GDPR compliance: EU General Data Protection Regulation (GDPR) guide

The EU GDPR (General Data Protection Regulation) concerns all organizations processing personal data of EU data subjects, regardless of where processing happens. What you need to know about the GDPR, the journey towards GDPR compliance and ways to demonstrate GDPR compliance.
The GDPR replaces Data Protection Directive 95/46/EC and aims to harmonize data privacy laws across Europe, to protect and enforce data privacy of all EU data subjects and to provide a consisent personal data protection framework to strengthen the digital market in the EU.

Welcome to 2018. In a few months, on May 25th, the EU’s General Data Protection Regulation (GDPR) takes effect. The new regulation, technically known as EU 2016/679, replaces the Data Protection Directive, which already goes back to 1995.

Even if since then there have been additional rules on specific aspects of personal data usage and privacy, the GDPR is a major change with a vast set of rules and vast consequences in many areas. To attain GDPR compliance, various steps need to be taken and mechanisms need to be put in place, starting from GDPR awareness and including several GDPR business strategy and information management aspects, as well as other personal data precautions which encompass various duties, processes, people and disciplines such as cybersecurity.

GDPR General Data Protection Regulation EU Guide

In this guide to the EU GDPR and GDPR compliance, which also serves as a multi-disciplinary GDPR resources hub, you find information and links regarding the General Data Protection Regulation, its impact and the steps to take in order to attain and demonstrate GDPR compliance.

Even if you are not compliant in time, which will be the case for many organizations, both data controllers (those who decide on the purpose and way of processing personal data in any given processing activity) and data processors (those who conduct actual processing activities), it is key to continue working towards higher compliance and demonstration of it after the GDPR compliance deadline. This goes for organizations that are or think they are compliant as well. Data protection challenges evolve, jurisprudence evolves and so do the rules concerning compliance and new technologies and risks which pose challenges in a rapidly changing world.

Overview of the topics in this GDPR hub

We’ve split up this overview into different sections. This enables you to jump to a section that applies to you, rather than having to read it all.

!!! Note: at the bottom of this GDPR page is a list of all 99 GDPR Articles from the final GDPR text of which several are used across this guide. You can simply click on the number and name of the GDPR Article or use the search form which will return all GDPR Articles that contain your keyword in the title and text of the relevant articles.

Table of Contents

The why of this EU GDPR guide

We kick off with the ‘why’ of this guide. The General Data Protection Regulation or GDPR stretches much further than its predecessor and, as mentioned, also affects organizations from outside the EU.

The GDPR affects many organizations, functions and processes

There are ample reasons why you don’t just need to be aware about GDPR but also must set a course of action to be ready and adhere to the GDPR data protection rules.

Do not make the mistake of thinking that GDPR compliance is easy or that it is only about security or technical measures.

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality (GDPR)

The GDPR affects organizations in many ways, beyond data security and policies. Moreover, you need help or at the very least a clear plan of action, including training, revisiting your data flows and processing mechanisms, privacy practices, the way you leverage third-party data and far more.

If you use or plan to use specific technologies, such as the IoT , you also need to look at additional aspects, including the technologies themselves, which in practice seems to be a challenge as covered in our article on the IoT, GDPR and regulation and, with regards to new technologies in general whether you need a DPIA (Data Protection Impact Assessment), which is one of many ways to demonstrate GDPR compliance or not.

The GDPR foresees clear roles regarding roles and responsibilities within organizations to be able to respond to the requests of EU citizens in exercising one of their many data subject rights or the requests of controlling and monitoring instances, which can range from supervisory authorities to monitoring bodies in the scope of codes of conduct.

A big part of becoming GDPR compliant and being able to demonstrate GDPR compliance relates to the mechanisms and procedures you have in place to respond to such requests. Other factors play a key role as well of course. GDPR compliance also means having legal grounds for personal data processing, of which consent is one, transparency and the duty to provide clear information another one and meeting the safeguards and key principles regarding personal data processing a third one. The GDPR also has several explicit mechanisms and ways to demonstrate GDPR compliance. It’s a long list indeed so let’s start with some essential GDPR aspects.

The GDPR - European data protection for the digital era - some GDPR elements in a nutshell - source and copyright Council of the European Union
The GDPR – European data protection for the digital era – some GDPR elements in a nutshell – source and copyright Council of the European Union

The EU GDPR is not just about fines: it’s about growth and a thriving digital economy

One reason that is often mentioned as a critical one to make sure your organization is GDPR compliant concerns the high fines in case of serious breaches (for which there is a reporting duty with specific rules and in specific conditions) and other issues regarding personal data: up to 4 percent of annual turnover or €20 Million, whereby the highest of both is applied.

Yet, fines are not the purpose of the General Data Protection Regulation.

The GDPR is conceived as a framework for the protection of personal data in a digital transformation economy where data is a business asset, the new currency, the oil and innovation accelerator; and personal data is leveraged throughout connected ecosystems to achieve benefits thanks to a broader view of individuals in order to achieve better results across various disciplines.

In this economical, digital and societal context there are clear benefits for all organizations, yet there are also rules which need to be respected on the level of the individual without which a growing digital market is hindered by multiple challenges as we’ll see. In other words: as much as the GDPR might seem like a pain to many, it also is needed to make a digital and data-driven world easier and clearer. This offers benefits to organizations as well for several reasons we’ll tackle.

GDPR compliance is not a choice – where the action comes in

There are ample resources on the General Data Protection Regulation or GDPR on the Web. In this guide we’ve gathered several ones for your convenience across various “chapters”.

Looking at the state of GDPR readiness as of end February 2017, little over a year before the GDPR becomes enforceable, we found there was a clear gap. 10 months later, in December 2017, there was still a major GDPR compliance disconnect. And as we’ve entered 2018 the same issues still exist although companies are speeding things up.

Data from several organizations and companies regarding GDPR awareness and preparedness in the UK, the US and, most certainly, the EU, showed there was still a lot to be done. Moreover, we constantly hear from information management experts or security professionals how unready many organizations de facto are. Not acting is not an option, hence this page.

EU General Data Protection Regulation - summary of some key GDPR changes - attention - read the details
EU General Data Protection Regulation – summary of some key GDPR changes – attention – read the details in the Regulation and get advice

Key GDPR definitions, terms, rights and stipulations

To become GDPR compliant you don’t just need some tools. You need a thorough analysis, plan, detailed checklist and so forth, covering all aspects and processes involved. The first stage in any such strategy, checklist or compliance plan is awareness.

Although this is more about awareness and know-how of all stakeholders in the organization (including training your staff), we also need to understand some key terms, concepts, rights and duties in the GDPR. You probably have already most of this and there are far more exhaustive and detailed guides which you can see in the list below this overview.

The processing of personal data: the broad GDPR definition of processing

The GDPR is about the processing of personal data of EU citizens, called ‘data subjects’ in the regulation.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data (GDPR)

Processing covers a vast reality of actions and includes storage, dissemination, changes and management of personal data. Personal data also covers a broad reality of criteria, definitions, exceptions, personal data identifiers, pseudonymized data and more as we’ll see. Moreover, and this tends to be overlooked, it goes for the processing of personal data, whether the processing occurs with automated means or not. In other words: manually dealling with personal data (carriers) is included too.

In the second part of Article 4 (‘Definitions’) of Chapter 1 of the final GDPR text , the GDPR defines processing as follows:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

If you start thinking about who processes data of individuals, you start seeing the tip of the iceberg. The definition of processing is crystal clear and that indicates how the GDPR involves ALL activities regarding personal data. This also includes capturing, scanning and processing the personal data which hard copy documents contain and even the simple fact of “having” personal data (or we wouldn’t store or process them) or “having access to them”.

The GDPR definition and scope of the data subject and personal data

The EU GDPR definition of personal data leaves little room for interpretation too. In Article 4, the text states:

‘personal data’ means any  information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural
person; 

The GDPR definition is clear: if you deal with personal data of a data subject, the general rule is that the GDPR applies. However, there is a lot hiding under this seemingly simple definition as we’ll see.

On the other hand, there are several exceptions regarding personal data in areas such as public health and scientific research, so it’s important to understand the impact of the GDPR for your industry. This is again an argument to prepare in time and understand how it impacts your individual organization and activities.

Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person(GDPR)

The EU GDPR does not cover anonymous data. However, it does cover so-called pseudonymized personal data because the pseudonymization, an often used ‘tactic’ in, among others security and analytics, can be reversed and, as opposed to anonymous data can be traced back to an identifiable natural person, the data subject. However, pseudonymization, along with encryption, is one of the methods the GDPR recommends as “an appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

Pseudonymization techniques and the EU GDPR
In its Recital 28 the GDPR emphasizes how the application of pseudonymization techniques to personal data can reduce data protection related risks, even if the fact that pseudonymization is present in EU data protection law for the first time with the General Data Protection Regulation this doesn’t mean it precludes other data protection measures.

 

Research indicates that quite some companies de facto use techniques to de-identify data as a way of reducing risk exposure.

Note that, in general, the more data are combined, the harder de-identification becomes and the higher the risks become. If special categories of data (“sensitive data”) are involved, additional risks and measures are the consequence.

