In our previous blog post, we compared CASL to GDPR, and from what we gathered, there’s a whole lot more to GDPR than just consent and CEMs.
The good news is that if you’re GDPR compliant, you’re probably CASL compliant by default.
The bad news is, we still have a lot of ground to cover when it comes to GDPR. But fear not! We have a handy breakdown of the whole kit and caboodle.
A Quick Recap
The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018 and applies to ‘controllers’ and ‘processors’.
The law applies to organizations established in the EU and to any organization, anywhere in the world, that offers goods or services to people in the EU or monitors their behaviour. So if you have EU clients, you have to be GDPR compliant, or you risk fines of up to €20 million (roughly $30 million CAD) or 4% of your annual worldwide turnover, whichever is higher.
As of that date, all your new and existing databases must be GDPR compliant. That means reviewing the data you already hold, confirming you have a lawful basis for each use of it and, where that basis is consent, being able to prove the consent was given.
In this blog post, I’m going to cover the rest of GDPR that I didn’t touch on, including the different ways you can process data, info on the data itself, the individual’s rights and different ways to ensure you’re up to date on your compliance game.
How Can I Process Data?
Under GDPR, you must have a lawful basis for processing personal data, and you must identify and document it before you start. Without one, you are not allowed to collect, process, or monitor any data.
The six lawful bases are:
- Consent
The individual has given you clear consent to process their data for a specific purpose. This is the usual basis for marketing communications and other optional services where the individual has a genuine choice. Consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.
- Contract
This basis applies if the processing is necessary to fulfil a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract (e.g. providing a quote).
- Legal Obligation
This basis applies if you need to process personal data to comply with a common law or statutory obligation. It does not cover contractual obligations. Typical users are courts, financial institutions, and employers that must disclose employee salaries to a governing body.
- Vital Interests
Applies when you process data to protect someone’s life. It does not apply to health data or other special category data if the subject is able to give or refuse consent. For example, a patient in a hospital who cannot respond to questioning or consent, but whose medical history needs to be transferred from a different hospital, would fall under vital interests.
- Public Task
Applies mostly to public authorities, but can apply to any organization that exercises official authority or carries out tasks in the public interest. For example, a private water company acts in the public interest but isn’t necessarily a public authority.
- Legitimate Interests
Although this is the most flexible of the six bases, it can be difficult to justify to a regulator that you are in fact acting in legitimate interests.
You must be able to:
- Identify a legitimate interest; it can be your own or a third party’s
- Show that the processing is necessary to achieve it
- Balance it against the individual’s interests, rights and freedoms. If they would not reasonably expect the processing, or it could cause them unwarranted harm, their interests are likely to override yours.
Once you have chosen and documented your basis, you should not swap to a different one later simply because the first has become inconvenient. If you later want to use the data for a new purpose, that purpose must be compatible with the original one; otherwise you need a fresh basis, and usually fresh notice to the individual.
Types of Data
There are three types of data regulated by the GDPR: general personal data, “special category” or sensitive data, and criminal offence data. Each type is treated differently, but no matter what, you must have a justified lawful basis for processing all of it. If you’re collecting data you have no lawful basis for, you’re better off no longer collecting it.
General Personal Data
As stated in our previous blog post, personal data is anything that can be used to identify a data subject, directly or indirectly: name, email address, IP address, etc.
Special Category Data
Special category data requires extra protection. In addition to a lawful basis under Article 6, you need to meet one of the specific conditions in Article 9 (explicit consent, for example), and it is imperative that you can justify why you’re processing this data.
The categories are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data, where used to uniquely identify someone
- Health (physical or mental)
- Sex life
- Sexual orientation
Because these topics are sensitive, processing them is high-risk to a person’s fundamental rights and freedoms (a breach can lead to discrimination or reputational harm), so it’s important to be able to fully justify why you’re processing this data.
Criminal Offence Data
To process personal data about criminal convictions and offences, you must have a lawful basis under Article 6 and either be acting under the control of official authority or have specific authorization in Union or Member State law that provides appropriate safeguards.
