PrivacyAid

What is the General Data Protection Regulation (GDPR)?

Organisations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million (whichever is the greater)

What Does GDPR Compliance mean in practice?

There is currently no formal certification or accreditation for GDPR to enable an organisation to achieve a ‘magic bullet’ of GDPR compliance. There’s a huge level of misunderstanding about GDPR; it involves process, people, systems, technology and security. 

So, while applying the latest update to a database software application is the correct approach because it will include the latest security patches, you cannot simply ‘patch your applications’ to achieve GDPR compliance. It is just not that simple, so you should be wary of anyone who says that it is.  Ultimately, if an organisation misuses, leaks or loses any personal data, the Information Commissioner’s Office (ICO) in the UK (or the relevant supervisory authority in each member state) will take into account the security, processes, workflows and safeguards that were established for GDPR when determining the size of any fine.

What are the fines?

Organisations can be fined up to 4% of annual global turnover or €20 million (whichever is the greater) for breaching the GDPR. Fines are tiered, so the most serious infringements (for example, breaching the basic principles for processing, the conditions for consent or data subjects’ rights) attract the maximum.  A lower tier of up to 2% of annual global turnover or €10 million (whichever is the greater) applies to obligations such as keeping records of processing in order (Article 30), notifying the supervisory authority and the data subject of a breach (Articles 33 and 34) and carrying out a data protection impact assessment where one is required (Article 35). It is important to note that these rules apply to both controllers and processors, meaning cloud providers, which many have mistakenly believed to be some “quick fix”, are not exempt from GDPR enforcement.

Geographical considerations – a worldwide law?

The territorial scope of the GDPR (Article 3) is hugely significant and means that organisations believing themselves to be exempt by virtue of being based outside the EU may still fall within it. The GDPR states that even if the controller or processor is not established in the EU, the regulation still applies to the processing of personal data of data subjects who are in the EU where the processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour within the EU.

The physical location of the organisation is therefore not the test: a company with no EU presence that markets to, or tracks the behaviour of, people in the EU is caught.  It is this provision in the GDPR that gives it such global reach. The former Data Protection Directive (DPD) was not nearly as extensive in this respect, and that is partly because it did not expressly treat online identifiers such as IP addresses as personal data.

What constitutes personal data?

The GDPR’s definition of personal data can be found in Article 4(1), which states that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The data subject sits right at the heart of the GDPR.  The data subject is the identified or identifiable natural person to whom the personal data relates, and it is this person the GDPR is designed to protect.   By itself, the name Bob Jones may not always be personal data because many individuals share the same name. However, if the name is combined with other information (such as an address, a place of work or an email address), this will usually be sufficient to identify one individual clearly.  You should also remember that you do not need a name to identify someone.  Fingerprints and facial images are personal data (and, when processed to identify someone, biometric data in the special category under Article 9), as is CCTV footage. Under certain circumstances personal data also includes online identifiers such as IP addresses and mobile device IDs.

The GDPR also defines ‘pseudonymisation’ (Article 4(5)): processing personal data so that it can no longer be attributed to a specific data subject without the use of additional information, for instance by replacing an identifier with a keyed hash or an encrypted value while the key is kept separately.  Pseudonymised data remains personal data, because whoever holds that additional information, or can otherwise reverse or correlate the tokens, can re-identify the individual (Recital 26). The same logic applies to data that was never labelled with an identifier at all: suppose that a piece of software analyses the typing patterns of its users to the extent that it can recognise them (sometimes called de-anonymisation or re-identification). That data would then fall within the scope of Article 4’s definition and be subject to the GDPR as a result.
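To make the pseudonymisation point concrete, the following added example (it is not code from the PrivacyAid page) pseudonymises client IP addresses from a constructed log in two ways, with a plain SHA-256 hash and with an HMAC under a secret key, and then tries to re-identify the tokens by enumerating the address range. The log lines, the network range and the key are constructed for the example.

```python
"""Pseudonymising client IP addresses with an unkeyed hash versus a keyed hash.

Added illustration for this section; it is not code from the PrivacyAid page.
The log entries, the network range and the key below are constructed.
"""
import hashlib
import hmac
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed sample: web-server-style records keyed by client IP (an online
# identifier, so personal data under Article 4).
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("192.168.10.7", "GET /account"),
    ("192.168.10.42", "POST /login"),
    ("192.168.10.7", "GET /orders"),
]


def pseudonymise_sha256(ip: str) -> str:
    """Unkeyed pseudonymisation: plain SHA-256 of the address string."""
    return hashlib.sha256(ip.encode()).hexdigest()


def pseudonymise_hmac(ip: str, key: bytes) -> str:
    """Keyed pseudonymisation: HMAC-SHA256 under a secret key.

    The key is the 'additional information' of Article 4(5); it must be stored
    separately from the pseudonymised records and access-controlled."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def pseudonymise_log(log: List[Tuple[str, str]],
                     token_fn: Callable[[str], str]) -> List[Tuple[str, str]]:
    """Replace every IP in the log with its token, keeping the rest of the record."""
    return [(token_fn(ip), request) for ip, request in log]


def reverse_by_enumeration(token: str, network: str,
                           token_fn: Callable[[str], str]) -> Optional[str]:
    """Try to re-identify a token by recomputing it for every address in `network`.

    IPv4 has only 2^32 addresses, so for an unkeyed hash the whole dictionary
    is cheap to precompute; for a keyed hash this only succeeds if the caller
    supplies the right key."""
    for addr in ipaddress.ip_network(network):
        if token_fn(str(addr)) == token:
            return str(addr)
    return None


def count_linked_records(pseudonymised_log: List[Tuple[str, str]], token: str) -> int:
    """Tokens are deterministic, so one data subject's records stay linkable
    (singling out) even though the IP itself no longer appears."""
    return sum(1 for tok, _ in pseudonymised_log if tok == token)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-separate"  # constructed for the example

    plain = pseudonymise_log(SAMPLE_LOG, pseudonymise_sha256)
    keyed = pseudonymise_log(SAMPLE_LOG, lambda ip: pseudonymise_hmac(ip, key))

    # 1. Unkeyed hash: anyone can reverse it by enumerating the address space.
    print("sha256 reversed:", reverse_by_enumeration(
        plain[1][0], "192.168.10.0/24", pseudonymise_sha256))
    # 2. Keyed hash without the key: enumeration under a guessed key fails.
    print("hmac, wrong key:", reverse_by_enumeration(
        keyed[1][0], "192.168.10.0/24", lambda ip: pseudonymise_hmac(ip, b"guess")))
    # 3. Keyed hash with the key: the key holder can re-identify, which is
    #    exactly why pseudonymised data is still personal data.
    print("hmac, right key:", reverse_by_enumeration(
        keyed[1][0], "192.168.10.0/24", lambda ip: pseudonymise_hmac(ip, key)))
    # 4. Either way, records of the same subject remain linkable.
    print("records linked to first token:", count_linked_records(keyed, keyed[0][0]))
```

The unkeyed hash is reversed by anyone willing to hash the IPv4 address space; the HMAC resists enumeration without the key but is reversed trivially by whoever holds it, and in both cases a subject’s records stay linkable. That is why a hashed or encrypted identifier is pseudonymised rather than anonymised data and stays inside the GDPR.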

GDPR stipulates that personal data can only be used for the purpose or purposes for which it was collected, and those purposes must be stated at the time of collection (the purpose-limitation principle in Article 5(1)(b)).  If an organisation has collected information for a specific purpose, for example to register a warranty for a customer, it cannot simply sell that data on to other companies without the data subject’s prior knowledge and consent.