The Ultimate GDPR Practitioner Guide: Demystifying Privacy & Data Protection

By Stephen R Massey

The Ultimate GDPR Practitioner Guide provides those tasked with implementing Data Protection processes, useful information on how to achieve compliance with GDPR. The book is crammed with advice, guidance and templates and also includes a copy of the full regulation text and the supporting recitals. Topics include:

•   &nbsp

• Language: English
• Publisher: Fox Red Risk
• Release date: Dec 20, 2017
• ISBN: 9781999827229

Stephen R Massey

Stephen Massey is a highly respected Data Protection and Information Security Practitioner with over 20 years of experience. He has developed and directed international information security and operational risk functions in a range of sectors including financial services and commercial real estate. He is an acknowledged specialist in information risk & operational risk management, data protection, and third-party risk governance and has managed the successful implementation of global projects and business initiatives. Experienced with IT security controls and regulatory compliance auditing including business and IT service continuity planning, network and perimeter security, and data privacy. Stephen originally studied Physics and the University of Manchester Institute of Science and Technology (UMIST), holds a 1st Class Honours Degree in Intelligence and Security from the University of Staffordshire and a Master's Degree in Business Continuity, Security and Emergency Management from Bucks University. In addition to Stephen's academic achievements, Stephen is a Certified Information Systems Security Professional (CISSP) in good standing.

Book preview

THE ULTIMATE GDPR PRACTITIONER GUIDE:

DEMYSTIFYING PRIVACY & DATA PROTECTION

STEPHEN MASSEY MSc FIP CISSP

Fox Red Risk Publishing is an Imprint of Fox Red Risk Solutions Ltd (9997987)

27 Old Gloucester Street, LONDON, WC1N 3AX, UNITED KINGDOM

#ultimateGDPRguide

Copyright © 2017 Stephen Massey. Published by Fox Red Risk Publishing.

All rights reserved.

Please direct enquiries to info@foxredrisk.com

This publication contains information licensed under the Open Government Licence v3.0

(http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/).

This publication contain information authorised for commercial and non-commercial reuse. http://eur-lex.europa.eu, © European Union, 1998-2017

This publication contains information licenced under Creative Commons up to and including Attribution-ShareAlike Licence v4.0 (https://creativecommons.org/licenses/by-sa/4.0/legalcode).

Although the author and publisher have made every effort to ensure that the information in this book was correct at press time, the author and publisher do not assume and hereby disclaim any liability to any party for any loss, damage, or disruption caused by errors or omissions, whether such errors or omissions result from negligence, accident, or any other cause.

The information and opinions provided in this book do not address individual requirements and are for informational purposes only. They do not constitute any form of legal advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances and is not intended to be relied upon when making (or refraining from making) any specific decisions.

All terms mentioned in this book that are known to be or are suspected of being trademarks or service marks have been appropriately capitalised. The author and publisher cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark of service mark.

ISBN-13: 978-1999827205

ISBN-13: 978-1999827229 (e-book)

DEDICATION

I dedicate this book to the two most inspirational people in my life:

My late wife Kate and, my best boy Cooper

CONTENTS

PART I: THE ULTIMATE PRACTITIONER - (THE BASICS)

1. INTRODUCTION

Welcome Practitioner!

Why Should I Care about Privacy?

I am not even in the EU, so I definitely shouldn’t care…should I?

Using this Book

Key Terms

2. WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR)?

History of Privacy & Data Protection

What is GDPR?

Key Changes

Structure of GDPR

What is Personal Data?

What is Sensitive Data?

Comparison with US Privacy Legislation

Establishing Lawful Grounds for Processing

Consent

Consent and Children

The Controller & the Processor

The Supervisory Authority

Consequences of Non-Compliance

3. QUICK START CHECKLIST

Appoint a Data Protection Officer (DPO)

A Project Approach

No (Wo)man is an Island

Management Systems & Standards

Data is King!

The 12 (initial) Steps to Compliance

4. GDPR PRINCIPLES & DATA SUBJECTS’ RIGHTS

The Six Principles

The Eight Rights

5. THE DATA PROTECTION OFFICER (DPO)

What is the DPO?

Do I need a DPO?

Tasks of the DPO?

Qualities of a DPO?

Relationship with the Supervisory Authority

A Protected Species

Data Protection Officer as a Service (DPOaaS)

PART I: THE ULTIMATE PRACTITIONER (IMPLEMENTATION)

6. AWARENESS

Stakeholder Analysis

Communications Planning

Communications Plan Template

Awareness through Learning

Lesson Plan Template

7. DATA PROTECTION POLICIES AND PRIVACY NOTICES

Standardised Terminology

Policy Framework

Policy Life-Cycle

Drafting Policy

Procedures, Guidelines, Standards, Methodologies & Templates

Policy Enforcement

The Data Protection / Privacy Notice

Example General Data Protection Policy

Example Privacy Notice

8. INFORMATION AUDITS & PROCESS MAPPING

The Information Audit

Record Keeping

Process Mapping

9. DATA PROTECTION IMPACT ASSESSMENT

What are the minimum requirements for a DPIA?