For example, if you operate a website that provides criminal background checks but are neither acting under official authority nor specifically authorized by law, you cannot process this data under GDPR.
The Rights of Individuals
It’s important to know the different rights that data subjects have, and that they can complain to a supervisory authority and seek compensation should you infringe on their rights and freedoms.
Individuals have the:
- Right to be informed
Individuals have the right to know that you are collecting their data, for what purpose, how long you will keep it, and who it will be shared with. This information (usually your privacy notice) must be concise, transparent and written in clear, plain language.
- Right of access
Individuals have the right to access their personal data (a subject access request). They can make the request verbally or in writing, and you must respond within one month, free of charge (you can refuse, or charge a reasonable fee, for requests that are manifestly unfounded or excessive).
- Right to rectification
If an individual’s data is inaccurate or incomplete, they have the right to have it corrected or completed. The request can be made verbally or in writing, and you must respond within one month; you can refuse in certain cases.
- Right to erasure
Individuals can have their personal data erased in certain circumstances, for example when it is no longer needed for the purpose it was collected for, or when they withdraw consent and you have no other lawful basis. This is also known as the “right to be forgotten.” The request can be made verbally or in writing, and you must respond within one month.
- Right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data. While the restriction is in place you may store their data, but not otherwise use it. The request can be made verbally or in writing, and you must respond within one month.
- Right to data portability
Individuals have the right to obtain the personal data they provided to you and reuse it for their own purposes, including having it moved to another service. You must supply it, or transmit it directly to another controller where technically feasible, in a structured, commonly used and machine-readable format (CSV, JSON or XML, for example), and do so securely. This right applies to data you process by automated means on the basis of consent or contract.
- Right to object
Individuals have the right to object to the processing of their personal data (with exceptions). They do, however, have an absolute right to stop their data being used for direct marketing. The request can be made verbally or in writing, and you must respond within one month.
- Rights in relation to automated decision making and profiling
Individuals have the right not to be subject to a decision based solely on automated processing (a decision made without any meaningful human involvement), including profiling, where that decision has legal or similarly significant effects on them.
You can only make such a decision if it is:
- Necessary for entering into, or performing, a contract with the individual
- Authorized by Union or Member State law
- Based on the individual’s explicit consent
If you rely on contract or explicit consent, you must tell individuals you are doing this, explain the logic involved in plain terms, and give them a way to obtain human intervention, express their point of view and contest the decision.
The best way to ensure you protect yourself and the data you process is to establish and maintain documentation on all your processes. Be sure to have procedures for:
- Documenting all incoming and existing data, including consent information.
- Responding to requests from individuals, such as access, erasure or transfer of their data. You generally have one month to respond (extendable by up to two further months for complex or numerous requests), so make sure you can find and act on a person’s data efficiently.
- Data breach protocols. If a breach is likely to put individuals’ rights and freedoms at risk, you must report it to your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; if the risk is high, you must also tell the affected individuals without undue delay. Being able to demonstrate that you did your due diligence beforehand may reduce any penalty.
To exercise due diligence, and ensure you’ve taken the proper steps for compliance, you need to be able to produce reports to clearly show regulators that:
- You know what personal data you have and where it’s located, across your databases.
- Where you rely on consent, you obtained it properly and have documented evidence of it.
- You can prove how personal data is used, who uses it, and for what purpose.
And That’s It!
Phew! That’s a lot of info. It may seem overwhelming and easy to mess up, but as long as you’re honest with your users, honest with regulators, and keeping proper documentation on everything you do, you’re going to be just fine.
Be sure to really investigate and research processes that may be specific to your organization.
To end my GDPR series, I would like to link some awesome resources to help you with your GDPR-journey:
GDPR Requirements in Plain English (A personal favourite of mine)
Mandatory Documents Required by GDPR *Note: Not all these documents will be needed for non-EU organizations*