The GDPR has not stopped being a subject of debate for many digital businesses. Although many European-based companies took action to become compliant before the 25th of May, some doubt remains.
In order to help you rest easy, we drafted a Q&A list comprising the most burning questions you might have as a digital business. Although there is no universal checklist that applies to all cases, some issues pop up more often than others. These answers will stay relevant for years to come, since the GDPR is not going anywhere.
Wondering whether you should trust this list? It was curated and answered by our in-house lawyer Kamila Koszewicz, with eight years of experience in IT law and personal data protection. Monitoring the legislative process of the GDPR since 2012 (and participating in it) allowed her to identify all the relevant areas which should be taken care of in order to ensure compliance with the new regulation.
What's more, our team used those same questions while working on projects for our clients, and they served their purpose. We have already shared our experience of achieving GDPR compliance through a step-by-step application of the new rules, especially relevant to a medium-size company like Monterail.
So, walk away knowing how to identify data flows within your company, be more GDPR-conscious in your operations, and understand where you might still need to apply changes.
Here's the Q&A list.
1. Are you a data controller or a processor—do you determine the purposes and means of the processing of personal data, or process personal data on behalf of another party?
Answering this question is crucial to determine the scope of your obligations under the GDPR.
Data controllers decide what data is collected, for what purpose, how it is processed and for how long. This means that you are responsible for meeting a broad scope of obligations, such as securing the data and meeting the objectives of e.g. data minimization and transparency of processing. You are also the one obliged to respond to data subjects and to facilitate the exercise of their rights.
On the other hand, if you are a data processor, you process the data on behalf of a controller and only within the scope the controller has determined. Therefore, you cannot make decisions about what personal data is processed and how. Your chief duty is to secure the data you process from unauthorized access, modification, etc.
Note: unless specified otherwise, this document refers to processing personal data by data controllers.
2. Do you perform all the processing activities yourself or use third-party processing services, such as renting servers?
If you use a third-party processing service, you have to conclude a specific agreement in writing (including in electronic form), that has to regulate in particular the subject-matter and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller.
Remember that even if you don’t process the data yourself, you remain responsible for the processing. Choose only those processors that guarantee the implementation of appropriate technical and organizational measures of processing to meet the requirements of GDPR and ensure the protection of the data.
3. Who can access the personal data within your company? Are there different levels of access for different positions?
The fact that you, as a controller or a processor, are entitled to process the data, doesn’t mean that all your employees can access it—it should be only the people whose position within your company requires them having such rights.
Remember to specify the scope of authorization: what kind of data they can access (e.g. client data, data regarding employment), and what they can do with the data. Some people will need full access, including the right to enter, modify or erase the data, while for others the right to view the data will suffice.
4. Do you have a system of logs that records who enters, modifies, erases or accesses the personal data you process, and when?
The GDPR's objectives of data integrity and accountability require that you, as a controller or a processor, have appropriate technical or organizational measures in place so that you can tell exactly who did each of those things and when, regardless of whether it was someone within your company or the data subject themselves.
5. Who do you get the data from—a data subject or from a third party?
The way you collect data determines the scope of information you need to provide the data subject with.
Also remember that when obtaining data from a third party, not only does that party have to have obtained the data lawfully, but you too are responsible for having a legal basis for the processing in place.
6. Do you collect the personal data of children?
GDPR introduces special regulations regarding the processing of personal data of children under 16, in relation to providing information society services directly to a child.
Complying with them can be challenging, and in practice the most troublesome part may be obtaining consent for such processing from the child's parent or legal guardian, or obtaining their authorization of the child's consent. To avoid unnecessary costs, take a close look at these regulations and identify solutions addressing them at the very outset of designing a service or an app.
7. How do you collect data—by e-mail, electronic forms, activity tracking, etc.?
Checking all the ways you collect data is a necessary step, and one of the first that you need to take to properly audit your data flows and verify whether you’re satisfying all the legal obligations imposed on you, such as obtaining proper consents for processing, providing data subject with the information specified by GDPR, etc.
8. What categories of personal data do you collect?
By “category” we mean name, address, IP address, etc. This is an essential step in auditing your data flows, and it will also allow you to create a document called a “record of processing activities”, in which you have to describe the categories of data subjects and personal data you collect.
9. Do you collect sensitive data—such as health records, data on racial or ethnic origin, religious or philosophical beliefs, etc.?
Processing sensitive data is prohibited by default and can happen only under specific circumstances described in GDPR, so one general recommendation would be to avoid processing such data altogether. If that’s not possible, seek legal advice to identify solutions that would provide you with a legal basis for the processing of such data.
Check carefully if processing of the categories of data you want to collect is not prohibited.
10. Is all the data you collect really necessary for the purpose of its processing?
One of the chief rules of personal data protection is data minimization. It compels the controller to limit—by default—to the necessary minimum the amount of personal data collected, as well as the extent of their processing, the period of their storage, and their accessibility.
Remember to take it into consideration both when auditing your databases, and when designing new data flows (creating forms, making decisions on activity tracking, etc.).
11. How is the collected data used—what is the purpose of personal data processing?
Data can be only processed for specified, explicit, and legitimate purposes and cannot be further processed in a manner that is incompatible with those purposes.
12. What is the legal basis for processing personal data?
Every processing of personal data has to be legitimized by a valid legal basis. The bases for processing regular categories of data (not “sensitive”) are:
- consent of data subject to processing for a specific purpose;
- performance of a contract which the data subject is party to, or processing in order to take steps at the request of the data subject prior to entering into a contract;
- legal obligation to which the controller is a subject;
- protecting the vital interests of the data subject or of another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
13. If you collect consents for data processing—is withdrawing consent as easy as giving it?
It should be—the data controller has to facilitate the ability of the data subject to exercise their rights.
14. If you process the same data, with consent as legal basis, for multiple purposes—do you collect separate consent for each purpose?
Be careful. The consent clause, if not constructed properly, does not constitute a legal basis legitimizing the processing of personal data. If you include a few processing purposes in a single consent clause, the data subject cannot agree to only some of them, therefore it is impossible to tell whether consent to each purpose was given freely, which is a condition of its validity.
When designing a service, remember the principles of processing of personal data, such as transparency, data minimization, integrity, and confidentiality.
15. How long will the data be stored for? What criteria are used to determine that period? Will data be erased manually or automatically?
Remember that the legal definition of personal data processing includes storage, so you can keep the data only as long as you have a valid legal basis to do so.
16. Do you have policies in place that ensure that personal data are rectified or erased in case they are inaccurate, and erased as soon as they are not relevant for the purposes for which they are processed?
These are your duties under the GDPR rule of data accuracy. Make sure you implemented mechanisms and procedures that will keep you on the safe side in this particular matter.
17. Do you collect data for statistical purposes in personal or anonymized form?
Anonymization is a solution that allows you to store statistical data for as long as you wish—even after the legal basis that allowed you to collect the data in personal form is no longer valid. It also helps you remain compliant with the data minimization rule, so when it comes to processing personal data, it's good practice to anonymize as much of it as you can while still achieving the purpose of processing.
18. Do you inform the data subject about your identity, contact details, and data subject rights? When and how?
You should provide the data subject with such information at the time when you collect the data from them.
If you obtain the data from another party, you should inform the data subject, no later than at the moment of first communication with them or at the time of disclosure of the data to another recipient, and always within a reasonable period after obtaining the data, no later than within one month.
The information should be easily accessible and easy to understand, in clear and plain language.
19. Will data be shared with any third parties, including within your capital group? When, how, on what legal basis?
When you are the data controller, sharing data with other entities may take two forms:
- processing will be carried out on your behalf, you specify its purpose, duration, the obligations of the processor, and so on—in this case you need to conclude a contract regulating all of these issues with the processor, and you don’t have to ask the data subject for their consent to do so;
- you lose control over the data you share and its processing, and the recipient becomes an independent controller of that data—in this case you will need a legal basis to share personal data (e.g. consent of the data subject specifying who you share the data with and what for).
20. Do you transfer data to countries outside the EU?
Many countries outside the EU do not have as strict personal data protection regulations as GDPR. Therefore such transfers need to be legitimized using, for example, an adequacy decision issued by the European Commission, implementation of approved binding corporate rules, or the explicit consent of the data subject. Make sure to secure a legal basis for the data transfer before it occurs.
21. How can a user request access to their data, including receiving a copy of their personal data undergoing processing? Will this process be conducted manually or automatically? In what format will the copy be provided?
The data subject can request from the controller a copy of their personal data undergoing processing. When this right is exercised for the first time, the controller should provide such a copy free of charge, but in case of further requests, the controller may charge a reasonable fee based on administrative costs.
Unless otherwise requested by the data subject, if the request is made by electronic means, the information also should be provided in electronic form.
In preparation for data subjects exercising their rights, the controller must ask themselves a handful of important questions, the most important being:
- how the request can be placed—using a dedicated website, with a request form and instructions, or maybe, for example, by e-mail;
- will this process be conducted manually or automatically;
- if the former, is there enough sufficiently trained personnel to handle the incoming workload;
- do the procedures and organizational means in place allow the fulfilment of such requests without undue delay.
The above will not be repeated in the answers to the following questions, so remember to copy it and use it as a first step while working on solutions regarding each data subject right.
22. How will the right to data portability be handled? In what format will the data be provided to the data subject or to another controller at the data subject’s request?
The right to data portability can be exercised if the data subject has provided the data to a controller, the processing is carried out by automated means, and it is based on one of the following legal bases: the consent of the data subject, or a contract to which the data subject is a party.
It allows the data subject to request a copy of their data in a structured, common, and machine-readable format. The GDPR does not provide further specification of such format, so it’s on the controller to choose it, bearing in mind that the data subject can request that the data be transmitted directly to another controller.
23. How can a user request rectification of their data and how is that request handled?
This right allows the data subject to obtain rectification of inaccurate personal data concerning them, and to request that any incomplete data are completed.
From the controller’s point of view, it is important to remember that in case this right is exercised (the same as in the case of right to erasure/right to be forgotten or right to restrict processing), it has to be communicated to each recipient to whom the personal data have been disclosed, unless it’s impossible or involves disproportionate effort.
24. Have you verified how exercising the right to restrict and right to object will affect your processes, and whether you are able to comply with obligations they entail?
The restriction of processing can be requested in cases when one of the following applies:
- the accuracy of the personal data is contested by the data subject;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing and it’s being verified whether the legitimate grounds of the controller override those of the data subject.
If the data subject exercises their right to restrict processing, the controller cannot continue processing their personal data and can only store it. Since the obligation to restrict processing is temporary by default (it lasts until the data can be processed again or need to be erased), the possibility of “turning processing on and off” should be addressed when the system in which the data are processed is designed, along with the option of marking data with an explicit indication that their processing is restricted.
Another right that should be specifically addressed at the stage of designing the data processing system is the right to object. The GDPR compels a controller providing electronic services to allow the data subject to exercise this right by automated means using technical specifications.
In the case of IT businesses, the right to object will usually be exercised on grounds relating to the particular situation of the data subject, where the processing is legitimized by legitimate interests pursued by the controller or by a third party. The controller can refuse to fulfil such a request if they demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or which relate to legal claims.
This does not apply to the data subject’s right to object to processing for direct marketing purposes, including profiling—in such a case, the processing must cease.
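As an added example (not code from the original article or from Monterail), here is a constructed Python sketch of the design point above: restriction is a flag that switches processing off and on while storage continues, an objection to direct marketing stops that purpose for good, and every entry, access, erasure and flag change is written to the audit log that question 4 asks about. The purpose labels, actor names and the "subject-42" record are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Purpose labels are assumptions made for this example, not terms from the GDPR.
SERVICE_DELIVERY = "service_delivery"
DIRECT_MARKETING = "direct_marketing"

class ProcessingBlocked(Exception):
    """Raised when an operation would breach a restriction or an objection."""

@dataclass
class Record:
    data: Dict[str, str]
    restricted: bool = False                         # explicit marker: store only
    objected: Set[str] = field(default_factory=set)  # purposes the subject objected to

class PersonalDataStore:
    """Constructed store: every enter/access/erase/flag change is written to an audit log."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.audit_log: List[tuple] = []  # (utc timestamp, actor, action, subject_id)

    def _log(self, actor: str, action: str, subject_id: str) -> None:
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), actor, action, subject_id))

    def enter(self, actor: str, subject_id: str, data: Dict[str, str]) -> None:
        self._records[subject_id] = Record(dict(data))
        self._log(actor, "enter", subject_id)

    def access(self, actor: str, subject_id: str, purpose: str) -> Dict[str, str]:
        rec = self._records[subject_id]
        if purpose in rec.objected:
            raise ProcessingBlocked(f"{subject_id}: subject objected to {purpose}")
        if rec.restricted:
            raise ProcessingBlocked(f"{subject_id}: processing restricted, storage only")
        self._log(actor, f"access:{purpose}", subject_id)
        return dict(rec.data)

    def erase(self, actor: str, subject_id: str) -> None:
        del self._records[subject_id]  # not gated: restricted data may still need erasing
        self._log(actor, "erase", subject_id)

    def set_restricted(self, actor: str, subject_id: str, restricted: bool) -> None:
        # "Turning processing on and off": only the marker changes, the data stay stored.
        self._records[subject_id].restricted = restricted
        self._log(actor, "restrict" if restricted else "unrestrict", subject_id)

    def object_to(self, actor: str, subject_id: str, purpose: str) -> None:
        # Absolute for direct marketing; for other purposes the controller may still
        # demonstrate overriding grounds, a legal decision taken outside this code.
        self._records[subject_id].objected.add(purpose)
        self._log(actor, f"object:{purpose}", subject_id)

    def history(self, subject_id: str) -> List[str]:
        """Who did what, and when, to one subject's data (question 4)."""
        return [f"{t} {a} {act}" for t, a, act, s in self.audit_log if s == subject_id]

def demo() -> List[str]:
    """Constructed subject: objection, then restriction, then the restriction is lifted."""
    store = PersonalDataStore()
    store.enter("crm-import", "subject-42", {"email": "jane@example.org"})
    store.object_to("subject-42", "subject-42", DIRECT_MARKETING)
    store.set_restricted("support", "subject-42", True)  # accuracy contested by the subject
    blocked = []
    for purpose in (SERVICE_DELIVERY, DIRECT_MARKETING):
        try:
            store.access("billing", "subject-42", purpose)
        except ProcessingBlocked as exc:
            blocked.append(str(exc))
    store.set_restricted("support", "subject-42", False)  # dispute resolved
    store.access("billing", "subject-42", SERVICE_DELIVERY)
    return blocked + [act for _, _, act, _ in store.audit_log]
```

Refused access attempts are not logged here; a production system would record them as well, so that the log answers question 4 for failed attempts too.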
25. How can a user request erasure of their personal data? If you’ve made that data public, how do you inform other controllers that copies of the data, replications, and any links to it have to be erased?
Those questions pertain to the so-called right to be forgotten. Fulfilling the controller’s duties related to that right can in practice entail many difficulties, because, as is often the case, the GDPR does not specify exactly how the matter should be approached technically. The good thing is that the controller is not obliged to do everything possible to identify all the controllers processing the data that was made public, but only the steps that can be deemed reasonable, taking into account the available technology and implementation costs.
You’ll have to fulfil that request in cases when the data subject is entitled to request erasure of personal data, which is if:
- the personal data are no longer necessary for purposes for which they were collected or otherwise processed;
- the data subject withdraws consent for processing and there are no other legal grounds for processing;
- the data subject objects to the processing;
- the personal data have been processed unlawfully;
- the personal data have to be erased for compliance with a legal obligation;
- the personal data have been collected in relation to offering information society services directly to a child under 16 years old.
26. Does processing of personal data include making decisions based solely on automated processing, including profiling, which produces legal effects or effects affecting data subjects in a similarly significant manner?
Such decisions can be made only in three cases—when it’s necessary for entering into or performing a contract between the data subject and a controller, when it’s authorized by law, or when it’s based on the data subject's explicit consent. Moreover, decisions like these should not be based on sensitive data.
The controller needs to ensure, by setting up an appropriate communication channel and assigning personnel to service it, that a data subject can obtain human intervention regarding such decision-making, express their point of view, and contest the decision.
27. Do you have a system in place that enables you to detect data protection breaches and a procedure on how to react in case of a breach?
Whether you are a controller or a processor, under GDPR you will be obliged to notify personal data breaches to supervisory authorities, and in some cases also communicate them to data subjects.
You need to prepare for such situations in advance, because when a breach happens, you won’t have much time—the controller should notify appropriate supervisory authorities within 72 hours after the controller becomes aware of the breach. In case a processor becomes aware of a breach, they need to notify the controller “without undue delay” which means “as soon as possible and practicable”. The controller may decide against informing supervisory authorities only if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In each case, the breach must be documented by a controller and the report must contain a description of the breach, its effects, and the remedial action taken.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall also as a rule communicate it without undue delay to data subjects, although in some cases making a public communication about the breach will suffice.
28. Do you have a data protection officer in your company or know whether you need one?
Both controllers and processors operating in IT may need to designate a data protection officer, particularly in cases where their core business includes processing operations which require regular and systematic monitoring of data subjects on a large scale, or the processing of sensitive data on a large scale.
29. Have you verified whether there are processes in your company that require conducting a data protection impact assessment?
Such an assessment should be carried out in the case of processing that—taking into account its nature, scope, context and purposes—is likely to result in a high risk to the rights and freedoms of natural persons, in particular because of use of new technologies.
It might be required in particular cases, including:
- the systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or affecting the natural person in a similarly significant manner;
- the processing of sensitive data on a large scale;
- the systematic monitoring of a publicly accessible area on a large scale.
30. Have you verified what the scope of obligatory documentation you need to prepare is and whether your staff is trained for the GDPR challenges?
First of all, both controllers and processors need to maintain records of their data processing activities.
In case of controllers, such records should contain in particular their company details, the purposes of processing, categories of data, recipients to whom personal data are disclosed, transfers of personal data to a third country, time limits for erasure of different categories of data, and a general description of the technical and organizational security measures they have implemented.
For processors, such records should include not only their company details, but also the company details of each controller on whose behalf they are operating, categories of processing carried out on behalf of each controller, transfers of personal data to a third country, and a general description of the technical and organizational security measures they have implemented.
There is an exemption allowing organizations employing fewer than 250 persons to not maintain such records, but it doesn’t apply if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes sensitive data. In the case of the majority of IT businesses, the processing of personal data is definitely not occasional, so it is advisable to maintain such records anyway.
Apart from maintaining records of data processing activities, controllers must also remember to prepare other documents (for example descriptions of implemented procedures) demonstrating their compliance with GDPR rules, for example describing how the principles of processing of personal data are observed (including transparency, data minimization, integrity, or confidentiality).
If you’d like to keep this Q&A in a PDF file, you can download your GDPR question list here.