the controller cannot process the personal data without the data subject’s consent (except in specific circumstances). It puts the data subjects in charge and control of how and what personal data should be processed. Consent must be a) freely given, b) specific, c) informed, and d) and unambiguous. Freely given indicates free and valid choice without any undue pressure put upon the data subject. It should be as easy to withdraw the consent as it was to give it. Specific consent means the controller should specify the exact purpose behind the data collection. The controllers must inform the data subjects of why and how their data will be used by the controller using plain and clear language. Consent must be unambiguous and explicit, and the data processing should be done within the limit of the intended purpose.
In case of seeking consent from children, the controllers should make sure they meet the age requirement; otherwise, obtain parental consent.
The specific circumstances under which the controllers might not require consent are:
- Contractual basis
- Legal obligation basis
- Vital interests of the data subject
- A public task
- Legitimate interests basis
If a breach is known to have occurred, the regulation mandates that the controllers and processors should notify the supervisory authority (of the respective EU member states) within 72 hours. If the breach poses a high risk to the rights and freedom of the data subjects, they must also inform the affected data subjects about it and advise an action plan. The controllers must have in place a reliable and effective process to tackle such scenarios.
If the breach does not result in any risk to the data subjects’ rights and freedom, the controllers need not have to report it to the authority. ICO’s website provides a self-assessment to decide if the breach is risky enough to be notified.
Data Subject Rights
Data subjects can exercise the following rights, and the controllers should inform them of the same:
- Right to be informed – Data subjects should be informed about why, by whom, and how their data will be processed, and the intended purpose and source from where they collected the data.
- Right of access – Data subjects have the right to access their data as well as request a free electronic copy of the same.
- Right to rectification – Data subjects can ask the data controllers to rectify their inaccurate or outdated data without delay.
- Right to erasure (Right to be forgotten) – Data subjects can ask for the deletion of their data in case of withdrawal of consent, inaccuracy, unlawful processing, legal disputes, or expiration of the retention period.
- Right to restriction of processing – Data subjects can ask for restricting the processing of their data in case of withdrawal of consent, inaccuracy, unlawful processing, legal disputes, or expiration of retention period.
- Right to data portability – Data subjects have the right to ask their data to be transferred back to them or another controller in a commonly used and machine-readable format.
- Right to object – Data subjects can object to the processing of their data in case of withdrawal of consent, inaccuracy, unlawful processing, legal disputes, or expiration of retention period.
- Automated individual decision-making, including profiling – Data subjects can ask to use manual methods instead of automated machines to process their data.
The data controllers should respond to the data subjects as quickly as possible, i.e., no later than one calendar month from the day they receive the request. In case the controllers need additional information, the calendar month starts from the day they receive it. In case of complex or multiple requests, the controllers can take a maximum of three calendar months to respond.
The data controllers may refuse to comply with a request if it is:
a) manifestly unfounded; or
Manifestly unfounded requests are those where the data subject offers to withdraw the request in exchange of a favor from the controller; or when it intends to harass the controller or its employee(s) or to cause disruption.
Excessive requests are repeated requests (without legitimate reasons) or overlapped requests relating to the same set of data.
However, this depends on the context of the request.
GDPR Penalties and fines
Failure to comply with GDPR will result in hefty fines or strict actions, depending on the violation. Severe violation will subject to 4% of annual global turnover or €20 million - whichever is higher. Less severe violation will subject to 2% of annual global turnover or €10 million – whichever is higher. Other actions include written warning, temporary or permanent ban, data deletion, and restriction on data transfers. Ultimately this leads to a loss in trust and reputation.
In September 2018, British Airways reported ICO of a breach of personal data of approximately 500, 000 of its users. The breach involved theft of user data, including names, addresses, credit card details, and booking details of passengers after being diverted to a fraudulent website. Even though British Airways reported the incident, ICO found in its investigation that the poor security management caused the leak, and in July 2019, they were fined with a whopping £183.39 million. Therefore, reporting an incident is not enough; proper care is necessary to avoid such scenarios.
Data Protection Impact Assessment (DPIA)
As per the GDPR, the controllers and processors must conduct a Data Protection Impact Assessment (DPIA) before processing the data where there is a high risk to the rights and freedom of data subjects. DPIA is followed through by studying the nature of data collected, its purpose, and identifying the risk scenarios, its impact, and how to mitigate them. It is a safe practice to document all these steps for an efficient assessment.
Data Protection Officer
The GDPR establishes that the controllers and the processors must appoint a Data Protection Officer (DPO) to monitor the implementation of data protection regulation, if they deal with large-scale processing of data, especially the sensitive data. This person could be an employee of the controller or an independent authority. The DPO should have the necessary knowledge about the data protection regulation and should be able to guide the controllers and the processors and should be the point of contact for the supervisory authority and the data subject.
Privacy by Design Under GDPR
Privacy by Design (PbD) means protecting data through technology at the inception of the processing. It encompasses a) IT systems; b) accountable business practices; and c) physical design and networked infrastructure. Embed privacy and security in every step of the system design. Perhaps it will be more insightful to look at the seven foundation principles of Privacy by Design proposed by Ann Cavoukian, the former Information & Privacy Commissioner of Ontario, Canada.
- Proactive not Reactive; Preventative not Remedial: it merely states that PbD aims to take all preventive measures to deal with privacy violations before they happen.
