June 21, 2018
GDPR issue hasn't stopped being a subject of debate for many digital business yet. Although many European-based companies took actions to become compliant before 25th of May, a shred of doubts stays.
In order to help you rest easy, we drafted a Q&A list comprising the most burning questions you might have as a digital business. Although there's no universal checklist applying to all cases, some issues pop-up more often than others. And these answers will be relevant for the years to come, since GDPR is not going anywhere.
Wondering whether you should trust this list? It was curated and answered by our in-house lawyer Kamila Koszewicz, with eight years of experience in IT law and personal data protection. Monitoring the legislative process of the GDPR since 2012 (and participating in it) allowed her to identify all the relevant areas which should be taken care of in order to ensure compliance with the new regulation.
What's more, our team used those same questions while working on projects for our clients. And it served its purpose. We already shared our experience with getting GDPR compliance in step-by-step application of new rules especially relevant to a medium-size company like Monterail.
So, walk away knowing how to identify data flows within you company, be more GDPR-conscious in your operations and understand where you might still need to apply changes.
Here's the Q&A list.
Answering this question is crucial to determine the scope of your obligations under the GDPR.
Data controllers decide what data is collected, for what purpose, how it is processed and for how long. This means that you are responsible for meeting a broad scope of obligations, such as securing the data, meeting the objectives of e.g. data minimization and transparency of processing. You’re also the one that is obliged to answer to and facilitate exercising of data subject rights.
On the other hand, if you are a data processor, you process the data on behalf of a controller and only within the scope he determined. Therefore, you cannot make decisions about what personal data is processed and how. Your chief duty is to secure the data you process from unauthorized access, modification, etc.
Note: unless specified otherwise, this document refers to processing personal data by data controllers.
If you use a third-party processing service, you have to conclude a specific agreement in writing (including in electronic form), that has to regulate in particular the subject-matter and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller.
Remember that even if you don’t process the data yourself, you remain responsible for the processing. Choose only those processors that guarantee the implementation of appropriate technical and organizational measures of processing to meet the requirements of GDPR and ensure the protection of the data.
If you use a third-party processing service, you have to conclude an agreement.
The fact that you, as a controller or a processor, are entitled to process the data, doesn’t mean that all your employees can access it—it should be only the people whose position within your company requires them having such rights.
Remember to specify the scope of authorization—what kind of data they can access (e.g. client data, data regarding employment), and what they can do with the data. Some people will need to have a full access, including right to enter, modify or erase the data, while for others only the right to view the data will suffice.
The GDPR’s objective of data integrity/accountability requires that you, as a controller or a processor, have appropriate technical or organizational measures in place to be able to tell exactly who and when does all of that—regardless of whether it’s someone within your company or the data subject itself.
The way you collect data determines the scope of information you need to provide the data subject with.
Also remember that when obtaining data from a third party, not only does it have to obtain the data lawfully, but you too are responsible to have a legal basis of processing in place.
GDPR introduces special regulations regarding the processing of personal data of children under 16, in relation to providing information society services directly to a child.
Complying with them can be challenging, and it seems that the most troublesome in practice may be the obtaining of consent for / authorization of a consent for such processing from the child’s parent or legal guardian. To avoid unnecessary costs, remember to take a close look at these regulations and identify solutions addressing them at the very outset of designing a service/an app.
Checking all the ways you collect data is a necessary step, and one of the first that you need to take to properly audit your data flows and verify whether you’re satisfying all the legal obligations imposed on you, such as obtaining proper consents for processing, providing data subject with the information specified by GDPR, etc.
By “category” we mean name, address, IP, etc. This is an essential step in auditing your data flows, it will also allow you to create a document called a “record of processing activities”, where you have to describe the categories of data subjects and personal data you collect.
Processing sensitive data is prohibited by default and can happen only under specific circumstances described in GDPR, so one general recommendation would be to avoid processing such data altogether. If that’s not possible, seek legal advice to identify solutions that would provide you with a legal basis for the processing of such data.
