GDPR: Everything you never wanted to know (but probably should anyway)

There seems to be a flurry of activity and mild panic surrounding the imminent implementation of GDPR, so we thought we would do some research in an attempt to separate the reality from the hype and hyperbole.

You are advised that these are the comments of a layman, so read, digest and act only at your own risk.

What is GDPR?

The General Data Protection Regulation is EU Regulation 2016/679. It will be applicable as of May 25th, 2018 in all EU member states and is intended to harmonise data privacy laws across Europe. (See its objectives set out in Article 1.)

Can I read it?

Yes. If you are in business in or with Europe, then it probably applies to you, so you should read it. It’s not that long (99 Articles) and much less confusing (and scary) than most of the commentary written about it. You can find it in full here.

What’s it for?

It is to protect the rights of natural persons (‘Data Subjects’) in the EU in respect of the use and processing of their ‘Personal Data’.

Personal Data includes any data relating to a person, i.e. their name, address, images of them, email address, credit history, telephone number, etc. See the official definitions in Article 4.

Who does it apply to?

It applies to any business based in the EU (Article 2), and to any business based outside the EU if it processes the Personal Data of natural persons resident in the EU (Article 3).

How does it work?

Like the existing Isle of Man and UK data protection law, it’s based on a set of underlying Principles (Chapter 2 – Article 5).

These are the meat of the whole thing, so this is the key part to understand:

Principle 1 – Data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. (Lawfulness, Fairness and Transparency)

Principle 2 – Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. (Purpose Limitation)

Principle 3 – Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. (Data Minimisation)

Principle 4 – Data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. (Accuracy)

Principle 5 – Data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. (Storage Limitation)

Principle 6 – Data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. (Integrity and Confidentiality)

Article 6 is also key, as it sets out the conditions under which holding / processing personal data is lawful. At least one of the following must apply:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Note that ‘consent’ is not always required, as holding / processing of data is also allowed in other circumstances. For example: (b) where it is done in performance of a contract, (c) where required by law, or (d) in the data subject’s or a third party’s vital interests.

These are important conditions, as they can frequently be relied upon by companies like ourselves acting in the normal course of business for our clients.

Where data is processed on the basis of the subject’s consent, Article 7 requires that consent must be express, can be revoked, and must be capable of being demonstrated.

The remaining Articles (8 – 99) effectively deal with the implementation of the Principles. Most importantly, they provide Data Subjects with specific rights and place specific obligations on data processors and controllers:

Chapter 3 (Articles 12-23) sets out the rights of the Data Subjects. These include the following:

Right of access by the Data Subject (Article 15)
Right to rectification by the Data Subject (Article 16)
Right of Erasure – the right to be forgotten (Article 17)
Right to Object to automated decision making (Article 21)

Chapter 4 (Articles 24-43) details the obligations placed on Controllers and Processors. These are many, but the highlights are noted below:

General responsibility of a Processor (Articles 24-31)
Responsibility for Security of Processing (Article 32)
Obligation of Communication of Data Breach to Data Subject (Article 34)
Obligation to appoint a Data Protection Officer (Articles 37-39)

The remaining parts of the Regulation are comparatively uninteresting and deal with the following:

Transfers of Data to 3rd Countries (Chapter 5 – Articles 44-50)
National Supervisory Authorities (Chapter 6 – Articles 51-59)
Cooperation and Assistance between Authorities (Chapter 7 – Articles 60-76)
Remedies and Penalties (Chapter 8 – see Article 83). Yes, the horror stories are correct: the fines for non-compliance are up to EUR 20m or 4% of turnover.
Finally, Chapters 9, 10 and 11 (Articles 84-99) largely deal with administrative and technical implementation matters.

So that’s a whistle-stop tour of the Regulation. Clearly, and we think quite correctly, it places heavy responsibilities on data processors and controllers, but overall they seem proportionate and sensible.

We think that, like most things, understanding them is the first step to complying with them.

GDPR specialists – Please help us by pointing out any errors or inaccuracies in this article; we will make corrections / clarifications accordingly.

©2018 Middleton Katz Chartered Secretaries LLC is licensed by the Isle of Man Financial Services Authority
