Understanding General Data Protection Regulation (GDPR)

For Everyone Who Hates Reading Law!

Prabath Siriwardena
FACILELOGIN
Aug 7, 2017


Loved reading the book, Understanding Privacy by Daniel J. Solove (Harvard University Press), a couple of weeks back on a flight from Colombo (Sri Lanka) to San Francisco. The book is almost a decade old, published in 2008 prior to GDPR, but still one of the best on the subject. Once I started writing this blog post, I was wondering how the intro would be. Could never take my mind off Daniel J. Solove’s text. Here it goes: I copy a few paragraphs from his book, which cover the path to GDPR.

Privacy is a Fundamental Human Right

Privacy is an issue of profound importance around the world. In nearly every nation, numerous statutes, constitutional rights, and judicial decisions seek to protect privacy. In the constitutional law of countries around the globe, privacy is enshrined as a fundamental right. Although the U.S. Constitution does not explicitly mention the word “privacy,” it safeguards the sanctity of the home and the confidentiality of communications from government intrusion.

Beyond the United States, the vast majority of nations protect privacy in their constitutions. For example, Brazil proclaims that “the privacy, private life, honor and image of people are inviolable”; South Africa declares that “everyone has the right to privacy”; and South Korea announces that “the privacy of no citizen shall be infringed.” When privacy is not directly mentioned in constitutions, the courts of many countries have recognized implicit constitutional rights to privacy, such as Canada, France, Germany, Japan, and India.

Thousands of laws protect privacy around the world. Multinational privacy guidelines, directives, and frameworks have influenced the passage of privacy laws in a vast number of nations. In 1980, the Organization for Economic Cooperation and Development (OECD) issued its Privacy Guidelines. In 1995, the European Union’s Directive on Data Protection specified fundamental principles for privacy protection in Europe. The Asia-Pacific Economic Cooperation (APEC), with over twenty member nations, set forth a Privacy Framework in 2004. Numerous countries have enacted extensive privacy protections, such as Canada’s Personal Information Protection and Electronic Documents Act of 2000, Japan’s Personal Information Protection Law of 2003, Australia’s Privacy Act of 1988, and Argentina’s Law for the Protection of Personal Data of 2000, to name just a few. In the United States, hundreds of laws at state and federal levels protect privacy. Since 1970, the U.S. Congress has passed several dozen statutes to protect the privacy of government records, student records, financial information, electronic communications, video rental data, and drivers’ records, among other things.

Privacy is recognized as a fundamental human right. According to the United Nations Universal Declaration of Human Rights of 1948, “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation.” The European Convention of Human Rights of 1950 provides that “everyone has the right to respect for his private and family life, his home and his correspondence.” Thus there appears to be worldwide consensus about the importance of privacy and the need for its protection.

GDPR Overview

The EU General Data Protection Regulation (GDPR) is Regulation 2016/679 of the European Parliament and of the Council. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens (and residents), and to reshape the way organizations across the region approach data privacy. Commonly known as GDPR, it was passed as a regulation on 27th April 2016 and will be effective from 25th May 2018. GDPR became quite prominent due to the heavy penalties it introduces for violators, which could be as much as 4% of the annual global turnover or €20 Million (whichever is greater).

If you are interested in reading the full GDPR regulation (88 pages) yourself, it’s available here (reference 1 below). You do not need to be a lawyer to understand it, but of course you need to be a lawyer to interpret some of the fine words there in case you are to fight a case in court! For a technical person who wants to understand the privacy requirements expected by GDPR, it’s not a hard read. The document consists of 173 recitals and 99 articles. The 99 articles are divided into 11 chapters. This is all you have to read :-) A recital is a formal statement appearing in a legal document which provides an explanation of, or the reasons for, such an initiative.

Natural Person

Throughout the regulation the term ‘natural person’ is used. A natural person is a person (in the legal sense, i.e., one who has its own legal personality) that is an individual human being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental organization) or public (i.e., government) organization. In this blog I’ll be using the term user interchangeably with natural person. Sometimes the term data subject is also used to carry the same meaning.

Personal Data

GDPR is applicable for processing of personal data. Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personally Identifiable Information (PII) vs Personal Data

Personal data does not carry the same meaning as personally identifiable information (PII). It’s much broader than that. PII is a term mostly used in the US. According to NIST, Personally Identifiable Information (PII) is “any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual’s identity (such as name, social security number, date and place of birth, mother’s maiden name, or biometric records) or any other information that is linked or linkable to an individual (such as medical, educational, financial, and employment information).”

Figure — 1: Personal Data

Personal Data is PII+

Personal data is PII+. IP addresses, cookies and device identifiers, which do not fall under PII, are treated as personal data in GDPR. You should not track or record any of the user’s personal data without his/her consent. Login patterns, buying patterns and behavioral patterns all fall under the definition of personal data. When you use Google DNS, it is probably tracking all the web sites you visit. Amazon tracks all your buying patterns to give more meaningful recommendations. Yelp tracks all the restaurants you visit. GDPR shows no mercy at all to any of these vendors.

There is an interesting story behind Gmail. Google’s top revenue even today comes from online advertising. They used to track the search patterns of users via cookies. That didn’t help Google identify who the exact user is: if the same user uses different devices or browsers, cookie based tracking is not very effective. Gmail got users to log into the browser. Once the user logs in, Google can easily map all the search patterns and other behavioral patterns to a real user, and make targeted marketing very productive.

Not Just for Citizens — But for Anyone on EU Soil

GDPR is applicable for the processing of personal data of EU citizens in EU or anyone in EU (not just citizens), in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the EU or not.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. If your business engages an external company for payroll processing and shares some of your employees’ personal data with it, then you act as the controller, while the company that processes the payroll acts as a processor.

Figure — 2

Another example: if you are a business established in the EU which collects user personal data, but stores and processes it in a data center in North America, GDPR is still applicable to you and you play the role of the controller (figure 2).

Figure — 3

Controller/Processor Can Even Be Outside EU

The regulation is also applicable to the processing of personal data of data subjects who are in the EU (no need to be a citizen, they just need to be there on EU soil) by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, irrespective of whether a payment by the data subject is required, or to the monitoring of their behavior as far as their behavior takes place within the EU (figure 3). This is applicable to Facebook, Google, Amazon and all the cloud service providers who are established in North America but process data of EU citizens/residents. Further, GDPR is also applicable to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

Supervisory Authority

When the controller is outside the EU, it has to nominate a representative (in writing), in any of the EU member states, which will work with the corresponding national supervisory authority. The supervisory authority is the government organization in each member state that will be responsible for the enforcement of GDPR.

Data Protection Officer (DPO)

GDPR requires having a data protection officer where necessary, under the following criteria:

  1. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
  2. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
  3. The core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offenses.

The data protection officer can be an existing employee of your company or a new recruit, but GDPR sets out the qualifications expected. There can also be a case where one data protection officer serves multiple companies.

The data protection officer is responsible for ensuring that the controller, processor and employees who process personal data understand their obligations, and for providing advice on meeting those obligations. He/she also has to monitor compliance with GDPR, with other EU or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.

The data protection officer is also the primary point of contact for the corresponding national supervisory authority, and plays a key role in the Data Protection Impact Assessment (DPIA), which we’ll discuss towards the end of this blog post.

Controllers and Processors

The controller is the entity that determines the purpose of processing activities. This includes which data will be collected, who to collect data from, whether there is a justification for not notifying the data subjects (users) or seeking their consent, how long to retain the data and so on. The data processors are those bodies contracted by the controller to perform some functions on the personal data. It’s the duty of the controller to ensure that any third-party processors abide by the rules, in accordance with GDPR.

The controller will usually be the public facing entity which data subjects interact with. It is the controller’s duty to protect personal data by implementing appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with GDPR. Processing here can also simply mean storing personal data.

The controller does not have to define every single element of how the data is processed, and will often rely on the processor’s assurance that processing will be done securely. Processors are restricted from engaging another processor without prior specific or general written authorization from the controller.

Lawfulness, Fairness and Transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the corresponding person or data subject. It’s the responsibility of the controller to educate the user on what personal data is being collected and for which purpose, and then get the user’s consent.

GDPR defines consent as, any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which the controller is subject.
  4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Where consent has not been obtained for the specific purpose in question, the controller must consider the following additional conditions to determine the transparency and fairness of the processing.

  1. Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing.
  2. The context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller.
  3. The nature of the personal data, in particular whether special categories of personal data are processed, or whether personal data related to criminal convictions and offenses are processed.
  4. The possible consequences of the intended further processing for data subjects.
  5. The existence of appropriate safeguards, which may include encryption or pseudonymization.

Right to Access

GDPR stipulates that the controller must provide data subjects access to their personal data, the purpose of processing their data, the categories of data being processed, the third parties or categories of third parties that will receive their data and the period of time which the data will be stored (or the criteria used to determine the retention period).

According to GDPR, the controllers must respond to the data requests from their data subjects without undue delay and in any event within one month of the receipt of the request.

Right to be Informed

A lawful, fair and transparent business must respect the end user’s right to be informed. It starts from the point of data collection. Businesses must let users know, through a privacy notice, that the information collected from them will be processed in a transparent and fair manner. Also, it’s a must for enterprises to get clear and valid consent from users for processing their personal information, through a consent document laid out in simple terms.

The controller shall, at the time when personal data are obtained, provide the user with the following further information necessary to ensure fair and transparent processing:

  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
  • The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
  • Where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • The right to lodge a complaint with a supervisory authority.
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
  • The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Right to Data Portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller.

Purpose Limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The business must explicitly specify the usage and purpose of the personal data collection, and get the user’s consent. Your online restaurant should not track your favorite dish without your consent, and if consent is given to record it for the purpose of sending further recommendations, the business has no right to share that data with another third party.

The privacy notices, terms and conditions, and consent forms should provide the data subject with unambiguous information about the extent of processing involved. These public statements should be reflected in the actual processing and the documentation of that processing.

Right to be Forgotten

GDPR grants individuals the full right to request deletion or removal of their personal data. The user can request data erasure under the following circumstances.

  • The storage of personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
  • The user withdraws consent for data processing.
  • The user raises a request to stop data processing due to the unlawful processing of data or if there was a breach of data.
  • The data has to be erased in order to comply with a legal obligation.

Pseudonymized Data

As we discussed before, the definition of personal data under GDPR has a broad scope. It’s a good practice to record any additional data that you collect, apart from direct user attributes, against a pseudonym. Pseudonymous and anonymous carry two different meanings: anonymous is pseudonymous + unlinkability. Any data about the user apart from the core set of attributes, like user behaviors and access patterns, can be recorded against a pseudonym. The link between the pseudonym and the user can be maintained in a different table, and to make it more secure, we just encrypt the data in this table. Once the user requests deletion of his/her account, apart from the user attributes, the mapping between the username and the pseudonym can also be removed. This makes all the data recorded against the corresponding pseudonym anonymous. Anonymous data is safe under GDPR, and you do not need to worry about erasing it.
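The design sketched above, as an added example that is not part of the original post: direct attributes go in a profile table, behavioral events are keyed only by a random pseudonym, and the username-to-pseudonym link sits in a separate table whose entries are encrypted. Erasing the account drops the profile and the link, so the events that remain are unlinkable. The class and function names (PseudonymVault, PersonalDataStore, link, unlink, erase) are my own, the sample user and events are constructed, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
"""Pseudonymised event storage: profile table, pseudonym-keyed event table and an
encrypted mapping table between the two.  Constructed example; names are not
GDPR terms or any library's API."""
import hashlib
import hmac
import secrets


class PseudonymVault:
    """Mapping table username -> pseudonym, each entry encrypted under a vault key.

    The cipher is a minimal HMAC-SHA256 counter-mode keystream so the example runs
    with the standard library only; a production store should use an AEAD such as
    AES-GCM from a vetted library and keep the key outside this table."""

    def __init__(self, key: bytes):
        self._key = key
        self._records: dict[str, tuple[bytes, bytes]] = {}  # username -> (nonce, ciphertext)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _xor(self, data: bytes, nonce: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))

    def link(self, username: str) -> str:
        # The pseudonym is random: deriving it from the username (e.g. a plain hash)
        # would let anyone re-link the events by guessing usernames.
        pseudonym = secrets.token_hex(16)
        nonce = secrets.token_bytes(16)
        self._records[username] = (nonce, self._xor(pseudonym.encode(), nonce))
        return pseudonym

    def resolve(self, username: str) -> str:
        nonce, ciphertext = self._records[username]
        return self._xor(ciphertext, nonce).decode()

    def unlink(self, username: str) -> None:
        self._records.pop(username, None)

    def is_linked(self, pseudonym: str) -> bool:
        """True while any remaining mapping entry still points at this pseudonym."""
        return any(self.resolve(u) == pseudonym for u in self._records)


class PersonalDataStore:
    def __init__(self, vault_key: bytes):
        self.profiles: dict[str, dict] = {}        # direct attributes: personal data
        self.events: list[tuple[str, str]] = []    # (pseudonym, event): behavioral data
        self.vault = PseudonymVault(vault_key)

    def register(self, username: str, attributes: dict) -> None:
        self.profiles[username] = dict(attributes)
        self.vault.link(username)

    def record_event(self, username: str, event: str) -> None:
        # Only the pseudonym ever reaches the event table.
        self.events.append((self.vault.resolve(username), event))

    def export(self, username: str) -> dict:
        """Right of access / portability: the profile plus the events linked to it."""
        pseudonym = self.vault.resolve(username)
        return {"profile": self.profiles[username],
                "events": [e for p, e in self.events if p == pseudonym]}

    def erase(self, username: str) -> None:
        """Right to be forgotten: drop the profile and the link; the events stay."""
        self.profiles.pop(username)
        self.vault.unlink(username)


def demo() -> dict:
    store = PersonalDataStore(vault_key=secrets.token_bytes(32))
    store.register("alice", {"email": "alice@example.test"})   # constructed sample user
    for event in ("login", "viewed:menu", "ordered:dish-42"):   # constructed sample events
        store.record_event("alice", event)
    before = store.export("alice")
    pseudonym = store.vault.resolve("alice")
    store.erase("alice")
    return {
        "events_before": len(before["events"]),
        "events_after": len(store.events),                    # data is still there ...
        "linkable_after": store.vault.is_linked(pseudonym),   # ... but nobody can link it
        "profile_after": "alice" in store.profiles,
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in your own schema is that nothing in the event table (timestamps joined with a login log, free-text fields, rare attribute combinations) lets the pseudonym be re-linked after the mapping row is gone; if it does, the data is still pseudonymous, not anonymous, and the erasure obligation still applies to it.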

Then again, the right to be forgotten is a tricky requirement under GDPR. Some financial/tax regulations require the retention of certain data for a given period. When there is a conflicting regulation, in most cases the tax regulation will win. You may need to consult your lawyer to get more clarity on this.

Data Minimization and Storage Limitation

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Also personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

No data should be collected for anticipated future usage. For example, if registration with your business is only for people older than 21 years, you should not record the user’s birthdate, but just the claim that your customer is older than 21. In the same way, if all your communications with your customers are over email, you should not keep track of their physical address or phone number. In case you had a customer who had opted to use his physical address as the primary means of communication and later changed to email, you must remove that customer’s physical address from your records.

Your approach to storage limitation should be enshrined in a data retention policy and supporting procedures. This must take into account legal and contractual requirements for retention periods, both minimum and maximum, and then trigger a process by which data is either securely disposed of or secured at the end of this period.

Accuracy, Right to Rectification

Personal data shall be accurate and, where necessary, kept up to date. If individuals feel their personal data is incomplete or inaccurate, they have the right to ask the business to rectify their personal data. When a rectification request has been raised, it’s the responsibility of the controller to provide information on actions taken on the request without undue delay to the concerned individuals. The controller must respond to all the requests from its data subjects within one month.

Right to Restrict Data Processing

The right to restriction of data processing effectively allows data subjects, under certain specific circumstances, to prevent controllers from conducting specific processing of their data. It means that, although the controller can store the personal data, it cannot process the data unless the individual gives their consent to lift the restriction or the processing is required for the establishment of legal claims, to protect the right of another person or in the interest of the wider public. If the data has been disclosed to any third parties, they must be notified of the restriction to further processing as far as is reasonably possible.

Integrity and Confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

In the parlance of information security, confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities or processes. This means personal data must be classified as confidential even within the organization, as it is extremely unlikely that every single person in the organization needs to have access to personal data. Integrity is the property of accuracy and completeness. This is necessary to make sure that data subjects are not jeopardized by altered, inaccurate information.

Accountability

The notion of accountability is not new to privacy law and policy. It was formally introduced into data protection regulation in 1980 when it was explicitly included as a basic data protection principle in the Organization for Economic Cooperation and Development (OECD) guidelines. Since then, the accountability principle has been included in a variety of international data protection instruments as one of several core principles and is slowly (but surely) finding its way into national data protection laws.

While accountability used to be all about allocating responsibility for privacy compliance, it is now about requiring a proactive, systematic and ongoing approach to data protection and privacy compliance through the implementation of appropriate data protection measures — increasingly referred to as “privacy management programs”. Various international data protection instruments are being revised to reflect that change.

GDPR requires controllers to implement appropriate technical and organizational measures (including introducing data protection by design and by default principles where relevant) to ensure, and be able to demonstrate, that data processing is performed in accordance with GDPR, and to review and update those measures where necessary, notably through internal and external assessment such as privacy seals.

Personal Data Breach

In the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted or otherwise processed. GDPR forces organizations to report data breaches without undue delay, and where feasible, within 72 hours.

Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessments (DPIAs) are essentially a form of risk management. You use them to identify the risks to the data subject’s privacy, the security of their personal data, and their rights and freedoms in relation to their data. A DPIA builds trust. You can publish the results of a DPIA in order to show both that your organization is keeping personal data secure and that you have taken a rigorous approach to ensuring this.

The DPIA is one of the specific processes mandated by GDPR. Many organizations will be required to conduct a DPIA. The guidelines defined here explain the process, and the need for a DPIA, with more clarity. According to GDPR, the desired outcome of the DPIA can be reduced to:

  1. A description of the processing and its purposes.
  2. The legitimate interests you are pursuing with this processing.
  3. An assessment of the necessity and proportionality of the processing.
  4. An assessment of the risks to the rights and freedom of data subjects.
  5. The measures envisaged to address the risks.
  6. All of the safeguards and security measures to demonstrate compliance with the GDPR.
  7. Indications of timeframes if the processing will include erasure of personal data.
  8. An indication of any data protection by design and by default measures.
  9. A list of the recipients of personal data.
  10. Details of whether the data subjects have been consulted and have consented.

Privacy by Design — Privacy by Default

GDPR states that the controller should adopt internal policies and implement measures which meet, in particular, the principles of data protection by design and data protection by default. DPIAs are an important part of privacy by design and by default, which is a process of ensuring that all personal data collection, processing, storage and destruction measures are designed to secure privacy.

References

  1. General Data Protection Regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
  2. EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide: https://www.amazon.com/gp/product/1849288356/
  3. Understanding Privacy: https://www.amazon.com/gp/product/0674027728/
  4. NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
