GDPR is fundamentally a new framework for processing personal data. We have previously looked in detail at the lawful grounds for processing data (including consent). But as well as having a lawful basis, the processing must also be carried out properly and securely.
The Regulation sets out a number of principles governing the collection and use of personal data, following the overall philosophy of “data protection by design and by default”. The main principles (in Article 5 unless otherwise stated) are as follows:
GDPR sets out (at Article 13) a number of pieces of information which must be provided to data subjects when their personal data is collected. Note that this applies even if you will not be relying on their consent. The information provided must include:
You do not need to provide information which the data subject already has. Where you intend to process the data for purposes other than those for which it was originally collected, you must update data subjects with the new purposes, and restate the information listed above.
Clearly, it will be possible to set out most of the above in a standard privacy notice, although some of it will vary with the circumstances of collection. The information must be given in a manner which is clear, concise, intelligible and easily accessible.
Similar requirements apply if you obtain personal data other than directly from data subjects (under Article 14). In this case, you must usually contact data subjects to provide the above information, as well as:
You must do so within a reasonable period, and in any case by the earliest of (i) your first communication with them, (ii) any further transfer to another party or (iii) a month after receipt of the data.
There are exceptions where the data subject already has the information, where providing the information would be impossible or involve disproportionate effort, and where EU or national law otherwise permits.
You should collect and keep only the data necessary for the specified purposes of the processing. You will need to think through each piece of data you collect and consider how it contributes to your goals.
There is an overlap between this and the lawful grounds, most of which only justify processing which is necessary (to the performance of a contract, for your legitimate interests etc.). However, this requirement makes clear that even if you have consent to processing, you will still need to think about whether each piece of data collected is necessary for the stated purposes.
You need not be certain that every piece of data will in fact be used, but you should be able to show that there is at least a reasonable chance that it will be necessary. For example, you may only need to collect phone numbers in order to contact clients if there is an issue with their order or account. Although you will not actually use the vast majority of the numbers you collect, it is still likely to be considered necessary data.
Personal data which you collect and use should be kept accurate and up to date. This means that you need to take all reasonable steps to correct or delete any inaccurate data.
As we saw above, there is an obligation to inform data subjects of their right to have their data rectified. However, this principle will in some cases go further, requiring a proactive approach to correcting your data. In any case, you should make it easy for them to update their data, and you should process any updates speedily.
The nature of “reasonable steps” will depend on the nature of the processing. If it takes place some time after the data was initially collected, then the risk of inaccuracy increases, and it may be proper to check with data subjects that the information is still correct. This is especially true if the processing will have a significant impact on their freedoms, rights and responsibilities.
The meaning of “reasonable steps” has not been clearly defined, so it would be wise to pay attention to court rulings, legal advice and commentary as the term is scoped in the coming months.
As another example, say that you are an online vendor, and a client with an existing account makes a purchase. It would probably count as a reasonable step (and would certainly be good practice) to remind the client of the delivery address and payment details you have on record and give them an opportunity to amend them before purchase, to avoid problems completing the order.
As a complement to the principle of keeping no more data than needed, you should also keep data for no longer than necessary for the specified processing purposes.
Again, this will depend on the nature of the processing and your relationship with the data subjects. If they are ongoing clients, then there is unlikely to be an issue with keeping their relevant details. Do consider whether you actually need to keep, for example, previous addresses and contact details, as they are unlikely to be needed anymore.
Key Point: One way to show compliance with this requirement (in appropriate situations) would be to implement a deletion policy for lapsed clients or users. After a set length of time without contact (which will depend on the nature of your relationship and your organization), you could email them to ask if they would like to stay on your records. If you do not get a positive response within a reasonable time, you would then delete their personal data.
There will of course be other legal requirements governing the need to keep certain types of data, for example financial data for tax purposes. These will feed into how long you need to keep the data for GDPR purposes.
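As an added illustration (not code from this article), the lapsed-client deletion policy described in the Key Point above, with the competing legal retention requirement from the last paragraph folded in as a hold that blocks deletion. The one-year inactivity period, the 30-day reply window and the sample records are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy parameters: the article leaves both to the organization.
INACTIVITY = timedelta(days=365)   # time without contact before we ask
REPLY_WINDOW = timedelta(days=30)  # "reasonable time" to answer the reminder

@dataclass
class Record:
    subject_id: str
    last_contact: datetime                       # last interaction with the data subject
    reminder_sent: Optional[datetime] = None     # when we asked whether to stay on record
    legal_hold_until: Optional[datetime] = None  # e.g. tax-law retention for financial data

def retention_action(rec: Record, now: datetime) -> str:
    """One of 'keep', 'remind', 'wait', 'delete' or 'legal_hold' for a single record."""
    if rec.legal_hold_until is not None and now < rec.legal_hold_until:
        return "legal_hold"   # another legal duty overrides the GDPR deletion clock
    if now - rec.last_contact < INACTIVITY:
        return "keep"         # still an active relationship
    if rec.reminder_sent is None:
        return "remind"       # lapsed: email and ask whether to keep their data
    if now - rec.reminder_sent < REPLY_WINDOW:
        return "wait"         # reminder sent, reply window still open
    return "delete"           # no positive response in time: erase the personal data

def record_positive_reply(rec: Record, now: datetime) -> Record:
    """A 'yes, keep my data' reply counts as contact and resets the reminder state."""
    rec.last_contact, rec.reminder_sent = now, None
    return rec

def run_policy(records, now: datetime) -> dict:
    """Group subject ids by the action the policy requires at time `now`."""
    plan = {"keep": [], "remind": [], "wait": [], "delete": [], "legal_hold": []}
    for rec in records:
        plan[retention_action(rec, now)].append(rec.subject_id)
    return plan

# Constructed sample records, evaluated at a fixed point in time.
NOW = datetime(2024, 1, 1)
SAMPLE = [
    Record("active-user", datetime(2023, 12, 1)),
    Record("lapsed-no-reminder", datetime(2022, 6, 1)),
    Record("lapsed-recent-reminder", datetime(2022, 6, 1), reminder_sent=datetime(2023, 12, 20)),
    Record("lapsed-no-reply", datetime(2022, 6, 1), reminder_sent=datetime(2023, 11, 1)),
    Record("lapsed-tax-records", datetime(2022, 6, 1), datetime(2023, 11, 1), datetime(2028, 1, 1)),
]
```

Running `run_policy(SAMPLE, NOW)` yields one subject per bucket; the record under a tax-law hold is never deleted while the hold lasts, whatever the reminder state.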
There is an exception to this requirement for archiving in the public interest, for historical or scientific research or statistical purposes. Note that if the data is stripped of identifying information, leaving only non-identifying (e.g. aggregate demographic) data, this is no longer a concern.
It is a core requirement of GDPR that you must keep all personal data secure. This includes protecting it against unauthorized and unlawful processing and accidental loss, using “appropriate technical and organizational measures”.
What is appropriate will depend on the nature, scope, context and purposes of processing, as well as the costs of implementation and what is in fact possible. Particular thought should be given to the risks should a breach occur. Article 32 spells out a number of possible steps which could be taken to keep data secure:
In terms of unauthorized processing, you should consider not just illegal access from outside of your organization, but also rogue employees and agents who may steal, sell or tamper with data to which they have access. To keep these risks to a minimum, you should look to restrict access to personal data to individuals who actually need it, rather than keeping it in a shared space available to all. It may also be wise to put in place measures to record access to and use of data even for authorized individuals.
Underlying all of the above is the principle (in Article 25) of “data protection by design and by default”. This means that data controllers should design their processes with data protection in mind from the beginning (rather than attempting to bolt it on afterwards).
In practice, this means going through and rewriting your processes (or creating them if they do not yet exist) with principles like data security, data accuracy and data minimization firmly in mind. It also means making sure that these apply by default, rather than requiring specific action in each case.
Finally, a recurring theme throughout GDPR is the importance of keeping records (Article 30). Organizations must generally keep records of the processing activities for which they are responsible, the categories of data subjects involved and the measures taken to demonstrate compliance with the above principles (as well as the other principles discussed in this series). You will need written policies explaining how you implement these principles, and what to do if things go wrong.
Technically, the general obligation to keep records does not apply to organizations which employ fewer than 250 people, unless the processing (i) is more than occasional, (ii) is likely to involve a risk to the rights and freedoms of data subjects or (iii) involves special categories of data or data about criminal offenses and convictions (see our article on lawful grounds for processing).
However, the Regulation’s other obligations affect everyone, the burden of proof will always be on you to demonstrate compliance, and documentation will often be the only way to do so. Therefore, rather than leaving it and trying to deal with data protection issues only when they become a problem, it is well worth taking the time to get your policies and records in place first, before GDPR takes effect on 25 May 2018.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.