Questions About the GDPR That You Were Too Shy to Ask

The General Data Protection Regulation (GDPR) will affect organisations in countries around the world, not just those in Europe. The GDPR regulates how personal data is stored, moved, handled, and destroyed. Not following the regulation will lead to dire consequences for your organisation. As a data professional or developer, you may have many questions and might be wondering how it will affect the way you will do your job. William Brewer answers common questions about the GDPR that you were too shy to ask.

  1. Why the GDPR?
  2. Does the GDPR apply to organisations outside the European Union?
  3. What teeth will this legislation have?
  4. Can we just get users to agree to the usual multi-page legalese gobbledegook to cover ourselves?
  5. What is ‘personal data’?
  6. What are data processors and data controllers?
  7. What rights does the GDPR give to the individual?
  8. What new obligations will there be on IT organisations?
  9. What should the Data People in any organisation do about this?
  10. Does the GDPR affect the way we do development work?
  11. What are Data Protection Officers (DPAs) and who will need them?
  12. Is the GDPR all bad?
  13. Don’t you think that all this extra work for organisations is unfair?

Why the GDPR?

The problem that had to be fixed was that current European privacy legislation, based on Directive 95/46/EC, had been so ambiguously drafted that it has been difficult for ordinary people to understand, and has it has proved to be extraordinarily difficult to prosecute people or organisations for even the most flagrant breaches of privacy. The IT industry has also proved to be insufficiently willing or able to provide effective policing of the individual’s rights to privacy. It was because of this that the GDPR was drawn up and adopted by the EU member nations. It has involved an immense effort to provide a framework of legislation for EU citizens on privacy that is in tune with what is achievable by IT and that is generally politically acceptable. It sets out the privacy requirements that govern how personal data should be managed and protected. It aims to simplify compliance by ironing out the differences in the IT privacy laws of trading nations. The GDPR is a European initiative that was adopted into law by EU members in 24 May 2016. It will affect all countries wishing to trade with the EU. It is likely to form the basis of IT privacy law in most trading nations. It is called a ‘regulation’ because it has already been adopted and is a binding legislative act that must be applied in its entirety across the EU, including the UK

Does the GDPR apply to organisations outside the European Union?

The GDPR will apply to all companies processing, holding or controlling the personal data of anyone living in the EU, regardless of where the company is based, or where the processing takes place. The GDPR will apply to any organisation offering goods or services to EU citizens whether paid-for or not. It applies to every organisation that monitors the behaviour of a resident of the EU; the full range of data from Facebook or Amazon recording every click to a Mobile Phone that sends location data. Businesses that aren’t based in the EU will have to appoint a representative in the EU.

What teeth will this legislation have?

Organizations, whether they be controllers or processors of data, who fail to comply with the GDPR regulations can be fined up to €20 Million but large corporates will receive larger fines, up to 4% of annual global turnover. This does not just apply to data breaches. A company can, for example, be fined 2% for not having their records in order or failing to notify the supervising authority and data subject about a breach. They can even be fined for failing to conduct an impact assessment.

The threat of being banned entirely from trading with the nations that have adopted the GDPR into national law is probably the most likely reason for any organisation to comply with the GDPR.

Can we just get users to agree to the usual multi-page legalese gobbledegook to cover ourselves?

No. Organisations will no longer be able to use interminable and periphrastic terms and conditions full of obscure legal terms. Instead, the request for consent must be given in a understandable, brief and easily accessible form, that gives the explicit reasons as to why the data is being held and processed, using clear and plain language. It must be as easy for the user of a system to withdraw consent as it is to give it.​ Parental consent will be required in order to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

What is ‘personal data’?

There are several types of data that are considered personal if the person associated with the data can be identified, either directly or indirectly. It can be anything from a name, identification number, a photo, email address, online user identifier, social media posts, physical, physiological, or genetic information, medical information, location, bank details, ip address, cookies or cultural identity. The definition of ‘personal data’ has been increased over previous legislation to include technical metrics of an individual such as biometric and genetic data.

What are data processors and data controllers?