GDPR and pseudonymization

 

Understanding the principles of data protection and information regarding identified and identifiable persons

Recital 26 of the GDPR is key for the understanding of the principles of data protection and stipulates that GDPR applies to any information regarding an identified or identifiable person.

It gives an essential overview of what kind of information regarding an identified or identifiable natural person the General Data Protection Regulation applies to. It also provides an overview of how it should be determined when a data subject or natural person becomes identifiable, states that pseudonymized data also fall under the GDPR and that anonymous information doesn’t. All these topics are further established in depth in more Recitals and Articles in the GDPR.

Online identifiers, genetic data and personal health data

In the GDPR the definition of personal data has been broadened (important for both consent and protection).

It includes identifiers such as genetic data and all data pertaining to a data subject’s health status. Also data for scientific research are included but only to a certain extent.

Genetic data include results from DNA analysis, health status data include data on treatments, medical history, diseases and far more – as the graphic below shows. Identifiers are data elements that could make a natural person identifiable and there are plenty of those. Some are more general, others are ‘sensitive’. It’s important to understand all these identifiers and how a natural person can become a data subject (the various ways in which he/she becomes identifiable). To give you an idea: one of the types of identifiers in the graphic below, namely online identifiers, consists of numerous sorts and forms, from an IP address and cookie to an RFID tag.

GDPR - data subject personal data and identifiers

Recital 30 of the General Data Protection Regulation introduces online identifiers such as IP addresses, cookies, RFID tags and others, without being exhaustive. However, further in the text the GDPR zooms in on them.

The key thing to remember is that online identifiers such as the mentioned ones are considered as personal data because in combination with unique identifiers they can lead to the identification of a data subject and because such online identifiers, again in combination with other identifiers can and de facto are used for profiling, which is explicitly mentioned in the GDPR.

We see that many people do not know this and often even see surveys that indicate that professionals in various sectors do not consider other identifiers, such as even email addresses or photos as identifiers under the scope of GDPR. It is essential to understand they are (and in which context they are).

Genetic data are clearly considered as personal data as you can read in Recital 34. Moreover, genetic data are considered sensitive data and deserve special protection. The same goes for personal health data, which include information derived from genetic data but goes much further as is explained in Recital 35 of the GDPR that sums up various forms of healthcare-related personal data which fall under the GDPR (and for which there are special protection rules).

We recommend you to learn all about personal data, data subjects, identification, identifiers, pseudonymization and so on via the button below.

Data subject, personal data, identifiers and pseudonymous information

The expanded territorial scope of the GDPR

A major change of the GDPR, compared with the existing Directive, is its so-called extra-territorial applicability, the technical term for the mentioned fact that the GDPR doesn’t just affect EU companies.

The GDPR concerns all companies which process personal data of citizens (‘data subjects’) who reside in the EU, regardless of where these companies (the ‘data processors’ and ‘data controllers’) are located.

When the processing of personal data of EU data subjects is done by a controller or processor that is not present in the EU, the GDPR applies in activities related to offering goods or services to EU citizens (free and paying services) and behavior monitoring of EU data subjects.

Moreover, a non-EU company which processes the data of EU citizens needs to appoint a representative in the EU.

Relevant links and texts regarding this territorial scope include:

  • GDPR Recital 22 which says that any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU should be carried out in accordance with the General Data Protection Regulation, whether the processing happens within the EU or not.
  • Recital 23 of the GDPR text which essentially stipulates that the processing of personal data of data subjects in the EU with regards to the offering of goods and services (with or without payment) by organizations outside of the EU is subject to the GDPR.
  • Recital 24, which says that the GDPR applies to organizations that are not in the EU but monitor behavior of data subjects in the EU.
  • Recital 25, which covers the territorial application of the GDPR in the scope of public international law, with for instance diplomatic missions outside of the EU, where EU rules apply, falling under GDPR.
  • Article 3 (‘Territorial Scope’) of the General Data Protection Regulation which summarizes it all and specifically tackles that territorial scope of the GDPR.

GDPR Territorial scope- subjects controllers and processors - when GDPR applies

GDPR and the duties of controllers and processors

The GDPR hasn’t changed the definition of controllers and processors that much in comparison with its predecessor. What has changed though is the impact with regards to processors (and the flows of reporting and obligations in the overall picture of various players with on top of the controllers themselves also the role of the supervisory authorities and the European Data Protection Board which replaces the Article 29 Working Party as mentioned further in this GDPR compliance guide).

In the infographic on the territorial scope of the GDPR we already mentioned the definitions of the data controller and the data processor.

  • The data controller is any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Let’s say it’s the main organization.
  • The data processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. So, depending on the type of personal data processing activity, it’s really everyone that takes care about specific processing tasks as an outsourcing partner for any possible business function involving personal data as processing is so broadly defined as mentioned elsewhere.
GDPR and the data controller

 

Data controller versus data processor under GDPR - place of the processor
Data controller versus data processor under GDPR – place of the processor and controller

We dedicated a special page to the role of the data processor as data processor obligations are numerous under the GDPR and there is a de facto shared liability in case of infringements or personal data breaches.

Processors must follow the exact same principles of personal data processing as controllers do. On top of that, processors, among others,

  • Must keep a record of all processing activities they have done for a controller (audit trail) and of all controllers they conduct data processing activities for,
  • Must have a contract or legal basis that clearly describes what they do for the data controller, for how long, for which reasons, which types of data and categories of data subjects and more,
  • Must assist controllers in many obligations such as secure data processing, the notification duty in case of a personal data breach (with a personal data breach notification duty from processor to controller), the potential need for a data protection impact assessment or prior consultation,
  • Must inform the data controller when using or considering to use the services of other data processors with the additional obligation to have a clear mandate for the described personal data processing activities.

In other words: the GDPR is highly impactful for data processors and thus all sorts of outsourcing companies in areas such as marketing, data services, human resources, logistics, you name it.

The list of processor obligations above is far from complete. They must work in secure and compliant ways themselves, they must operate in far more transparent ways with the data controller than before, the data controller in turn must be far more attentive to the degree of compliance of processors he works with, there must be a clear data processing agreement and processors are liable in more (direct) ways than before.

GDPR and the data processor

 

GDPR compliance and consent: consent definition, importance and rules

The GDPR is stricter with regards to consent than its predecessor. Consent remains one of several legal bases for the lawful processing of personal data. However, when it is chosen as the legal ground it adds upon the general data subject rights which we cover further in this GDPR compliance guide and whereby attaining GDPR compliance means being able to meet the requests of data subject rights when they want to exercise such a right.

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement (GDPR)

With consent as a legal ground, additional rules apply and the degree of control of the data subject over his/her personal data is greater, while the duties of controllers and processors increase and additional, specific consent-related rights join general data subject rights such as the right to withdraw consent. In practice this is difficult and needs a consent management possibility. So, at all times it is key to see what is the best legal basis as consent is certainly not a holy grail nor a walk in the park. However, in several cases it will be the most appropriate legal ground or perhaps the only (valid) one for specific personal data processing activities.

Under the GDPR, when consent is chosen as the lawful processing basis in any data processing activity, consent needs to be proven by the data controller. Consent also needs to be freely given, specific, informed, unambiguous and given by a statement or clear affirmative action. All these elements are crucial.

By choosing an action-based consent approach GDPR compliance doesn’t just mean a harder duty to prove consent when it’s chose, it also means that the way in which consent is gained needs to be really based on a data subject’s clear action instead of being gained through pre-ticked boxes, inactivity, silence and several other grounds which might make it harder for the data subject to freely consent. The other mentioned elements regarding consent are obviously related with this notion of active consent whereby freely given, specific, informed and unambiguous de facto are intertwined.

Freely given consent GDPR - imbalance of power detriment bundled consent conditionality granularity
Consent is only considered freely given when very specific rules are followed and conditions which make the consent not freely given are absent

If consent for a data processing activity is bundled with other terms and conditions to use services or with contracts, without the consent for the specific data processing activity being separated from these terms then consent is deemed not freely given as consent needs to be given for each single activity (granularity).

Moreover, data controllers must use clear and simple language about the purpose of the processing activity for which consent is sought and consent needs to imply a real affirmative and free choice whereby there are several notions which make freely given consent invalid.

An example of this: when consent is given in a context where there is a clear imbalance of power between data controller and data subject, consent will not be considered as being freely given.

There are also limits on the use of some forms of data processing whereby explicit consent is needed, an even stricter form of consent that strictly speaking only applies in some conditions.

As said, consent regarding the processing of personal data needs to be crystal clear and in plain language.

In practice this means gone with the legalese and easily distinguishable and accessible ways of describing for what consent is given and how it is given by the data subject. That same level of easy must apply to the withdrawal of consent. Moreover, personal data can’t be shared with other parties, without consent.

Consent and consequences/duties regarding consent in detail

GDPR Recitals and Articles determine how consent should be given, when it applies and when not, what the duties of organizations are regarding consent, how the data subject can withdraw consent and far more.