Check carefully if processing of the categories of data you want to collect is not prohibited.
One of the chief rules of personal data protection is data minimization. It compels the controller to limit—by default—to the necessary minimum the amount of personal data collected, as well as the extent of their processing, the period of their storage, and their accessibility.
Remember to take it into consideration both when auditing your databases, and when designing new data flows (creating forms, making decisions on activity tracking, etc.).
Data can be only processed for specified, explicit, and legitimate purposes and cannot be further processed in a manner that is incompatible with those purposes.
Every processing of personal data has to be legitimized by a valid legal basis. The bases for processing regular categories of data (not “sensitive”) are:
It should be—the data controller has to facilitate the ability of the data subject to exercise their rights.
Be careful. The consent clause, if not constructed properly, does not constitute a legal basis legitimizing the processing of personal data. If you include a few processing purposes in a single consent clause, the data subject cannot agree to only some of them, therefore it is impossible to tell whether consent to each purpose was given freely, which is a condition of its validity.
When designing a service remember about the principles of processing of personal data such as transparency, data minimization, integrity, and confidentiality
Remember that the legal definition of personal data processing includes storage, so you can keep the data only as long as you have a valid legal basis to do so.
These are your duties under the GDPR rule of data accuracy. Make sure you implemented mechanisms and procedures that will keep you on the safe side in this particular matter.
Anonymization is a solution that allows you to store statistical data for as long as you wish—even after the legal basis that allowed you to collect the data in personal form is no longer valid. It also helps you remain compliant with the data minimization rule, so when it comes to processing personal data, it's good practice to anonymize as much of it as you can while still achieving the purpose of processing.
You should provide the data subject with such information at the time when you collect the data from them.
If you obtain the data from another party, you should inform the data subject, no later than at the moment of first communication with them or at the time of disclosure of the data to another recipient, and always within a reasonable period after obtaining the data, no later than within one month.
The information should be easily accessible and easy to understand, in clear and plain language.
When you are the data controller, sharing data with other entities may take two forms:
Many countries outside the EU do not have as strict personal data protection regulations as GDPR. Therefore such transfers need to be legitimized using, for example, an adequacy decision issued by the European Commission, implementation of approved binding corporate rules, or the explicit consent of the data subject. Make sure to secure a legal basis for the data transfer before it occurs.
The data subject can request from the controller a copy of their personal data undergoing processing. When this right is exercised for the first time, the controller should provide such a copy free of charge, but in case of further requests, the controller may charge a reasonable fee based on administrative costs.
Unless otherwise requested by the data subject, if the request is made by electronic means, the information also should be provided in electronic form.
In preparation for data subject exercising their data rights, the controller must ask themselves a handful of important questions, the most important being:
The above will not be repeated in the answers to the following questions, so remember to copy it and use it as a first step while working on solutions regarding each data subject right.
The right to data portability can be exercised If the data subject has provided data to a controller, the processing is carried out by automated means, and is based on one of the following legal bases—the consent of the data subject, or a contract to which the data subject is a party.
It allows the data subject to request a copy of their data in a structured, common, and machine-readable format. The GDPR does not provide further specification of such format, so it’s on the controller to choose it, bearing in mind that the data subject can request that the data be transmitted directly to another controller.
This right allows the data subject to obtain rectification of inaccurate personal data concerning them, and to request that any incomplete data are completed.
From the controller’s point of view, it is important to remember that in case this right is exercised (the same as in the case of right to erasure/right to be forgotten or right to restrict processing), it has to be communicated to each recipient to whom the personal data have been disclosed, unless it’s impossible or involves disproportionate effort.
If the right to erasure, right to be forgotten or right to restrict processing is exercised, the controller should communicate it to each recipient to whom the personal data have been disclosed
The restriction of processing can be requested in cases when one of the following applies:
If the data subject exercises their right to restrict processing, the controller cannot continue processing their personal data and can only store it. Since the obligation to restrict processing is temporary by default (unless data can be again processed or needs to be erased), the possibility of “turning processing on and off” should be addressed when the system in which the data are processed is designed, along with option of marking data with explicit indication that their processing is restricted.
