The General Data Protection Regulation (GDPR) is at the core of Europe’s digital privacy legislation. It is a set of rules designed to give EU citizens more control over their data, requiring GDPR-compliant businesses to protect the personal data and privacy of EU citizens.
The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. Essentially, the GDPR creates an imperative to evaluate and update how companies store, manage, transfer, and secure data, and companies that fail to achieve compliance will be subject to stiff penalties and fines.
The regulation gives data subjects extended rights to access, correct, and erase their personal data, as well as to withdraw consent to its use.
According to Article 5(1)(a), personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject.”
Lawfulness covers two things: choosing a proper lawful basis for processing personal data and avoiding illegal activities when processing it. There are six different lawful bases for processing personal data, according to Article 6(1):
A. Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
B. Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
C. Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
D. Protection of vital interest: processing is necessary in order to protect the vital interests of the data subject or of another natural person;
E. Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
F. Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
If none of these lawful bases applies to a data processing activity, the processing is considered unlawful.
Fairness means companies are not misusing personal data in any way that would negatively impact an individual. The transparency principle requires clear, open, and honest communication towards individuals about how their personal data is being used, including notifying them about the information companies use, whether it’s obtained from them directly or from another source.
Organizations must have legitimate reasons for collecting and processing personal information. According to Article 5(1)(b), personal data shall be: “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).”
This principle means collecting only the minimum data needed. It limits the data controller to collecting, storing, processing, and using only the personal information that is necessary to provide the required service or fulfill a specific purpose. According to Article 5(1)(c), personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).”
Companies are responsible for taking all reasonable steps to ensure the personal data they collect is correct and accurate. The intention is to encourage businesses to keep only relevant data and eliminate all unnecessary, incorrect, or irrelevant data. According to Article 5(1)(d), personal data shall be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).”
For every piece of personal data that is being processed, companies have to be able to justify why they are keeping it. Personal data should only be kept long enough for the data to be processed for its stated purpose.
According to Article 5(1)(e), personal data shall be: “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).”
Organizations should have security measures in place to protect the collected personal data from unlawful use, accidental loss, and destruction, according to Article 5(1)(f). This principle has a strong connection with information security, but it also applies to organizational measures that can be implemented to safeguard personal data.
The data controller or organization is responsible for demonstrating proper personal data handling and GDPR compliance. Article 5(2) states: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Every step of the compliance should be documented, including:
Technical and organisational measures
Data protection policies
Data protection impact assessments
Appointment of a DPO
Each member of the European Union and any organization that does business in the EU is subject to the GDPR, meaning all large organizations in the United States must adhere to this legislation, too. It applies to anyone who:
Offers products and services in the EU
Monitors the behavior of people in the EU (including via targeted online ads)
It applies to governments and private companies alike, and has been enforceable since May 25, 2018.
The GDPR lists a number of key controls and practices related to the management and monitoring of data subjects and personal data. The first two of these are data breach notification and a required role, Data Protection Officer. Under the GDPR definition, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In the event of a personal data breach, organizations must notify the supervisory authority. The GDPR defines two separate concepts that typically (but not always) refer to organizations: Data Controller (or controller) and Data Processor (or processor).
The Data Controller is the entity (in most cases an organization, but sometimes a person) that determines why personal data are processed in the first place. For example, a ride-sharing company wants to analyze its riders’ usage patterns to better allocate drivers. Note that the entity that is the controller doesn’t actually have to be the one who analyzes or processes the data.
The Data Processor is the entity (again: person or organization) that actually does the processing or analysis of data. For example, banks frequently outsource their fraud analysis to third parties, in which case the bank is the controller (directing what’s done with data), and the third party is the processor (actually doing the analysis).
In the event of a breach, the organization must notify the supervisory authority of the member state where the data controller has its main establishment, as well as the affected data subjects. For example, if an organization is based in Frankfurt and has the majority of its customers in Germany, the notification should go to the German supervisory authority. Article 51 of the GDPR covers the creation of the per-state supervisory authority.
Notice must be given “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” For those familiar with the Equifax breach, the organization waited six weeks before announcing it publicly. This delay in announcement seems to have only made the situation worse: executives took time to sell shares in the company and the public was prevented from taking action to protect their identities.
The notification to the supervisory authority must include “at least” the following:
The nature of the personal data breach, including the number and categories of data subjects and personal data records affected.
The Data Protection Officer’s contact information.
The likely consequences of the personal data breach.
How the controller proposes to address the breach, including any mitigation efforts.
The GDPR does provide some exceptions to the additional requirement of notifying the data subjects of the personal data breach, if:
The controller has implemented appropriate technical and organizational protection measures that render the data unintelligible to any person who is not authorized to access it (see our forthcoming blog on pseudonymization).
The controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects is unlikely to materialize.”
Notification to each data subject would involve disproportionate effort, in which case alternative communication measures may be used.
Complying with the breach notification requirements, as covered above, is only a part of the spirit of the regulation. Effectively doing so requires two other steps:
Assessing which data an organization has that is considered to be “personal data.”
Understanding if a breach has occurred in the first place.
GDPR defines personal data as any information relating to a natural person living in any of the EU countries who can be identified directly or indirectly. Examples include:
Addresses (physical and email)
Location data, IP address, cookies, and RFID tags
National identification numbers (e.g., social security numbers)
Credit card numbers
Health and genetic data
Biometric data (facial recognition, fingerprints, behavior, etc.)
Personal philosophy, politics, religion, and beliefs
Race or ethnicity
Sexual identity or orientation
The exception is data that has been irreversibly anonymized.
According to the GDPR, if the data is anonymized so the data subject is no longer identifiable (directly or indirectly), the GDPR does not view or consider it as personal data anymore.
Recital 26 explains it in detail:
The principles of data protection should apply to any information concerning an identified or identifiable natural person.
Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
This Regulation does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes.
The key actions to prepare for GDPR are:
Discover the personal data held
Implement controls on how this data is processed
Ensure processing meets data subjects’ rights
Assure that outsourced processing is compliant
Update and test the processes for managing a data breach to include the new requirements for notification
Implement data protection by design and default
The GDPR introduces new mandatory data breach reporting rules. Businesses that suffer a data security incident will potentially find themselves compelled to notify their enterprise customers, their regulators, and the individuals whose data have been compromised.
Any business that has experienced a data breach will know that, quite apart from the cost of re-securing the compromised data, data breaches attract very significant financial, reputational, and resource costs.
In terms of the specific rules it introduces, the GDPR sets an expectation that businesses must report to data protection authorities within 72 hours upon becoming aware of a breach – a very short timescale for any material data security incident – and must inform the individuals affected without “undue delay.” However, the GDPR says that businesses do not need to notify data protection authorities if they can “demonstrate that the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.”
On a similar note, it also says that businesses only need to inform affected users if the breach is likely to result in a “high risk” to their privacy – and that notification is not required if the business “has implemented appropriate technical and organisational protection measures that render the data unintelligible to any person who is not authorised to access it”.
In short, if a data breach presents low risk to the individuals concerned, the GDPR’s breach notification requirements become more relaxed. Pseudonymisation, whether through masking, hashing or encryption, offers a clear means to reduce the risks to individuals arising from a data breach (e.g., by reducing the likelihood of identity fraud and other forms of data misuse), and is supported by the GDPR as a security measure.
Consequently, businesses that have effectively pseudonymised their data may therefore benefit from exemptions from notifying regulatory authorities and the individuals affected in the event they suffer a data breach.
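The passages above, and Recital 26 earlier on the page, turn on whether a pseudonym can be attributed to a person by “means reasonably likely to be used” and whether the “additional information” needed to do so is held separately. The following added example (not code from the original article) shows the difference in working Python: an unkeyed SHA-256 over an e-mail address can be linked back to anyone who holds a list of candidate addresses, whereas an HMAC-SHA256 pseudonym requires the controller’s secret key, which is the separately held additional information. It also shows that the key holder can still locate a subject’s records, which is why the data remain personal data for the controller. The record layout, the field name `email`, the sample addresses and the candidate list are all constructed for the demonstration.

```python
"""Pseudonymisation of a direct identifier: unkeyed hash versus keyed HMAC.

Added example, not code from the original article. All records, e-mail
addresses and keys below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (no real people).
RECORDS = [
    {"email": "alice@example.com", "trips": 12, "city": "Frankfurt"},
    {"email": "bob@example.com", "trips": 3, "city": "Munich"},
    {"email": "carol@example.com", "trips": 7, "city": "Frankfurt"},
]

# Secret held by the controller, stored apart from the pseudonymised dataset.
# This is the "additional information" that Recital 26 refers to.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Candidate identifiers a third party could plausibly hold (constructed).
KNOWN_EMAILS = ["alice@example.com", "bob@example.com", "dave@example.com"]


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier: deterministic and needs no secret."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: deterministic for the key holder only."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, pseudonym_fn, field="email"):
    """Return copies of the records with `field` replaced by its pseudonym."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy[field] = pseudonym_fn(rec[field])
        out.append(copy)
    return out


def linkable_by_lookup(pseudonymised, candidates, pseudonym_fn, field="email"):
    """Recital 26 risk check: which pseudonyms can be attributed to a candidate
    identifier by someone who has the candidate list and can run `pseudonym_fn`
    (i.e. has every input except the secret)? Returns pseudonym -> identifier."""
    table = {pseudonym_fn(c): c for c in candidates}
    return {r[field]: table[r[field]] for r in pseudonymised if r[field] in table}


def subject_access_lookup(pseudonymised, identifier, key, field="email"):
    """The controller, holding the key, can still find one subject's records
    (for example to answer an Article 15 access request)."""
    pseudonym = keyed_pseudonym(identifier, key)
    return [r for r in pseudonymised if r[field] == pseudonym]


if __name__ == "__main__":
    naive = pseudonymise(RECORDS, unkeyed_pseudonym)
    print("unkeyed hash, linkable from a candidate list:",
          linkable_by_lookup(naive, KNOWN_EMAILS, unkeyed_pseudonym))

    keyed = pseudonymise(RECORDS, lambda e: keyed_pseudonym(e, PSEUDONYM_KEY))
    without_key = secrets.token_bytes(32)  # a party that does not hold the key
    print("keyed hash, linkable without the key:",
          linkable_by_lookup(keyed, KNOWN_EMAILS,
                             lambda e: keyed_pseudonym(e, without_key)))
    print("controller lookup for alice:",
          subject_access_lookup(keyed, "alice@example.com", PSEUDONYM_KEY))
```

The design point is the separation, not the hash function: the keyed scheme only reduces risk if the key is stored and access-controlled separately from the dataset, so that a breach of the dataset alone does not leak the means of attribution. Rotating the key changes every pseudonym, which is acceptable for a dataset re-derived from source records but breaks joins across datasets derived under the old key.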
Data access requests are very commonly made in the context of litigious claims, by individuals seeking to get wider access to information than they would ordinarily be entitled to under normal litigation disclosure rules. Individuals will continue to have a right of access to data under the GDPR. However, consistent with its approach to pseudonymisation on data breach issues, the GDPR appears to relax disclosure requirements in response to a data access request where data has been pseudonymised (see Articles 15 to 18).
This means that a business may not be obligated to include data that has effectively been pseudonymised when responding to data access requests from an individual. This is a particularly important benefit for large consumer-facing businesses that may face many subject access requests from their customers at any given point in time.
A further key development in the GDPR is that the law introduces a specific concept of “profiling,” defining it as “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
The GDPR goes on to say that businesses should not make “decisions” about an individual if those decisions are solely based on automated processing, including profiling, unless one of certain specific legal criteria is met – typically requiring the individual’s “explicit consent.” The rule only applies, however, if the profiling produces “legal effects” concerning the individual or “similarly significantly affects him or her.”
Data profiling where an individual’s direct identifying information has been removed through pseudonymisation will significantly reduce any privacy impact on the individual, particularly when keeping in mind the GDPR’s overarching support of pseudonymisation.
Rather than the intentional-versus-unintentional divide used by the California Consumer Privacy Act, GDPR enforcement weighs a set of criteria that determine the severity of the penalty. These include the nature, gravity, and duration of the infringement; its intentional or negligent character; action(s) taken to mitigate the damage suffered by individuals; the technical and organizational measures put in place to protect personal data; past history of infringements; the level of cooperation with the supervisory authority; the types of personal data involved; the manner in which the infringement was notified to the supervisory authority; and adherence to industry standards.
The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
The more serious infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Aside from the potential fines, the GDPR also grants data protection authorities additional powers, including mandatory audit rights, and gives individuals the ability to bring legal claims (or have legal claims brought on their behalf by civil liberties organisations or similar) against non-compliant businesses.