It all starts in Recital 30 of the GDPR where it is clearly mentioned that consent regarding the data subject’s agreement to the processing of his/her personal data must happen by a ‘clear affirmative act’, as just mentioned. It must not just be clear and affirmative, it must also be a freely given, specific, informed and unambiguous indication of that agreement.

All this has even more consequences.

  • Freely given means that in no way there has been compulsion, pressure or inability to exercise free will. Freely given consent also means that consent, when used as a legal basis for lawful processing of personal data, can be freely (and easily) withdrawn at any given time by the data subject with no negative consequences or detriment whatsoever.
  • Informed means that the data subject does know what he/she is agreeing to, which is a duty of anyone asking consent.
  • Clear means that organizations can’t hide the agreeing to personal data processing, as well as the purpose of it and the rights of the data subject, in legalese or ambiguous ways.
  • Specific means that consent is given for the specific purpose and in the specific scope of the reasons why consent is asked, how personal data will be used and so forth.
  • An affirmative act is what we mentioned previously regarding the dimension of activity from the data subject’s side whereby, among others, pre-ticked boxes are a ‘no go’.

In other words: it stretches far and really puts the informed data subject at the center. Recital 32 clearly means end of pre-ticked boxes in consent as these do not mean consent. Clarity and transparency is key. Transparency is further tackled in the scope of the rights of the data subject in Chapter 3 of the GDPR text (mainly Section 1).

There are many Recitals and Articles covering consent so do check the rules for your specific situation. By way of an example: Recital 33 of the GDPR looks at consent and personal data in the scope of scientific research.

In, among others, Chapter 2 of the GDPR text (Articles 5-11) the topic of consent is tackled in more details, including the conditions for consent, consent and children below the age of 16, the right to withdraw consent and more.

GDPR and consent

 

The difference between explicit consent and specific/unambiguous

There are often misunderstandings with regards to the meaning of explicit consent. Explicit consent is not mentioned in the definition of consent as it is stated above.

A two stage verification method is recommended as a good option in the case of explicit consent.

However, the term explicit consent comes back a few times in the GDPR, among others in Article 9 about special data categories, GDPR Article 22 on automated decision-making and profiling and in GDPR Article 49 on derogations in international data transfers.

In December 2017 GDPR consent guidelines from the Article 29 Data Protection Working Party, explicit consent is one of several consent-related topics which are mentioned.

Explicit consent is needed in specific circumstances where there are serious risks to personal data protection and an even higher level of individual control over personal data is considered appropriate.

In other words: explicit consent is not the same as specific consent nor any of the other terms used in the GDPR’s consent definition. The mentioned guidelines elaborate further on mechanisms to obtain explicit consent and in which cases you need it as you can read in our article.

Explicit consent

 

GDPR compliance and the legal bases for lawfully processing personal data

Consent is just one, albeit the most often mentioned, legal basis for lawful processing. This in no way means that consent is more important in the eyes of the GDPR, even if the rules are stricter.

We keep saying it: having the most appropriate legal basis for personal data processing activities is what matters. On top of consent, the other legal grounds for lawful processing of personal data are depicted below. They are contractual necessity, legal obligations, vital interests, public interest and legitimate interests.

GDPR lawfulness processing personal data - 6 legal grounds for processing GDPR Article 6
The six main legal grounds for lawful processing

A quick look at each of them except consent which we just covered. Moreover, for consent, explicit consent, the legal grounds for lawful processing and so forth there are more articles we point to in this GDPR compliance guide.

Contractual necessity

Contractual necessity, as the name implies, is indeed a legal ground for lawful processing where the performance or steps to take in order to enter in a contract require the processing of specific personal data.

It’s clear that in several types of contracts it’s pretty hard to have one in place if you don’t know with whom you have a contract. Gaining the essential data to make the contract happen is a form of processing and as these data are personal data, the GDPR applies.

This isn’t new and existed in the predecessor of the GDPR so it won’t affect existing contracts too much. However, do make sure that the personal data you ask in order to enter in a contract are needed for the contract (don’t go beyond the strictly needed data in the scope of the contract), check all data processing activities you conduct in the scope of contracts, check for examples of contracts in specific business functions (e.g. HR) or industries, get help in case of doubt and make sure you don’t mix several purposes and legal bases in one contract if one of them is consent. Do also check out the GDPR Articles and the GDPR Recitals for specific industries, business activities, data processing activities and stipulations regarding contracts.

Legal obligations

Legal obligations, also as the name implies, means that in order to fulfil their legal duties data controllers simply have to process certain personal data.

This already existed as a legal ground, just like legal obligations. However, the GDPR limits legal obligations to those in the scope of laws of the EU or EU Member States.

While this isn’t new and you should already have this in place, once more check for compliance with the GDPR, list the various data processing activities in the scope of legal obligations, see when it plays as a legal ground and do look for your industry. Moreover, the limitation to the laws of the EU and its Member States does come with consequences.

Vital interests

Vital interests in essence is when you need to acquire some personal data in order to help a natural person and don’t have time to even think about rules and regulations.

In other words: essentially matters of life or death or of potential disasters for people when you don’t act as in immediately. Examples could be when you need urgent information from people who have just been in an accident and in the process of trying to help them that information is simply vital. Moreover, in cases where it’s really a matter of life or death and literally of vital interests, some of these data can serve public interest. Really do think disasters here.

Public interest

Public interest is mainly a legal basis in the context of the tasks and duties of public authorities and the duties controllers have in the public interest or towards public authorities and the public interest. 

Public interest isn’t new either so to most it will already be known and it does exist in non-EU data privacy laws as well. Scientific research and public health are some of the activities that come in the picture here.

Legitimate interests

Legitimate interests is one of the most mentioned alternative for consent in several circumstances. It isn’t new in the GDPR but you need to be very careful when considering to do so as there are exceptions and tiny little details that are easy to overlook.

An example of a legitimate interest is when there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. Legitimate interests are often used as alternatives for consent in the scope of marketing where there is also the question whether the GDPR means that you need to reconsent; meaning: ask customers to consent again. In general you don’t if you already worked according to the rules of the predecessor of the GDPR. The devil, however, is in the details: this only goes if what you did before was in line with the GDPR. So, check twice.

Other examples of legitimate interests such as network and information security reasons, and more on each of these legal grounds via the button below.

Legal grounds for lawful processing

 

Processing personal data: principles of transparency, lawfulness, fairness and more

On top of the legal grounds to lawfully process data there are the general principles of transparency, fairness and lawfulness in personal data processing.

So, do check out Article 5 and Recital 39 of the General Data Protection Regulation as it covers the essence of transparency, lawfulness and fairness in the processing of personal data under the GDPR and several consequences for organizations processing these data.

The Recital and Article go more into detail with regards to transparency (e.g. why the personal data will be processed, the obligation to make it easy to find and understand for the data subject, the obligation to use clear and plain language) but also looks at the essential rules regarding the limitation in time of personal data store and fundamental obligations to ensure that data subjects can exercise the several rights they have under the GDPR (principles of transparency, purpose limitation, storage limitation etc.).

Personal data processing principles under the GDPR - principles relating to the processing of personal data GDPR Article 5

Consent of the data subject and in several cases other legal grounds are the basis of the lawful processing of personal data under the GDPR and, as a general rule (with the usual exceptions) it is up to the organization (or the controller) to be able to demonstrate that the data subject did give consent for the processing of his/her personal data or that there is another basis for lawful processing. It is also up to the controller to make sure that compliance with the several data processing principles occurs and is demonstrated. (the principle of accountability).

More about the principles of personal data processing (so, not the legal grounds for processing but the principles of actual processing which are mentioned in GDPR Article 5 too; lawfulness, fairness, transparency, fairness, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability) via the button below.

GDPR personal data processing principles

 

Personal data breach notification duty

The GDPR has clear rules on when and how to report personal data breaches that pose a risk to data subjects. GDPR compliance means being able to meet that duty.

The breach notification duty implies several things. First it means that personal data breaches need to be communicated to the so-called supervisory authority. This personal data breach notification should happen within undue delay and not later than 72 hours after the controller is aware of it, if feasible.

If it takes the controller longer than 72 hours to submit a personal data breach notification, the notification needs to be accompanied by an explanation of the reasons for the delay.

If the personal data breach is unlikely to result in a risk to the various rights and freedoms (which are interpreted broader than those in the GDPR alone), all this doesn’t apply.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (GDPR Article 4, Definitions)

In case of a personal data breach with the likely risks for the data subject the processor obviously also needs to notify the controller. However, that must happen without undue delay after becoming aware of the personal data breach. This is explained in GDPR Article 33 where there are also rules about what the personal data breach notification at the least should contain.

On top of the duty of the processor to notify the controller and the controller to notify the supervisory authority when the personal data breach is likely to lead to a high risk to the data subject’s rights and freedoms, the controller must also communicate the personal data breach to the data subject, here again without undue delay.

The essential rules regarding this communication of a personal data breach to the data subject and the cases in which it isn’t required are in GDPR Article 34.

GDPR Article 4, which contains the GDPR definitions, defines what a personal data breach means as you can read in the quote.

Personal data breach notification

 

The special protection of personal data of children

The specific protection of children in the scope of their personal data is established in Recital 38 of the General Data Protection Regulation.