- Privacy as the Default Setting: the users need not take any preventive measures to protect their data as privacy and security are already embedded in the system by default.
- Privacy Embedded into Design: privacy and security are embedded in the design and thus becomes an integral part of the system.
- Full Functionality — Positive-Sum, not Zero-Sum: Privacy does not have to compete with other legitimate interests, design objectives, and technical capabilities, and done in a way to achieve full functionality of the system.
- End-to-End Security — Full Lifecycle Protection: Ensure security throughout the lifecycle of the personal data. It includes methods of secure destruction, appropriate encryption, and robust access control and logging methods.
- Visibility and Transparency — Keep it Open: The processing should remain visible and transparent and per the regulation in place. The controllers should be accountable and verify the procedures are compliant with the privacy policies.
- Respect for User Privacy — Keep it User-Centric: Users’ privacy must be the top priority. It can be made sure by
a) obtaining explicit consent from them;
b) keeping up to date and accurate data;
c) allowing access to personal data;
d) informing the users of their rights; and
e) complying with privacy protection regulations.
This principle also proposes for user-friendly options in the system.
Website Form for GDPR Compliance
A website form is an interactive page on a website that allows users to enter their information for processing. Web forms are used for contact points, surveys, online payment, marketing, etc. Since these forms collect personal data, the website owners (the data controllers) must ensure they are GDPR compliant. Here are some of the checklists for the same:
- GDPR Principles – Adhere to all the GDPR principles
- Data Mapping – All information about the data must be documented and ready to be submitted if requested. Article 13 of the GDPR lays out the information to be provided where personal data are collected from the data subject, e.g., the contact details of the controllers and the DPO, the nature and purpose of processing, the rights, etc.
- Consent – get affirmative consent from the data subjects before processing their data. Tick boxes are an effective way to do that. Data subjects can opt-in or opt-out of web services using them. There should be separate tick boxes for different consents. If data subjects opt-out, do not process their data. For example, in email marketing, the website owner must not send any emails to data subjects who have opted out of it. Consent withdrawal should be allowed at any time the data subject deems right.
- Rights of data subjects – respect and protect the rights of data subjects and cater to their requests without any undue delay. The controllers must make the data subjects aware of their rights.
- Security – adopt the PbD approach to secure personal data. Data masking techniques, such as pseudonymization and encryption, must be applied to process data entered in the form field. Pseudonymization means replacing one or more personally identifiable data in the form field with artificial identifiers. It may obstruct any violation of unique information linked to a data subject. Data entered in the form field may be encrypted using mathematical techniques to provide end-to-end security
Cookies and ePrivacy Directive
Cookies are small text files that are stored in a user’s computer when they visit a website. It is used to track the user activity on the site, among other things. Different types of cookies serve a different purpose:
First-party cookies –These are placed on the user’s system directly by the website
Third-party cookies – These are set by a third-party, and it is commonly used for advertising
Session cookies – This type of cookies expires once the user’s session on a website expires
Persistent cookies (functionality cookies) – this type of cookies remain in the user’s system unless they delete it, or the site does. They usually have expiration dates coded in.
Strictly necessary cookies – this type of cookies is essential for the users to use certain features of a website such as remembering past activity in the site or holding items in shopping cart
The GDPR mentions cookie once in Recital 30:
"1Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers […]. 2This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
That means that the data collected by the cookies may identify a data subject if combined with other identifiers.
Cookies, in general, are harmless and very useful. However, they can also result in few GDPR violations if not assessed properly. The ePrivacy Directive (ePD), also known as EU Cookie Law, plays a significant role here. ePD, passed in 2002 and amended in 2009, addresses the confidentiality of communication in the digital age and the rules related to tracking and monitoring. ePD still exists and goes hand in hand with the GDPR. Hence, to comply with the law, the website owner must:
- seek consent from the user to use any cookie except the strictly necessary cookies;
- document the consent obtained;
- state the cookie terms in clear and understandable language;
- disclose how and for what the data will be used for and to whom it will be shared with;
- make it as easy to withdraw the consent as it was to give it;
- not restrict access to other website features except the ones for which the user has denied consent.
Every user who uses the internet must have come across small pop-ups that appear when they visit a website. Those pop-ups are called Cookie Banners. Their objective is to inform and seek consent from the user about the cookies the site will use. Cookie banner has thus become a vital and must-do part. It should be exercised by the website owners to achieve a GDPR compliant website.
Cookie banners can be of different types depending on the kind of cookies the site is using and to fulfill the GDPR compliance:
- Banners for strictly necessary cookies that provides all information about the cookies the website will apply.
On 1 October 2019, the Court of Justice of the European Union (CJEU) issued a press release of its decision on consent for cookies that
a) pre-ticked boxes are not valid consent;
b) the users must be informed about the duration of the operation of cookies and if any third-party can access them.
In short, while designing cookie banners, code in options for the users to have more control over the cookies and provide all the necessary information.
It is safe to say that for a website to be GDPR compliant (check out this checklist), the owners must aim at being pro-data subjects. It is the most fundamental approach to protecting the digital life of people, and more amendments to the data protection regulations can be expected in the future.
Disclaimer: This article does NOT represent any legal advice. The purpose of this article is to provide general information only. For any legal advice, please contact a lawyer specialized in GDPR.