Another right that should be specially addressed at the stage of designing the data processing system is the right to object. GDPR compels the controller providing electronic services to allow data subject to exercise this right by automated means using technical specifications.
In case of IT businesses, the right to object will be usually exercised on grounds relating to a particular situation of the data subject, in case the processing is legitimized by legitimate interests pursued by the controller or by a third party. The controller can refuse to fulfil such a request if they demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or regard legal claims.
This does not apply to the data subject’s right to object to processing for direct marketing purposes, including profiling—in such a case, the processing must cease.
Those questions pertain to the so-called right to be forgotten. Fulfilling the controller’s duties related to that right can in practice entail many difficulties, because, as is often the case, the GDPR does not specify exactly how the matter should be approached technically. The good thing is that the controller is not obliged to do everything possible to identify all the controllers processing the data that was made public, but only the steps that can be deemed reasonable, taking into account the available technology and implementation costs.
You’ll have to fulfil that request in cases when the data subject is entitled to request erasure of personal data, which is if:
Such decisions can be made only in three cases—when it’s necessary for entering into or performing a contract between the data subject and a controller, when it’s authorized by law, or when it’s based on the data subject's explicit consent. Moreover, decisions like these should not be based on sensitive data.
The controller needs to ensure—by setting up an appropriate communications channel and assigning personnel to service it—that a data subject can obtain a human intervention regarding such decision-making, to express their point of view, and to contest the decision.
Whether you are a controller or a processor, under GDPR you will be obliged to notify personal data breaches to supervisory authorities, and in some cases also communicate them to data subjects.
You need to prepare for such situations in advance, because when a breach happens, you won’t have much time—the controller should notify appropriate supervisory authorities within 72 hours after the controller becomes aware of the breach. In case a processor becomes aware of a breach, they need to notify the controller “without undue delay” which means “as soon as possible and practicable”. The controller may decide against informing supervisory authorities only if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In each case, the breach must be documented by a controller and the report must contain a description of the breach, its effects, and the remedial action taken.
You have to be able to notify a data breach to supervisory authority within 72 hours.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall also as a rule communicate it without undue delay to data subjects, although in some cases making a public communication about the breach will suffice.
Both controllers and processors operating in IT may need to designate a data protection officer, particularly in cases where their core business includes processing operations which require regular and systematic monitoring of data subjects on a large scale, or the processing of sensitive data on a large scale.
Such an assessment should be carried out in the case of processing that—taking into account its nature, scope, context and purposes—is likely to result in a high risk to the rights and freedoms of natural persons, in particular because of use of new technologies.
It might be required in particular cases, including:
First of all, both controllers and processors need to maintain records of their data processing activities.
In case of controllers, such records should contain in particular their company details, the purposes of processing, categories of data, recipients to whom personal data are disclosed, transfers of personal data to a third country, time limits for erasure of different categories of data, and a general description of the technical and organizational security measures they have implemented.
For processors, such records should include not only their company details, but also the company details of each controller on whose behalf they are operating, categories of processing carried out on behalf of each controller, transfers of personal data to a third country, and a general description of the technical and organizational security measures they have implemented.
There is an exemption allowing organizations employing fewer than 250 persons to not maintain such records, but it doesn’t apply if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes sensitive data. In the case of the majority of IT businesses, the processing of personal data is definitely not occasional, so it is advisable to maintain such records anyway.
Both controllers and processors need to maintain records of their data processing activities.
Apart from maintaining records of data processing activities, controllers must also remember to prepare other documents (for example descriptions of implemented procedures) demonstrating their compliance with GDPR rules, for example describing how the principles of processing of personal data are observed (including transparency, data minimization, integrity, or confidentiality).
If you’d like to keep this Q&A in a PDF file, you can download your GDPR question list here.