Here, the role of the parent and general rules regarding personal data protection of children are mentioned, mainly in the scope of marketing, profiling and gathering personal data of children for services which target them.

The precise details are further established in the text. In Article 8 (Chapter 2 of the GDPR text) the age of 16 years is introduced although EU Member States can foresee laws for lower ages in specific conditions whereby that lower age can never be below the age of 13 years.

The special protection of children is so essential in the scope of the GDPR that it should absolutely rank high on your GDPR compliance list.

GDPR compliance and the Data Protection Officer

Data controllers and processors need to appoint a Data Protection Officer in certain conditions.

This is a pretty specific matter so we decided to dedicate a separate page to the circumstances in which you need a Data Protection Officer or DPO, what are his/her responsibilities, duties, skills and so forth.

It also contains links to all the GDPR Articles and stipulations which are essential in appointing and empowering a data protection officers as well as his/her tasks and the rules to avoid he/she cannot be influenced or withheld from doing what a DPO must do properly. And that means obligations for organizations that process personal data too with, among others the duty to give the data protection officer access to personal data and far more.

GDPR compliance - when do you need a data protection officer and what are the duties tasks and skillsets of the DPO
GDPR compliance – when do you need a data protection officer and what are the duties tasks and skillsets of the DPO
Data Protection Officer

Data subject rights and GDPR compliance

The GDPR takes over several data subject rights from its predecessor, the Data Protection Directive. However, on top of expanding and tightening the rules regarding some data subject rights, the General Data Protection Regulation also introduces new data subject rights. We tackle several of them in depth across our site. Below are some.

It’s clear that GDPR compliance means that you have done everything what you could to enable data subjects to exercise these data subject rights. And that’s not even enough. GDPR compliance also means that you have properly informed data subjects in a transparent and clear way about those rights.

Data subject rights

 

Data subject rights: the right of access and to information

The right to access is also a right of information, transparency and also of (withdrawal) of consent.

Data subjects can ask the data controller whether personal data concerning them are processed or not, why, where and how this is done, and get an electronic copy.

Data subject rights: the right to be forgotten or data erasure

Data subjects can ask data controllers to erase their personal data. Moreover, if a clear consent exists to disseminate the data and/or third parties process the data, this consent can be withdrawn. However, there are conditions that apply.

A closer look at the right to data erasure or right to be forgotten. Data subjects have the right to ask erasure of personal data regarding him or her in specific conditions.

The grounds on which that right to be forgotten can be invoked (and whereby the controller must erase the data without undue delay and also report on it) are:

  • The fact that the personal data are no longer needed in relationship to the purpose for which they were gathered or processed,
  • The withdrawal of consent in case consent is chosen as the basis for lawful processing (or explicit consent in the case of special categories of data) with the additional stipulation that there is no other legal ground for processing besides consent,
  • The data subject objects to the processing (with the right to object being another data subject right) as is stipulated in the first paragraph of GDPR Article 21 with the general rules on that right to object or where the personal data are processed for direct marketing (including profiling in the scope of direct marketing),
  • The personal data which are asked to be erased have been processed in an unlawful way to begin with,
  • There is a legal obligation the controller is subject to and that requires the erasure in order to be compliant with that legal obligation,
  • The personal data concern children and have been collected to offer information society services directly to a child as is mentioned in paragraph 1 of Article 8 of the GDPR.
When the right to erasure can be invoked
When the right to erasure can be invoked

Additionally, if the personal data which are asked to erase have been made public one way or the other by the controller (e.g. putting personal data on the Internet where others can consult them), the controller must try to make sure that links to that data, copies and replications are removed too.

However, this is not absolute: it must take into account the technology that exists to do so and the cost of implementing it and the efforts of the controller must be ‘reasonable steps, including technical measures’.

Exceptions to the right to be forgotten or right to erasure include following reasons for which processing (in proportion) is needed:

  • The exercise of the right of freedom of expression and information,
  • Processing activities to meet a legal obligation,
  • Reasons in the scope of public health,
  • Purposes of archiving in the public interest, purposes of scientific or historical research, and statistical purposes,
  • The establishment, exercise or defence of legal claims.

The full text – with links – regarding the right to erasure or right to be forgotten in GDPR Article 17.

Right to erasure

 

Data subject rights: the right to data portability

The right to data portability is a new concept that comes with the GDPR. In a nutshell: data subjects have a right to receive personal data about them (as mentioned) under specific conditions but on top of that also have a right to transmit it to another data controller; this only goes when data processing is done using automated means.

The right to data portability gives the data subject a right to receive personal data concerning him or her in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another organization. It’s a data subject right for digital data and the digital age.

  • It is the duty of the controller to make this possible so the data subject can transmit his personal data to another controller.
  • It is also the duty of the controller to make this possible without any hindrance.
  • If it is technically possible, a data subject should also be able to directly transmit those data from controller A to controller B. In other words: without the need of the controller to intervene but, again, only when technically feasible.

The right to data portability implies that:

  • either the processing happens because the data subject has given consent (and thus consent is used as a basis or lawful processing) or, if it concerns special categories of personal data, the data subject has given explicit consent;
  • either the processing is needed for the performance of a contract where the data subject is a party (a second basis for lawful processing);
  • the processing is done using automated means (so, digital and electronic).
Right to data portability

 

We already mentioned other key aspects such as the higher fines (penalties) and the adoption of the privacy by design principle.

Other key elements and/or changes in the GDPR

The list above is far from exhaustive. In the resources, infographics and other material in this article you find plenty more changes and elements.

In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default (GDPR)

These, among others, include:

  • Privacy by design and data protection by default are two key principles which have an impact on many areas as we’ll see. As an example, privacy by design plays on the level of records management.
  • The so-called one-stop shop which means that international organizations de facto have to work with one supervisory data protection authority.
  • Flexibility regarding specific articles. As opposed to popular belief, there are several areas where national regulators can interpret and/or elaborate on stipulations in the GDPR. This is among others the case in the context of sensitive data.
  • International data transfer principles are part of the GDPR.
  • Organizations need be able to demonstrate that adequate technical and organizational measures have been taken. Certifications such as ISO 27001 can help in demonstrating this.
  • Lawful processing: as said, consent is put forward in the GDPR; however there are more elements that matter in the broader context of lawful processing.
  • Specific measures to decrease risk, with encryption being the main one, are ‘promoted’ by the GDPR. As said, also rendering data pseudonymous is a way to decrease risk.
  • New rules regarding DPIA’s: there are several cases in which a Data Protection Impact Assessment is mandatory, again with a focus on ‘new technologies’.

GDPR compliance strategies and GDPR checklists

Optimization, (restoring) trust, a more holistic approach and turning security and information better into the enablers of digital transformation are just a few benefits that smart organizations can achieve with frameworks such as the GDPR (you’ll find more below).

On the other hand, there is the hard work that is needed in order to become GDPR compliant. As said, strategic approaches, looking at all aspects of the business, are key.

Various organizations, often in a collaboration with others which have subject matter expertise in one or more specifc areas of the practical implications of the GDPR have come up with such strategic approaches. As a matter of fact, this is also part of the whole GDPR reality. The GDPR foresees Data Protection Impact Assessments.

They all, more or less, have the same steps in common, and are part of any GDPR compliance checklist or data protection and risk detection checklist you will find, such as the one below.

GDPR data protection and risk detection checklist infographic by Trustmarque - source large image and more information
GDPR data protection and risk detection checklist infographic by Trustmarque

GDPR compliance step 1: EU GDPR awareness

Obviously organizations need to be aware of the GDPR and its implications. That’s part of what we do in this overview and, as mentioned, there are quite some organizations that lack awareness and/or won’t be ready.

However, in the strategic approach to GDPR compliance, awareness means something else (too): your staff, management, IT team, security people, information managers and so forth also need to be aware of what the GDPR in practice means for them. This is typically done in workshops and trainings to move from being aware to acting aware, from understanding to acting accordingly.

Data protection requires an ongoing effort, evaluation, monitoring and controlling.

Note that it’s important to have people that are responsible for creating this awareness and that education will be a recurring theme as new people join the company. The GDPR also foresees several roles.

The GDPR also shouldn’t be seen as a single big effort to be ‘ready’ by May 25th, 2018 of course. Data protection, in the scope of the GDPR and beyond, requires an ongoing effort, evaluation, monitoring and controlling. Moreover, it’s not as if tomorrow you won’t be leveraging new technologies with, again, new questions.

Finally, awareness also means fully understanding the GDPR and its impact, otherwise it’s hard to see where the gaps are between where you stand now and where you need to be of course.

GDPR awareness

 

GDPR compliance step 2: GDPR assessment/audit: discovery and gap analysis

These gaps bring us to a second part in all strategic approaches: there is a stage of assessment/audit with discovery and gap analysis. In order to get somewhere you need to know where you stand today, it’s a universal given.

And to assess where you stand today – and thus also look at the gaps – this stage is one of discovery and mapping pretty much anything that is relevant in the scope of the GDPR.