They are generally organisations that handle or process data. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

What rights does the GDPR give to the individual?

It is more precise to say that it aims to maintain their existing rights. It includes the right to access the personal data that is held about them, to obtain a copy of their data, to correct inaccuracies, to request that data is erased, to object to their data being processed, and to request that data be transferred to another service provider. The individual has the right to expect that personal data is protected no matter where it is sent, processed, or stored. Note that some of these rights have to be balanced against other obligations that the data controllers may have: they cannot destroy evidence that is required for prosecution, for example.

The right to access the personal data that is held about them

Individual users can require the data controller to inform them whether or not personal data concerning them is being processed, where and for what purpose. If the controller organisation is asked by individual users for a copy of the personal data held about them, they must send it free of charge in an electronic format.

The right to request that data is erased, to object to their data being processed

Individuals on whom data is held can withdraw their consent to it being used, and require the data controller to erase their personal data, to cease further dissemination of the data, and even to have third parties halt processing of the data. They can do this on the grounds that the data is no longer relevant to the original purposes for processing. The controller must delete the data unless there is a greater “public interest in the availability of the data” such as evidence for legal action.

The right to request that data be transferred to another service provider

For people who use a service-provider, there is a new right to oblige the previous service provider to transmit that data to the new service provider in a ‘commonly use and machine readable format’.

What new obligations will there be on IT organisations?

Organisations that hold personal data first need to be very clear where, why and how these records are stored, and what happens to them. All this will need to be documented because in the future the organisation will need be able to prove that consent was given, to show where the data is going, what it’s being used for, and how it’s being protected.

Although this may seem trivial, the management of this process will take a lot of planning, and monitoring. The process itself will take a significant amount of time. This is why all national governments who are most directly involved are urging that data controllers should begin this process as soon as possible

The processor or controller of data must ‘implement appropriate technical and organizational measures’ to ensure data protection by design and default, security of processing, good detection and notification of breaches, logging and monitoring of operations, and comprehensive documentation of the risks and all the measures taken to mitigate them. The organization is obliged to ensure that its entire IT environment complies with each of these principles and establishes appropriate measures.

“Data protection by design and default” (GDPR Article 25):

This means strictly controlling who has access to data and how. It requires that those who need to access or process that data should operate with just sufficient access rights to perform their professional duties. Only the minimum necessary data should be collected and stored, and there should be an explicit reason for all data retained, the extent of processing, the storage period, and who can access it. Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. This implies a considerable re-engineering of existing database systems.

“Records of processing activities” (GDPR Article 30)

Log and monitor operations. This will involve maintaining an audit record of processing activities on personal data and monitoring access to processing systems.

“Security of processing” (GDPR Article 32)

Data that is required for research and reporting should be pseudonymized as far as possible to prevent individual data from being identified. All personal data, even that which is pseudonymized, should be encrypted, preferably both in transit and at rest. The systems must maintain confidentiality, integrity, availability and resilience. The systems that hold personal data need to be designed to be highly available and secure. The security must be regularly tested

“Notification of a personal data breach to the supervisory authority” (GDPR Article 33)

Any data breaches must be quickly detected and notified within three days. The impact of data breaches of personal data records should be predicted and all possible measures to address any breaches should be documented as procedures.

“Data protection impact assessment” (GDPR Article 35)

All risks and security measures for processing must be documented alongside the processing operations that involve personal data, including an explanation as to why they are necessary and proportional. The measures taken to address risks and protect personal data, and demonstrate compliance with the GDPR must be documented as well.

What should the Data People in any organisation do about this?

Discover

This boils down to the task of finding out where in your organisation personal data is being held, who in the organisation is responsible for holding, storing or moving that data, and why they are holding it Which servers and/or databases contain personal data? Which columns or rows of what tables contain personal data? Who has access to that data in the database system? How vulnerable is that database system to attack from within or outside the organisation. Where does the data go when it leaves the database?

