All you need to know
Compliance as an opportunity
The enactment of the General Data Protection Regulation has forced businesses worldwide to adjust their procedures: setting up more careful processes for handling personal data and updating privacy policies and security practices. The ultimate goal is protecting the privacy and security of consumers' personal data, and failure to achieve it is heavily punished, not to mention the reputational damage that noncompliance can cause. Clearly, the costs of not complying with the GDPR are far greater than any investment made to comply with it.
However, embedding the Regulation and fulfilling its requirements brings companies more than the safety of avoiding serious penalties. Customer loyalty, trust and confidence are increasingly decisive factors in choosing a company to do business with. In this context, demonstrating seriousness about compliance is almost as important as being compliant in the first place. This is how the GDPR turns from a legal burden into a competitive differentiator.
In light of this, we recommend clearly signalling and communicating to your customers and shareholders the procedures being implemented for compliance and the purpose of those procedures. Not only does this show transparency about the security measures taken to be compliant, it also builds deep trust and helps attract and retain customers.
What principles should data processing be based on?
Lawfulness, Fairness, Transparency
The GDPR requires that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The responsibility, as well as the burden of complying with the "lawfulness of processing" requirement, lies with the controller.
Accuracy
The processed data should be accurate and, where necessary, kept up to date, while ensuring that inaccurate information is erased or rectified without delay.
Storage limitation
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Purpose limitation and Data minimization
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; the personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Integrity and Confidentiality
Personal data must be processed in a manner that appropriately ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Transparency is a central principle in the GDPR, as it promotes the objective of strengthening individuals' rights by ensuring the effectiveness of all the other principles. The transparency obligations begin at the data collection stage and apply "throughout the life cycle of processing".
The principle of transparency requires that any information addressed to the public or to the data subject be communicated in a concise, transparent, intelligible and easily accessible form, using clear, plain and unambiguous language and, where appropriate, visualization and standardized icons provided in writing, or by other means, including, where appropriate, electronic means such as a website.
Ensuring the effective access and comprehension of the information provided to data subjects is as important as the content of the information itself. It's not just what you say, but how you say it, that matters.
What does "lawfulness of processing" mean exactly?
The legal bases for data processing
Processing personal data is generally prohibited, unless it is expressly allowed by law or by the data subject.
There are six legal bases for processing personal data in compliance with the General Data Protection Regulation.
Data processing is lawful only if, and to the extent that, it is justified by at least one of the following:
- The data subject has given consent to the processing of his or her personal data for one or more well-defined purposes.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing represents a contractual obligation because it is required for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is needed to satisfy a legal obligation to which the controller is subject.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
What are the requirements for consent under GDPR?
Consent is the best-known legal basis for processing personal data. It is the subject of various provisions in the GDPR and is legally valid and effective only if certain conditions are met. To be able to demonstrate that data subjects have consented, the controller must keep records stating exactly what each data subject has consented to and when, where and how that consent was expressed.
Consent must be:
- Freely given: consent must be given on a voluntary basis. This requirement implies a real choice by the data subject, so any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. This is why consent should not be a precondition for the provision of a service, unless it is an essential element of that service.
- Informed: data subjects must at least be notified of the identity of the controller and of any third parties that will rely on the consent; they must also be aware of what kind of data will be processed, how it will be used and the purpose of the processing operations. Moreover, data subjects need to be informed at the same time about their rights and, in particular, the possibility of withdrawing consent at any time. Withdrawal must be as easy as giving consent, so simple and effective withdrawal mechanisms should be implemented.
- Specific: consent should be bound to one or several specified and sufficiently explained purposes, especially where the consent legitimizes the processing of special categories of personal data (sensitive data). Data subjects must be aware of who will use the data and in what manner. Moreover, the request for informed consent should always be a standalone mechanism, distinguishable and kept clearly unbundled from information about other contractual matters, terms and conditions, with a separate mechanism for obtaining authorization. When the processing has multiple purposes, consent should be given for each of them separately; similarly, when multiple types of processing are involved, granular options should let the data subject express differing degrees of consent through separate actions.
- Unambiguous: consent cannot be implied; it must be an explicit acceptance of the proposed processing of the data subject's personal data. It must be expressed by means of a statement or a clear affirmative act, through an opt-in, a declaration or an active action, excluding any possibility of misunderstanding. "Opt-out" mechanisms with pre-checked boxes are explicitly not allowed by the Regulation. Written consent is recommended; however, no particular form is required, and consent can also be given electronically, provided that the request for consent is presented in an intelligible and easily accessible form, using clear and plain language. The affirmative actions by which the data subject indicates agreement could include ticking or clicking a box when visiting a website, signing a form or choosing technical settings for information society services.
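As an added example (not code from the page or from Penneo), the consent conditions above expressed as a minimal consent ledger: one record per subject and purpose documenting what was consented to, when and how, with a check that processing for a purpose may rely on that consent only while it is valid and not withdrawn. The record fields, the sample subject "u42" and the encoded rules are this example's own assumptions.

```python
# Added example: minimal consent ledger. Field names, rules and sample data are
# assumptions of this example, not the page's or Penneo's own implementation.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # one record per purpose: granular consent
    controller: str                   # identity the subject was informed of
    recipients: tuple                 # third parties relying on this consent
    method: str                       # how consent was expressed, e.g. "checkbox"
    given_at: Optional[datetime]      # None until a clear affirmative act occurred
    preticked: bool = False           # a pre-checked box is opt-out, not opt-in
    bundled_with_terms: bool = False  # request must be unbundled from T&Cs
    withdrawn_at: Optional[datetime] = None


def consent_defects(rec: ConsentRecord) -> list:
    """Reasons the record does not evidence valid consent (empty list if valid)."""
    defects = []
    if rec.given_at is None:
        defects.append("no affirmative act recorded")
    if rec.preticked:
        defects.append("pre-ticked box: opt-out, not opt-in")
    if rec.bundled_with_terms:
        defects.append("consent bundled with terms and conditions")
    if not rec.purpose.strip():
        defects.append("purpose not specified")
    if not rec.controller.strip() or not rec.method.strip():
        defects.append("controller identity or method of consent not documented")
    return defects


def withdraw(rec: ConsentRecord, at: datetime) -> ConsentRecord:
    """Withdrawal is a single unconditional step, as easy as giving consent."""
    rec.withdrawn_at = at
    return rec


def may_process(records, subject_id: str, purpose: str, at: datetime) -> bool:
    """True only if a valid, unwithdrawn consent for exactly this purpose covers `at`."""
    for rec in records:
        if rec.subject_id != subject_id or rec.purpose != purpose:
            continue
        if consent_defects(rec):          # defective records never justify processing
            continue
        if rec.given_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
            return True
    return False


# Constructed sample ledger for subject "u42" (not real data).
T_GIVEN = datetime(2024, 3, 1, tzinfo=timezone.utc)
T_CHECK = datetime(2024, 4, 1, tzinfo=timezone.utc)
T_WITHDRAWN = datetime(2024, 6, 1, tzinfo=timezone.utc)
T_LATER = datetime(2024, 7, 1, tzinfo=timezone.utc)
LEDGER = [
    ConsentRecord("u42", "newsletter", "Example Ltd", ("MailProvider",), "checkbox", T_GIVEN),
    ConsentRecord("u42", "analytics", "Example Ltd", (), "checkbox", T_GIVEN, preticked=True),
]
withdraw(LEDGER[0], T_WITHDRAWN)   # subject later withdraws newsletter consent
```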
What kind of rights can an individual exercise?
Right to be informed
Various types of information must be provided to data subjects: they range from how to contact the data controller, to the purposes of the processing and proof of its lawfulness, the period for which the personal data will be processed and stored, and the possibility of withdrawing consent and lodging a complaint with a supervisory authority. The data subject should also be fully aware of their rights and able to exercise them; to this end, they can ask for clarification and exercise their right to assistance. Appropriate measures should be taken to provide such in-depth information in a transparent way, free of charge and in a timely manner. Derogations apply where the data subject already has the information, where providing it proves impossible or would involve disproportionate effort, or where obtaining or disclosing the personal data is expressly laid down in law. Additionally, data subjects must be informed if their data has been leaked, disclosed to unauthorized recipients, made temporarily unavailable or altered. This right consists of receiving proper notification of a data breach that happened either accidentally or unlawfully and poses a risk to individual rights and freedoms.
Right of access
The data subject must be able to exercise their right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed.
Where that is the case, the data subject has the right of access to their personal data, to receive a copy of the personal data undergoing processing free of charge and in an accessible format, and to be provided with the information to which they are entitled.
Right to data portability
This is the data subject's right to receive the personal data concerning them in a structured, commonly used and machine-readable format (so as to obtain an intelligible overview of their information) and to transmit those data to another controller without hindrance from the controller to which the personal data were provided. In exercising their right to data portability, the data subject can also request to have the personal data transmitted directly from one controller to another, where technically feasible.
Right to rectification
If individuals believe that their personal data is incorrect, incomplete or inaccurate, they can exercise the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning them.
Right to restriction of processing
This is the right to obtain from the controller the restriction of processing where:
- the data subject has objected to processing or in the event that the accuracy of the personal data or the lawfulness of processing is contested by the data subject;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
Where processing has been restricted, such personal data may only be processed with the data subject's consent, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
Right to erasure ("right to be forgotten")
The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay.
The personal data must also be erased without a prior request where:
- they are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed.
There are exceptions: erasure of an individual's personal data cannot be requested to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defense of legal claims.
Right not to be profiled
Profiling takes place when personal aspects (characteristics such as age, sex, height) are evaluated in order to make predictions or classify a person in a category, even if no decision is taken (this often happens for actions like online recruiting or credit ratings). Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing for such marketing, which includes profiling to the extent that it is related to such direct marketing. This right must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
Right to object to automated individual decision-making
Decision-making based solely on automated means happens when decisions are taken about a person by technological means and without any human involvement, even without involving profiling.
Data subjects have the right not to be subject to a decision based solely on automated means if the decision produces legal effects concerning them, affecting their rights, or similarly significantly affects them by influencing their circumstances, behavior or choices. This type of decision-making may exceptionally take place if it is allowed by law and suitable safeguards are provided, if it is necessary for entering into or performing a contract, or if explicit consent has been given.
Union or Member State law may restrict the scope of the obligations and rights provided for in the GDPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national or public security, defence and important economic or financial interests, or to prevent, detect or prosecute criminal offences or to enforce civil law claims. Any legislative restrictive measure should contain specific provisions as to the purposes of the processing, the categories of personal data, the scope of the restrictions introduced, the risks to the rights and freedoms of data subjects and their right to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
The exercise of data subjects' rights must be facilitated and their effectiveness must be ensured.
When a data subject exercises one of their rights, the data controller cannot refuse to act on the request and must provide information on actions taken on the request to the data subject without undue delay and in any event within one month of receipt of the request. If the controller does not take action on the request of the data subject, the controller must inform them without delay of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
What is meant by "data protection by design and default"?
Data protection by design and data protection by default are two new principles introduced in the GDPR.
At Penneo, we have heartily embedded them in our operational systems, embraced GDPR and today our starting point for everything we do is to acknowledge our responsibility to protect our customers' privacy.
Data protection by design requires that any action a company undertakes that involves processing personal data be carried out with data protection and privacy in mind at every step. During internal projects, product development, software development and IT systems implementation, the controller must integrate the necessary safeguards into the processing in order to meet the GDPR requirements and protect the rights of data subjects. To do so, it is necessary to put in place appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization. Applying this principle minimizes privacy risks and increases trust by placing data protection at the forefront of developing new goods or services, making it possible to address data protection issues at an early stage and helping to raise awareness about data protection across all departments and levels of a company.
Data protection by default aims to ensure that companies always make the most privacy-friendly setting the default setting. While the first principle concerns preliminary stages of product or service development, this second criterion is applied once a product or service has been released to the public. The strictest privacy settings should apply by default, without any manual input from the end user: for example, if two privacy settings are possible and one of the settings prevents personal data from being accessed by others, this should be used as the default setting. Moreover, the controller must implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
What are the GDPR penalties?
In order to strengthen the enforcement of its rules, the GDPR imposes stiff, dissuasive penalties that make non-compliance a costly mistake for the organizations subject to it. The fines are flexible and proportionate to the infringement and apply to all types and sizes of businesses, from micro or small companies to multinational enterprises.
Businesses that fail to comply with their obligations can incur administrative fines of up to 10,000,000 euros or up to 2% of the company's total worldwide annual turnover, whichever is higher. For more severe violations, the fines can reach 20,000,000 euros or up to 4% of the company's global annual turnover, whichever is higher. This higher tier applies to infringements that touch the very core of the right to privacy and of the GDPR, such as the basic principles for processing, the conditions for consent, the data subjects' rights, and non-compliance with an order by the supervisory authority.
Under the GDPR, fines are administered by the data protection regulator in each EU country, which determines whether an infringement has occurred and the severity of the penalty. Before deciding to impose a fine, the regulator may issue warnings or reprimands, or suspend data processing. After these preliminary measures have been taken, ten criteria are used to determine whether a fine will be assessed and in what amount:
- the nature, gravity and duration of the infringement,
- whether it was intentional or the result of negligence,
- whether any actions have been taken to mitigate the damage,
- the amount of technical and organizational preparation the firm had previously implemented to be in compliance with the GDPR,
- any relevant previous infringements,
- the degree of cooperation with the supervisory authority to discover and remedy the infringement,
- what categories of personal data the infringement affects,
- whether the firm proactively reported the infringement to the supervisory authority,
- whether the firm followed approved codes of conduct or was previously certified,
- any other aggravating or mitigating factor applicable to the circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.