So, you need to gain insights in your current practices on various levels such as audit capabilities/methods, where data sits (data discovery), which processes are involved, how you process data, how your privacy and security practices function, who is responsible and accountable today, what kinds of systems, networks and databases come into the equation and so on.

When conducting a risk assessment, look at the risks for individuals’ rights and privacy.

In practice, assessment/audit and awareness, as you can imagine overlap somewhat. Seeing what you do can lead to awareness regarding aspects you might have overlooked and vice versa.

In practice, an assessment and discovery stage also needs to lead to an analysis of the gaps. As said, this obviously also means that you already know the GDPR and its full impact as a sort of benchmark that guides you in assessing in a prioritized way with the gaps in mind.

An audit further includes a gathering and analysis of all current document policies in the organization as they exist now: from security and business continuity policies to acceptable use and privacy policies.

Some additional GDPR audit tips:

  • Audit to map risk. It is adviced to take all elements of risk and classify them from a prioritization perspective. When conducting a risk assessment, don’t (just) think about your organization’s risks. The GDPR wants you to look at the risks for individuals’ rights and privacy.
  • Assess all frameworks, organizational aspects, strategies and security/data/incident/reporting management practices.
  • Focus on people: it’s not just about the risks in current practices, processes, systems and frameworks, it’s also about organizational culture towards personal data protection and skillsets.
  • Get the documents. Make sure you have access to all other data and documents which contain information on your latest security assessments and incidents and so on.
  • Listen. As we all know there is often a world of difference between documented policies and real-life practice. This inevitably means that you need to talk with people about how they work in practice, regardless of any documents and policies.

GDPR compliance step 3: Planning/strategy – preparing the GDPR actions to be taken

Once you know where the gaps are it’s time to get really strategic and planning what needs to be done to close the gaps and taking all the other measures which you’ve identified.

The goal of a plan is to execute it and requires a full picture of the gaps, various involved areas and roles and responsibilities.

As the GDPR touches upon so many areas you will essentially need to plan in an integrated and holistic way too. Planning and, next, acting in a holistic way is one of those benefits you can achieve as you go to a GDPR compliance exercise. After all, digital transformation, security, information management, marketing, customer service and so forth need a holistic view to succeed as well. And we do still live in a reality with many silos.

In practice, you’ll plan across several functional and practical areas, however. These include:

  • Information management and governance
  • Security (and ICT as security needs to be guaranteed everywhere)
  • Human resources
  • Legal
  • Marketing, management of online presences and advertising (note that the GDPR will be complemented by a new EU ePrivacy Regulation).
  • Customer service and contact center
  • Etc.

You will also have to look at the ecosystem of your business, with among others third-party data partners and business process outsources (BPOs) and thus at SLAs too (vendor management).

In the planning stage (and also in the audit stage) you’ll have to look at, among others:

  • The practical aspects of moving to a ‘privacy by design’ organization.
  • “New” information governance plans.
  • Implementation plans regarding information management, security and privacy initiatives.
  • Plans regarding access policies, role management and the security controls which need to be put in place.
  • Plans to solve the potential vulnerabilities you detected in the assessment/audit stage.
  • Policy plans for the mobile workforce and action plans to tackle shadow IT.
  • Plans regarding audits and roles and responsibilities (e.g. the Data Protection Officer).
  • Plans regarding the roll-out of technologies that help improve security and privacy.
  • The plans regarding information audits, data retention, Master Data Management (MDM), device management (mobile phones of workers,…), etc…
  • Very specific plans in the many very specific aspects of security and technology: GDPR and cloud, GDPR and IoT, the list goes on.

GDPR compliance step 4: Taking action: doing what you’ve planned

Have a plan? Time to get practical, roll it out and deploy across all the areas you’ve identified and planned for.

As promised below we dive a bit deeper into two areas with links to additional resources which tackle various implications and actions to take in these areas.

However, as mentioned the various components need to be seen in a holistic way. As said earlier, many see the GDPR as an accelerator of the integration of security, privacy, information governance, compliance and more. And that is indeed a benefit.

GDPR compliance -step 5: Managing/evaluating and improving/adapting

Once the plans are rolled out, the work is not done. In fact, if we forget the EU GDPR as such and look at the integrated approach regarding security, privacy, information governance etc., you’ll notice that we’re actually looking at a cycle.

So, on top of managing what we’ve done, evaluating our efforts with clear KPIs there will always be a need to improve and adapt.

There are several reasons for this:

  • New employees will enter the organization.
  • New technologies will be deployed and touch upon personal data: whether it’s the cloud, Big Data or the Internet of Things, you’ll need to evolve.
  • Continuous improvement and adaptation is simply a given, certainly in a changing digital ecosystem and a changing legal and geopolitical context.
Microsoft recommends to begin the journey to GDPR compliance with 5 steps - source Microsoft GDPR page on Microsoft Trust Center
Microsoft recommends to begin the journey to GDPR compliance with 5 steps – read more

The GDPR and enterprise information and content management

Information systems, data quality monitoring, information governance processes, business processes and so forth need to be conceived or redesigned with the privacy by design requirements and, among others, the aspects of consent and control of the GDPR in mind.

Governance is one of the many aspects of the information management and data management puzzle. Compliance, nowadays the main driver of the cybersecurity evolutions, means information governance and information management.

But of course there are more information management aspects to the GDPR. As mentioned all fields are converging and, in fact, with several topics we’ve mentioned in the cybersecurity part, we are already in governance and information/data management.

EU GDPR compliance from the information management perspective

Let’s also dive deeper into a benefit again here. We still live in a reality with siloed information sources and data-intensive processes, while integration is key to succeed in digital transformation from an information management perspective.

Moreover, many organizations have challenges to cope with the increase of unstructured data and how to make sense of it. Finally, in many business functions, you need a way to combine various formats and sources of data. Think about contact centers, for instance. Or insurance claims processes. While data lakes offered one solution in this regard, there are specific approaches for these various circumstances. For the contact center there are AI-enabled platforms that can deal with multichannel communications, for insurance claims processing there are case management solutions and so on. All these, by definition integrated, approaches, connecting information and communication silos and leveraging various forms of data, help you improve customer service, response times and simply business.

See the GDPR as a way to move in these better, integrated directions in case you haven’t yet. And then we haven’t even touched upon the benefits of revisiting your retention policies yet or the benefits of making sure that you have methods to make data easily searchable which doesn’t just make lives of your knowledge workers easier but isn’t a bad idea if an individual wants to gain access to his personal data.

Some elements from an information management perspective

  • Mapping and classifying data. Many organizations don’t have clear visibility into the types of data (personal and others) they process. Moreover, insufficient classification makes it hard to implement the necessary policies. Where does all the concerned data sit across the organization and what is needed to have a single view and a fast and efficient way in case of compliance controls and potential questions?
  • Mapping personal data and data flows. While knowing where data and, in the context of the GDPR, personal data sits is important overall, we obviously want to look at the various types of personal data. Some of that data is more sensitive. For example: it’s clear that financial data which can be abused when stolen with major consequences, is a bit more sensitive than some essential data for easy tasks. All personal data is created equal but some is more equal than others, to use George Orwell. Finally, also map the data flows whereby personal data is processed and document the various aspects of these flows: what, why, for whom (access!!!) and how long. With the GDPR people can ask which personal data are processed, where and how so documenting is crucial.
  • The ‘how long’ brings us to data retention and erasure. Personal data sits everywhere. A traditional big challenges revolves around all the unstructured data/information/communications organizations have been hoarding across various repositories. That hoarding comes with many disadvantages as such but in the GDPR context it’s key to look at retention and also erasure (remember elements such as the right to be forgotten, portability and the right of access). What (personal) data do you actively use today, what data do you have and don’t use but could/should use to improve your business and what is ROT (redundant, outdated, trivial information) and can go, thus further decreasing risks?

Move towards a holistic information governance approach, deal with fragmented data and increase visibility.

GDPR compliance and information management technologies and strategies

On the solutions level of GDPR and information management we, among others, note consent management platforms, records management solutions, security solutions and artificial intelligence to name a few.

The latter is particularly interesting from an automatic classification perspective and to simply know where Personally Identifiable Information sits at all times. It’s one of the most powerful ways to be close to GDPR compliance demands although security strategies and information management strategies need to be revised.

As is mentioned in our article on the General Data Protection Regulation as a business strategy and information management challenge, the GDPR’s privacy by design means that you de facto move from an ‘open unless’ to a ‘closed unless’ enterprise information management and enterprise content management approach.

Simply said: instead of having a security model on the level of information management (or having none at all) whereby in principle everything is open for the teams unless decided otherwise for specific folders or resources, you do the opposite: what needs to be closed from the GDPR’s perspective, what can be open and how do we make sure what is open and where it sits.

There is more (much more) and the list with resources on the GDPR and information management (and more) below can hopefully serve you.

 

GDPR compliance and cybersecurity

It is inevitable but also beneficial and about time: there are no more excuses to NOT increase cybersecurity maturity and go beyond outdated security approaches.

The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations (GDPR)

As said earlier, security cannot be an afterthought in an age where data is oil, personal data is whatever is worth far more than oil and digital transformation simply requires better security.

