Ever since its conception, the GDPR has caused a strong stir in the legal and compliance world. The new law builds on the previous data protection legislation but at the same time provides more resilient protections for consumers, and more privacy considerations for organisations involved in the processing of personal data. The new EU General Data Protection Regulation (GDPR), adopted in 2016, will be applicable starting on May 25, 2018. The GDPR comes with significant changes compared to the Data Protection Directive 95/46/EC, and these involve operational changes in organisations.
To say that the GDPR is merely an extension of the previous law would not be true either. It is an add-on, but also a game changer in the field of legal and compliance. It has been dubbed the most important change in data privacy laws in 20 years, leaving the compliance world in a bit of an abyss due to its ever-evolving nuance and the uncertain nature of its applicability. Each country outside the EU, especially countries such as Pakistan, needs to have its own data protection law as stringent and controlled as the EU’s GDPR, as any data coming from inside or outside the EU into Pakistan will contractually bind both.
So, what exactly does the GDPR apply to? The GDPR applies to personal data and sensitive personal data. If you are offering goods or services to EU citizens inside or outside the EU, the GDPR will apply. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier, for example an IP address, can amount to ‘personal data’. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations keeping HR records, employment checks, customer lists, contact details, etc., the change to the definition should make little practical difference. So one can assume that if an individual or organisation holds information that falls within the scope of the Data Protection Act (DPA), it will also fall within the scope of the GDPR. The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
It is important to note that the GDPR refers to sensitive personal data as “special categories of personal data”, as stated in Article 9. These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing. All kinds of background screening and due diligence fall under it.
Another main step in getting ready for the GDPR is first determining whether your organisation processes personal data as a “data controller” or a “data processor”. The GDPR applies to ‘controllers’ and ‘processors’ (Articles 19-23). A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you, for example the requirement to maintain records of personal data and processing activities. A processor also bears legal liability if it is found responsible for a breach.
However, controllers are not relieved of their obligations where a processor is involved, as the GDPR places further obligations on controllers to ensure that their contracts with processors comply with the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
To understand the GDPR further, it is important to know the requirement of consent. Consent under the GDPR (Article 32) must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action, in other words a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must be verifiable, and individuals generally have more rights where you, as a person or organisation, rely on consent to process their data.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA. It is important that you determine your lawful basis for processing personal data and document this.
This becomes more of an issue under the GDPR because your lawful basis for processing influences individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted.
The data protection officer (DPO) is the person responsible for GDPR compliance. As per Article 35, an organisation will be required to hire a DPO depending on its size and its processing of large volumes of special category data. This person will operate independently of the organisation. The principles of accountability and transparency have previously been implicit requirements of data protection law; however, the GDPR’s emphasis elevates their significance.
Ultimately, the aim of these measures should be to minimise the risk of breaches and uphold the protection of personal data.