Manage

This requires a properly-designed and implemented access-control system that govern how personal data is used and accessed. It must be possible to say at any one time who has access rights to the data and why. It must be possible to detect and record whoever accesses the data (no shared logins). The access control system must take care to allow individual logins to access only the data that is necessary for them (the principle of least privilege), and to prevent access to any other data. The access control system should be able to record unusual patterns of access that suggest an intrusion. The access control system should be centrally managed within the organisation wherever possible.

Protect

The Database administrator must ensure that the opportunities for attack are minimised and that the data is encrypted. Where data is exported to be used for downstream reporting and analysis, the data must be pseudonymized to the point where it becomes futile to try to identify individual data. Where data close to production data must be used for testing database systems, the masking process must ensure that the original data is actually destroyed rather than flagged for deletion. It must no longer be present in the logs or in the data pages. The data must not be retained in the auditing or logging systems.

Report

The governance and operations activity within IT must keep required documentation that describes its data protection policy and keeps it under continuous review. It must manage data requests, implement intrusion detection, and secure the network, servers and physical premises. There must be documented procedures for every type of untoward event such as a data breach, data misuse within the organisation, or data loss. Anyone holding or processing personal data bust be able to provide clear reports to meet the “Data protection impact assessment” requirement of the GDPR (GDPR Article 35). These must record all activities related to personal data for its own end users, and to serve as evidence of compliance

Does the GDPR affect the way we do development work?

Privacy by design has now become a requirement of the GDPR. Privacy by design includes data protection from the onset of the designing of systems, rather than as an afterthought. More specifically, ‘The controller shall implement appropriate technical and organisational measures in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing

What are Data Protection Officers (DPAs) and who will need them?

These Data Protection Officers (DPAs) are experts on data privacy who will either be a member of staff of an organisation or who will provide their expertise as a service. They will be responsible for overseeing both the data protection strategy and its implementation to ensure compliance with GDPR requirements: they will report directly to senior management. Although they may only need to work in this role part-time, they cannot undertake any other concurrent role that would be a conflict of interest. The appointment of a DPO will only be mandatory if the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.

Is the GDPR all bad?

Not at all. It makes for a much simpler and consistent legislation of privacy. It makes it much clearer what the rights of the individual are. It helps any trading organisation that has to use personal data, because it ‘harmonises’ the legislation internationally. There is also a real opportunity for organisations to gain a reputation for the way that they respect the privacy of individuals. The GDPR was strongly influenced by the work of privacy experts who had studied in detail the reasons for data breaches and abuses in the past, and who had identified good practices that underlie responsible stewardship of data. It provides a clear guideline for any country wanting to create legislation that can protect the privacy of its citizens.

It is only bad news if you belong to an organisation that abuses the privacy rights of individual users, or is irresponsible in the way that it holds the information, because it makes it much easier to prosecute this sort of organisation, and increases the penalties that will damage both their public reputation and bank balance.

Don’t you think that all this extra work for organisations is unfair?

No. It has been unfair of organisations to take a chance on the privacy of their customers by skimping on the necessary measures to protect it. Most of the major data breaches in the past have been due to failings in some of the most basic measures, such as forgetting to apply patches, installing databases without any access control, or leaving parts of the domain entirely unprotected. Major injustices have been suffered by individuals who have had incorrect, misleading or malicious information held about them. IT crime has increased enormously, and has been greatly worsened by the amount of data on individuals that has come into the possession of criminals. There has been intolerable behaviour by some organisations that have misused personal data to increase their revenues by analysing and sharing their details.

Although the GDPR reads rather scarily, most of it merely defines existing good practice in protecting the privacy of the individual, and much of it is merely a reminder of the standards that good corporate and government systems have maintained over several decades. However, the increasing sophistication of criminals stealing data in what has been termed ‘the war against the Cyber-criminals’ means that IT organisations must inevitably spend more of their resources on protecting their data. This is a consequence of the times we live in rather than the GDPR. We very much need a shared understanding of the requirements of privacy and the GDPR will help greatly with this. A lot of organisations will have to do a great deal of work to meet these standards, but they would still be in default of good practice were there no GDPR.