Without diving too deep in the details (for now) this means, among others:

  • Embrace security by design, just as the GDPR requires privacy by design. Security by design means security as an omnipresent given, from the very start of products (imagine how many consumer IoT manufacturers would need to change), processes and people’s activities.
  • Have a proactive and embedded security approach, including all aspects in the ubiquitous security perimeter reality (the perimeter is not gone, it is everywhere) in which all aspects matter (the edge, the network, cloud, the IT systems, data storage, databases, applications, you name it).
  • Take a holistic approach to cybersecurity, starting from awareness and employee education (part of your mobile perimeter at the edge) and going all the way through your systems, processes and close to where (personal) data is generated and processed.
  • Very possibly you will need to redesign your overall cybersecurity infrastructure with a focus on the just mentioned characteristics and in the GDPR context obviously on data flows and any process and risk factor where privacy and personal data can be involved (with breaches being a crucial, yet just one of several, dimensions).
  • Go for real-time security possibilities, among others regarding the enforcement of security policies in areas such as device management, access (to data), the activities of users and so forth. Encryption of personal data also is emphasized by the GDPR.
  • You need a unified view on what happens with data, data processes, Big Data environments (e.g. data lakes), regardless of form and structure, and single visibility for the Chief (Information) Security Officer, IT manager or whomever needs it across all operations, workloads and the IT infrastructure as such.
  • Conduct regular testing. On top of a proactive cybersecurity approach with predictive capabilities that won’t be possible for everyone, pro-activeness also means regular and where possible continuous testing. From ethical hackers to penetration testing and beyond. Do penetration testing, among others on the level of your web applications and web services, deploy a vulnerability scanner on individual devices and the full organization, go for vulnerability management and an integrated approach.
  • Look at mechanisms and solutions to prevent identity fraud (there are specific solutions in some countries, for instance to make sure that stolen identity cards or driver licenses can’t be abused).
  • Conduct social engineering testing. Phishing is still an important way of obtaining personal data. Workers need to be trained on these tactics, social engineering and security overall. Also test how susceptible employees are to social engineering, using one of many phishing simulators.

Last but not least: bad things happen and we shouldn’t forget the breach notification duty of course.

In practice, this means you need to set up the necessary monitoring, auditing and alerting mechanisms, to do so. This is also a cross-functional task and there are solutions for legal to deal with it. You need incident management processes and a clear view of who needs to do what and where in case of a breach. Testing if they work well is not a luxury.

Below is a list with resources on the GDPR and cybersecurity.

How the EU GDPR can benefit your organization: trust

On top of being the mentioned framework which is needed for growth in a digital economy which transgresses the borders of individual nations, there are several other ways how and reasons the General Data Protection Regulation benefits your organization if you do your GDPR compliance homework properly.

Some of these benefits have to do with optimization opportunities, others are societal and have reached a boiling point throughout 2016 and early 2017. We start with trust.

If data is the new oil, trust is the new oil well

We have reached a point in history where the technological possibilities and innovative capabilities, leveraging these new technologies, are about to explode.

The things we can do, as organizations, governments, individuals, marketers, manufacturers and so forth thanks to technologies in the space of Big Data, analytics, cloud, the Internet of Things, cognitive/AI, social and mobile, to name a few, already seem huge today.

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed (GDPR)

The truth, however, is that we haven’t seen a thing yet. Despite getting major attention, the Internet of Things, for instance, is still in its early days. The volumes and variety of data which we started to call Big Data, are just some small droplets in the ocean of data that will soon be generated in science alone. Despite looking at this grandiose digital universe of data which we believe we see today and which is the common denominator in all the mentioned technologies and the many others we didn’t mention, we indeed haven’t seen a thing yet.

The many smart people who are working in several of the mentioned fields today know that and, as far as the digital transformation of industries and many aspects of our lives are concerned, they know the potential. For some it is reason for great optimism, for others it’s scary and for those who care it’s a mix of both.

Yet, for all that new oil, there is a big challenge that is happening right now right here and that needs to be addressed: trust.

It’s not just the new oil well but if it gets broken, anything we do in a digital society with that new oil, called data, is failed to doom. Without trust and transparency regarding what we are doing, there will be an inevitable backlash and to continue the oil well image, we might see some oil fields on fire.

With apologies for the doom scenario: the benefits of digital innovations and of data, put at work, are tremendous but we must keep people and trust in mind, because it matters and because the human emotion and ability to stop evolutions or rapidly adopt an entirely shifted mindset beats all data, technological transformation/innovation and predictions, no matter how big the data.

GDPR and trust: the state of trust in the digital age

There all ample signs of a backlash against the way we use data today and, in a broader perspective, of distrust regarding the parties that gather and process data and the digital evolutions as such.

We’ve mentioned it several times before, among others in a context of the importance to restore trust by leveraging trustworthy content (marketing) for trustworthy and transparent communications: the Edelman 2017 Trust Barometer, which shows a declining level of trust in all areas.

Hyper awareness and growing sensitivity toward data exposure appear to have consumers on the verge of making serious changes in their behavior

Other research indicates that even younger generations are increasingly vigilant regarding the ways their data is used and consumers are on the verge of potentially disrupting the state of privacy.

The General Data Protection Regulation, as a framework, offers a possibility to restore trust in the digital economy and, at least as important, enables organizations to improve their current data and security practices, which is crucial anyway in these times of hyper-connectivity where data as said has become more than just a crucial business asset and smooth and transparent processes lead to a perception of trust, efficiency and good business practices. Obviously, improving current practices and processes with security, transparency, efficiency and people in mind, is also good for the bottom line and the effectiveness of the organization (in a digital economy) as such.

Better security and information management lead to higher digital transformation success probability

Research has clearly indicated that involving security from the very start in any digital business transformation project with a role for (new) technologies, leads to more and faster success.

Moreover, security by design, is simply beneficial (and a must) and security is a digital transformation enabler and accelerator. No matter the stage in which your digital transformation is or the aspects you transform (business processes, customer-centricity, the development of new capabilities, tapping into new business models and so forth), things have to run smoothly and in a reliable way, guaranteeing not just business continuity but also protecting those assets that drive the digital economy: data and people.

Moreover, just imagine how better security practices, by design, along with better privacy practices, as the GDPR requires by design as well, would advance various markets where the Internet of Things clearly has transformational potential and leads to tangible outcomes, today mainly in an industrial Internet of Things context. The same applies to other, related sets of technologies and, most importantly, how they are leveraged to reinvent business models or optimize existing processes, customer-facing operations and so forth.

On an information management level, which is also key for GDPR and is closely related with security from the data and governance perspective (among others), the various audits, plans and deployments regarding enhancements for the General Data Protection Regulation, de facto include data discovery, integration of silos, a need to look at what data you “have” and where it resides, smoother reporting and search possibilities, improved data mapping, retention policies and so much more.

It is an undeniable fact that one of the major hurdles in many digital transformation projects revolves around poor data and information management practices.

We’ve reported on this several times so see the General Data Protection Regulation as a way to do better here too.

Holistic (customer) optimization benefits of the EU GDPR

When you do a, by definition holistic, strategic exercise regarding all aspects of how you deal with personal data and thus also customer data, with the interest of the latter in mind you are forced to 1) identify the data (and in the process find unstructured data you haven’t leveraged and/or gain better insights) and 2) revisit the ways you process data.

If you take this exercise seriously with relevance, consent, privacy and the mentioned holistic approach in mind, it’s almost inevitable that you also detect numerous opportunities to optimize several customer-facing activities. Maybe your contact center will finally dispose of all the data required to better serve and service customers, maybe you’ll improve marketing efficiency as your staff will learn not to think about a name and email address on a list as nothing more that that.

We can go on for a while.

Challenges and issues regarding the GDPR

Probably we’ve tackled enough challenges already and in the lists with resources you’ll find plenty more. However, there are challenges, concerns and issues that need to be looked at.

It won’t come as a surprise that there are frequent calls from all kinds of industry organizations to clarify not just the sometimes somewhat vague terms in the GDPR (such as “disproportionate effort”) but also to look closer at some practical issues that arise.

We’re not naive and it’s clear that, while the General Data Protection Regulation offers benefits, it also comes with loads of uncertainties, practical challenges and for some industries more than for others with serious inconveniences to say the least.

Several industry associations look at these issues as they learn them from their members and experts and also lobby for flexibility or de facto changes.

While we can’t cover all challenges, issues and initiatives it’s good to look at the issues as they are raised a bit everywhere and see whether they apply to you as well. By way of an example we covered four General Data Protection Regulation issues as they were raised in March 2017 by a few marketing/advertising associations. Some can be of help for your business too.

GDPR concerns in marketing – and beyond

 

A list of GDPR resources and guides

For more (much more) explanations of all the legal and regulatory components of the General Data Protection Regulation and the used terminology, as well as the full text, check out the list with resources below.

Disclaimer: some resources might point to stipulations that have been amended. This guide is a source of information and can contain outdated information. Feel free to tell us.

More articles on the EU GDPR and GDPR compliance

GDPR fines, GDPR staff awareness, GDPR compliance, controllers and data subjects. Are you lost? Then also check out the following resources on the GDPR.

 

GDPR compliance: a strategic business and information management view

This article in fact combines two important aspects with regards to the GDPR, which we have briefly tackled before.

3 stages in an end-to-end strategic business information management GDPR compliance approach: 1) an awareness stage to empower your people and users, the weakest link in any ECM and security project; 2) an assessment and methodology stage to detect the risks and make a plan to solve them and 3) an implementation stage: rolling out, monitoring and improving.
  • On one hand it looks at the strategic business aspects of the General Data Protection Regulation and offers a no-nonsense approach of how to become as GDPR compliant as much as possible with a prioritization of what to do first and how to progress, showing that you did as much as you could to minimize personal data risks and thus also GDPR fines.
  • On the other hand it looks at GDPR compliance and the various strategic steps to take from mainly a personal data and information governance and information management perspective. Starting from the essential stage (and quick win) of General Data Protection Regulation awareness to risk analysis, effectively implementing privacy by design, enabling the right of erasure with retention schemes and records management and for really advanced GDPR compliance: automatic classification!
GDPR: strategic business and information management view

 

GDPR awareness and GDPR staff awareness

Given the fact that GDPR compliance really should start with GDPR awareness and GDPR staff awareness, this article dives deeper into the why and how.

Whether companies will successfully navigate the GDPR regulation hinges on their willingness to embrace privacy by design. They must also understand that good security and privacy processes can provide a substantial competitive advantage and be a driver in gaining consumer trust, in addition to being driven by regulatory requirements (Peter Gooch, cyber risk partner, Deloitte)

While GDPR awareness is low-hanging fruit and a quick win on the road of GDPR compliance it does require executive involvement and a clear focus on people and involving all employees as personal data protection is a matter of the whole organization. Unfortunately, as the article explains, the departments that are most often involved in GDPR compliance are IT, security and legal.

So, what is needed to have a culture that supports privacy by design and a cross-organizational GDPR awareness whereby the value of personal data is really understood? Knowing that consumers do expect personal data protection (and in case of breaches there are more consequences for your business reputation than fines) and knowing that a culture of personal data protection even must stretch beyond the organizational borders (because you have partners, suppliers and so forth who also need to be in order to avoid liability discussions and more), it’s an important read.

GDPR awareness and staff awareness

 

GDPR compliance failure starts with wrong perceptions

Many organizations are quite confident that they are GDPR compliant. Unfortunately, there are disconnects on various levels which lead to failure in complying with GDPR.

Under the GDPR, responsibility lies with multiple internal and external stakeholders. Many organizations are unclear about where ownership should fall. That ambiguity is hindering the processes that need to be put in place to be compliant (Proofpoint, December 5, 2017)

It starts from a lack of understanding (one disconnect) the General Data Protection Regulation and goes to a lack of executive buy-in as also found in this article on GDPR and cloud and a lack of having the essential data governance strategies in place.

Do not become one of many organizations where there is a disconnect regarding perceptions about how GDPR compliant you are and the reality of your General Data Protection Regulation compliance. Check out if you are indeed properly prepared instead of trusting on perceptions over facts.

GDPR compliance perception versus compliance reality

GDPR and personal data protection: everything about data subjects, personal data, sensitive data, personal data identifiers and more

The General Data Protection Regulation is about the protection of personal data of data subjects. That much is clear.

Examples of personal data processing include the storage of personal data, gathering and collecting personal data (regardless of means), aggregating, recording, exchanging, analyzing, publicizing, digitizing, enriching, structuring, changing, searching, leveraging, deleting, structuring, destroying, uploading and simply using/keeping personal data.

However, in practice we find that many people don’t know the meaning and importance under GDPR of personal data, the identifiers that the data subject even more identifiable and/or make personal data sensitive data, the importance and meaning of pseudonymisation, encryption, all the new identifiers and even what a data subject is under GDPR.

This article takes a really deep dive and makes all those terms and their role and meaning clear!

Data subject, personal data and identifiers

 

GDPR fines and penalties: guidelines

We talked about the GDPR fines previously. There are two groups of administrative fines in the GDPR: for one category there is a maximum of up to 20 million euros or 4 percent of annual worldwide turnover, for a second category it’s 10 million euros or 2 percent.

The practice of applying administrative fines consistently across the European Union is an evolving art. Actions should be taken by supervisory authorities working together to improve consistency on an ongoing basis (Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, October 2017)

For both groups the additional stipulation is that the highest of both will be applied. The GDPR text does has specific articles on the general rules with regards to both sets of fines. They can be found in Article 83 of Chapter 8 of the text.

However, many find it rather unclear. In October 2017 the so-called Article 29 Working Party came up with guidelines for supervisory authorities for the application of fines and penalties under the General Data Protection Regulation. You can find them in this article on GDPR fines and penalties. Furthermore, we look at whether companies think they are financially prepared to pay potential GDPR penalties and at the value and usage of cyber insurances. And of course there are some reminders on how to avoid GDPR fines and start getting GDPR compliant.

If you want to know what the GDPR text says about fines and penalties then you might want to check out the mentioned Chapter 8 of the text which is all about GDPR remedies, liabilities and penalties and contains Articles 77 to 84.

GDPR fines

GDPR compliance and becoming GDPR compliant: FAQ

We often get questions about the EU GDPR that might seem obvious at first sight but do deserve an answer of course. Many of these questions concern GDPR compliance, what is the deadline for General Data Protection Regulation compliance and what happens when you’re not GDPR compliant in due time.

What is GDPR compliance?

GDPR compliance means that an organization adheres to the rules of the General Data Protection Regulation and is capable of meeting the data subject rights and organizational duties which are stipulated in it. When people speak about GDPR compliance they often mean that personal data breach risk protection measures and all the other risks and rules to comply with are perfectly covered.

However, there is no perfect security or protection in the digital age where sometimes hackers even outsmart security companies, hacks are sometimes organized by criminal groups and there are even state-sponsored attacks. With data and technology being so important some countries use technology for cyber warfare.

Moreover, data can never be 200% perfectly protected and there are myriad other reasons why breaches and non-compliance could occur with people being the weakest link. Even if you take all possible precautions one of your workers could make a mistake and, for example, have his laptop stolen.

Therefore, organizations must be able to prove they did and continue to do (also after the date when GDPR applies) everything they can to be as compliant as possible. This includes knowing where personal data sits in the organization, making sure (and being able to prove) that consent is given under the legal conditions foreseen in the General Data Protection Regulation, being able to protect the obtained, processed, stored and – under specific conditions – shared personal data against breaches, abuse and misuse and being able to respond to the requests and rights of data subjects. If any of these abilities are not in place, the fines and penalties can be high.

When does GDPR apply and what is the GDPR deadline for compliance?

The General Data Protection Regulation has been adopted by the EU Council on 8 April 2016 and adopted by the European Parliament on 14 April 2016. The official texts are available since 4 May 2016. Since that data the GDPR text can also be consulted in 24 official languages.

The General Data Protection Regulation already entered into force in fact but it applies as from 25 May 2018. The GDPR deadline for compliance is 25 May 2018 as well.

However, it doesn’t stop then. Being GDPR compliant is an ongoing effort. Moreover, as we saw in the road towards GDPR compliance and the reality in the field it’s certain that a lot of companies will not be GDPR compliant. That’s why it matters to have a plan and build upon that plan from the risk perspective and with the ability to demonstrate you took – and still are taking – GDPR compliance steps. But of course in case of a personal data breach or control it’s best to at least be as compliant as you possibly can by May 25th 2018.

While the General Data Protection Regulation already entered into force it will apply from 25 May 2018 which means the official GDPR deadline for compliance is also on 25 May 2018
While the General Data Protection Regulation already entered into force, GDPR applies from May 25th, 2018, which means the official GDPR deadline for compliance is also on 25 May 2018

What if an organization is not GDPR compliant by the EU GDPR compliance deadline?

Unfortunately, despite being officially published two years ahead of the deadline a large number of organizations is far from close to being compliant with the General Data Protection Regulation.

While it is certain that there will be cases of severe fines to set an example it is also certain that organizations need to continue – and in some cases even start – with efforts to get as compliant as possible and to continue doing so after 25 May 2018. Ideally, this starts with a stage of GDPR awareness in a broader plan. As fines and stipulations of the GDPR are related with the risks from the data subject perspective and a focus on particular categories and usages of personal data, among others in industries where many personal data are processes, it is important to start from the viewpoints of risks and have a clear plan of action with documented steps. A risk analysis is key, as is a strategy and staff awareness. The General Data Protection Regulation also starts from the risk and data subject perspective.

The crucial role of GDPR awareness in GDPR compliance
GDPR compliance starts with GDPR awareness

Some organizations prefer to insure themselves but even then working towards compliance is important as you don’t want to be that company that is known to its customers and the world as being totally not GDPR compliant, let alone suffering from a breach with an additional clear lack of understanding of and focus on personal data protection, which is as much about leadership, culture, people, processes and respect as it is about security, information management and other technological ways to work towards compliance.

The GDPR compliance readiness disconnect

 

Are there specific ways that help in demonstrating GDPR compliance?

The GDPR Articles are full of rules regarding compliance with the Regulation and the duty to demonstrate GDPR compliance. If you add the recitals of the final GDPR text to it, there is even far more on not just compliance duties but also on those various ways that help organizations (controllers and processors) to show they took the necessary steps in demonstrating that compliance.

These ways of demonstrating GDPR compliance obviously are as important as becoming GDPR compliant as such. It is not as if on May 25th all organizations will be checked for GDPR compliance. However, when controls are done, complaints of data subjects are lodged, personal data breaches occur, there are clear infringements with regards to the principles of data privacy (by design and by default) and personal data protection, demonstrating GDPR compliance becomes essential.

In each GDPR compliance strategy, the ways to demonstrate compliance should be taken into account and the perspective of risk with regards to the rights and freedoms of data subjects are key in it. We’ve covered ample known and less known ways to demonstrate GDPR compliance before. Asking a DPIA is seen as a way to demonstrate compliance, asking advice to supervisory authorities as well, then there is adhering to approved codes of conduct or certification, the list goes on. We’ll add some more as the deadline of GDPR compliance approaches. We’ve talked about the DPIA and other ways so here is a bit more information on two ways to demonstrate GDPR compliance: those codes of conduct and certifications.

Adhering to an approved code of conduct to demonstrate GDPR compliance

Codes of conduct can be drafted by supervisory authorities and by private associations who represent categories of controllers or processors which conduct similar data processing activities or are active in specific industries which allow for such a code of conduct.

A code of conduct needs to be approved and once it is an approved code of conduct controllers and processors can decide to adhere to it. If they do so it is not just a factor that is explicitly taken into account as a way to demonstrate GDPR compliance but also offers additional benefits, among others in areas such as the perceived reliability of processors towards controllers who will select processors based upon their degree of sufficient safeguards and GDPR compliance and cross-border transfers.

Do note that adhering to a code of conduct comes with responsibilities as well of course. It would be too easy to adhere to a code of conduct as a demonstration of compliance and then not care too much anymore. That’s why there are also monitoring bodies who check if you live up to the code of conduct.

Certifications to demonstrate GDPR compliance

The General Data Protection Regulation rules regarding certifications are relatively comparable with those regarding approved codes of conduct. However, a certification of course is not the same as a code of conduct. What both have in common in the scope of GDPR compliance is that also certifications are ways to demonstrate GDPR compliance and explicitly recognized as such.

You might have followed some sort of GDPR certification course already or intend to. Do note, however, that certification needs to meet certain specifications, as do codes of conduct so beware of the how and where.

Just like codes of conduct, certifications are ‘promoted’ by the General Data Protection Regulation as ways to not just demonstrate compliance but also as a token to any stakeholder that your organization is aware of what it needs to do in order to conduct lawful processing of personal data.

GDPR compliance with codes of conduct

 

GDPR text: GDPR Articles Search 

Below you find an overview of all the Articles in the text with a search function to only see GDPR Articles for your particular query (the search function looks inside the titles and actual text of the Articles and returns the GDPR Articles containing them).

General Data Protection Regulation Articles Search Tips

  • Use quotation marks to find all GDPR Articles containing an exact combination of words in the text. E.g. “data protection officer”.
  • To see all Articles again after a query, empty the search field and enter the find button.






  • GDPR Article 1 – Subject-matter and objectives
  • GDPR Article 2 – Material scope
  • GDPR Article 3 – Territorial scope
  • GDPR Article 4 – Definitions
  • GDPR Article 5 – Principles relating to processing of personal data
  • GDPR Article 6 – Lawfulness of processing
  • GDPR Article 7 – Conditions for consent
  • GDPR Article 8 – Conditions applicable to child’s consent in relation to information society services
  • GDPR Article 9 – Processing of special categories of personal data
  • GDPR Article 10 – Processing of personal data relating to criminal convictions and offences
  • GDPR Article 11 – Processing which does not require identification
  • GDPR Article 12 – Transparency and the exercise of the rights of the data subject
  • GDPR Article 13 – Information to provide where personal data are collected from the data subject
  • GDPR Article 14 – Information to provide where personal data have not been obtained from the data subject
  • GDPR Article 15 – Right of access by the data subject
  • GDPR Article 16 – Right to rectification
  • GDPR Article 17 – Right to erasure (‘right to be forgotten’)
  • GDPR Article 18 – Right to restriction of processing
  • GDPR Article 19 – Notification obligation rectification, erasure and restriction
  • GDPR Article 20 – Right to data portability
  • GDPR Article 21 – Right to object
  • GDPR Article 22 – Automated individual decision-making and profiling
  • GDPR Article 23 – Restrictions
  • GDPR Article 24 – Responsibility of the controller
  • GDPR Article 25 – Data protection by design and by default
  • GDPR Article 26 – Joint controllers
  • GDPR Article 27 – Representatives of controllers or processors not established in the Union
  • GDPR Article 28 – Processor (general obligations)
  • GDPR Article 29 – Processing under the authority of the controller or processor
  • GDPR Article 30 – Records of processing activities
  • GDPR Article 31 – Cooperation with the supervisory authority
  • GDPR Article 32 – Security of processing
  • GDPR Article 33 – Notification of a personal data breach to the supervisory authority
  • GDPR Article 34 – Communication of a personal data breach to the data subject
  • GDPR Article 35 – Data protection impact assessment
  • GDPR Article 36 – Prior consultation
  • GDPR Article 37 – Designation of the data protection officer
  • GDPR Article 38 – Position of the data protection officer
  • GDPR Article 39 – Tasks of the data protection officer
  • GDPR Article 40 – Codes of conduct
  • GDPR Article 41 – Monitoring of approved codes of conduct
  • GDPR Article 42 – Certification
  • GDPR Article 43 – Certification bodies
  • GDPR Article 44 – General principle for transfers
  • GDPR Article 45 – Transfers on the basis of an adequacy decision
  • GDPR Article 46 – Transfers subject to appropriate safeguards
  • GDPR Article 47 – Binding corporate rules
  • GDPR Article 48 – Transfers or disclosures not authorised by Union law
  • GDPR Article 49 – Derogations for specific situations
  • GDPR Article 50 – International cooperation for the protection of personal data
  • GDPR Article 51 – Supervisory authority
  • GDPR Article 52 – Independence
  • GDPR Article 53 – General conditions for the members of the supervisory authority
  • GDPR Article 54 – Rules on the establishment of the supervisory authority
  • GDPR Article 55 – Competence
  • GDPR Article 56 – Competence of the lead supervisory authority
  • GDPR Article 57 – Tasks
  • GDPR Article 58 – Powers
  • GDPR Article 59 – Activity reports
  • GDPR Article 60 – Cooperation between the lead supervisory authority and the other supervisory authorities concerned
  • GDPR Article 61 – Mutual assistance
  • GDPR Article 62 – Joint operations of supervisory authorities
  • GDPR Article 63 – Consistency mechanism
  • GDPR Article 64 – Opinion of the Board
  • GDPR Article 65 – Dispute resolution by the Board
  • GDPR Article 66 – Urgency procedure
  • GDPR Article 67 – Exchange of information
  • GDPR Article 68 – European Data Protection Board
  • GDPR Article 69 – Independence of the European Data Protection Board
  • GDPR Article 70 – Tasks of the Board
  • GPR Article 71 – Reports
  • GDPR Article 72 – Procedure
  • GDPR Article 73 – Chair
  • GDPR Article 74 – Tasks of the Chair
  • GDPR Article 75 – Secretariat
  • GDPR Article 76 – Confidentiality
  • GDPR Article 77 – Right to lodge a complaint with a supervisory authority
  • GDPR Article 78 – Right to an effective judicial remedy against a supervisory authority
  • GDPR Article 79 – Right to an effective judicial remedy against a controller or processor
  • GDPR Article 80 – Representation of data subjects
  • GDPR Article 81 – Suspension of proceedings
  • GDPR Article 82 – Right to compensation and liability
  • GDPR Article 83 – General conditions for imposing administrative fines
  • GDPR Article 84 – Penalties
  • GDPR Article 85 – Processing and freedom of expression and information
  • GDPR Article 86 – Processing and public access to official documents
  • GDPR Article 87 – Processing of the national identification number
  • GDPR Article 88 – Processing in the context of employment
  • GDPR Article 89 – Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • GDPR Article 90 – Obligations of secrecy
  • GDPR Article 91 – Existing data protection rules of churches and religious associations
  • GDPR Article 92 – Exercise of the delegation
  • GDPR Article 93 – Committee procedure
  • GDPR Article 94 – Repeal of Directive 95/46/EC
  • GDPR Article 95 – Relationship with Directive 2002/58/EC
  • GDPR Article 96 – Relationship with previously concluded Agreements
  • GDPR Article 97 – Commission reports
  • GDPR Article 98 – Review of other Union legal acts on data protection
  • GDPR Article 99 – Entry into force and application
  •  

    Top image: Shutterstock – Copyright: symbiot – Alarm clock image: Shutterstock – Copyright: Carlos Amarillo – Awareness image: Shutterstock – Copyright: Kunst Bilder  – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for EU GDPR compliance.