When is a DPIA Required?

Exceptions

Consultation

Codes of Conduct

Standalone or Integrated?

The DPIA Process

Example Data Protection Impact Assessment (DPIA) – Initial and Full Reports

Example Initial DPIA

Example Full DPIA

10. INFORMATION SECURITY

What is Information Security?

Know your Environment

The CIRAN Paradigm

Information Risk Management (IRM)

Information Security Management Systems(ISMS)

Defence Detect Manage (DDM)

Security Assessment

Security Metrics

11. DATA PROTECTION BY DESIGN & BY DEFAULT

Information Life-Cycle & Records Management

Information Classification

Systems Development Life Cycle (SDLC)

End User Computing Applications (EUCA)

Consent Mechanisms

Data Minimisation

Privacy Dashboards

Just-in-time Privacy Notices

Pseudonymisation

Encryption & other Cryptographic Techniques

Identity and Access Management (IAM)

Data Protection and APIs

OWASP Top 10

Data Protection and Database Design

Artificial Intelligence / Big Data / Analytics

Computer Vision & CCTV

Data Protection Design Specification Template

12. INCIDENT MANAGEMENT & BREACH NOTIFICATION

What is a Data Breach?

The Incident Response Life-Cycle

Calculating Data Breach Severity

Notification to the Supervisory Authority

Notification to Data Subjects

13. DATA SUBJECT ACCESS REQUESTS (DSAR)

What is a Data Subject Access Request (DSAR)?

Key changes to Data Subject Access Requests

FOI or DSAR?

Exemptions

Common concerns raised by Data Subjects

The Subject Access Request Process

14. THIRD PARTIES & OUTSOURCING

The Controller-Processor relationship

Data Protection through the Procurement and Supply Life-Cycle

Example Data Protection Detailed Specification

15. THIRD COUNTRIES AND ORGANISATIONS OUTSIDE THE EU

Adequacy

Safeguards

Derogations

Designating a Representative

PART II: THE EU GENERAL DATA PROTECTION REGULATION

I: GENERAL PROVISIONS

Article 1: Subject-matter and objectives

Article 2: Material scope

Article 3: Territorial scope

Article 4: Definitions

II: PRINCIPLES

Article 5: Principles relating to processing of personal data

Article 6: Lawfulness of processing

Article 7: Conditions for consent

Article 8: Conditions applicable to child's consent in relation to information society services

Article. 9: Processing of special categories of personal data

Article. 10: Processing of personal data relating to criminal convictions and offences

Article 11: Processing which does not require identification

III: RIGHTS OF THE DATA SUBJECT

Article 12: Transparent information, communication and modalities for the exercise of the rights of the Data Subject

Article 13: Information to be provided where personal data are collected from the Data Subject

Article 14: Information to be provided where personal data have not been obtained from the Data Subject

Article 15: Right of access by the Data Subject

Article 16: Right to rectification

Article 17: Right to erasure (‘right to be forgotten’)

Article 18: Right to restriction of processing

Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing

Article 20: Right to data portability

Article 21: Right to object

Article 22: Automated individual decision-making, including profiling

Article 23: Restrictions

IV: CONTROLLER AND PROCESSOR

Article 24: Responsibility of the Controller

Article 25: Data protection by design and by default

Article 26: Joint Controllers

Article 27: Representatives of Controllers or Processors not established in the Union

Article 28: Processor

Article 29: Processing under the authority of the Controller or Processor

Article 30: Records of processing activities

Article 31: Cooperation with the Supervisory Authority

Article 32: Security of processing

Article 33: Notification of a personal data breach to the Supervisory Authority

Article 34: Communication of a personal data breach to the Data Subject

Article 35: Data protection impact assessment

Article 36: Prior consultation

Article 37: Designation of the data protection officer

Article 38: Position of the data protection officer

Article 39: Tasks of the data protection officer

Article 40: Codes of conduct

Article 41: Monitoring of approved codes of conduct

Article 42: Certification

Article 43: Certification bodies

V: TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Article 44: General principle for transfers

Article 45: Transfers on the basis of an adequacy decision

Article 46: Transfers subject to appropriate safeguards

Article 47: Binding corporate rules

Article 48: Transfers or disclosures not authorised by Union law

Article 49: Derogations for specific situations

Article 50: International cooperation for the protection of personal data

VI: INDEPENDENT SUPERVISORY AUTHORITIES

Article 51: Supervisory Authority

Article 52: Independence

Article 53: General conditions for members of Supervisory Authority

Article 54: Rules on the establishment of the Supervisory Authority

Article 56: Competence of the lead Supervisory Authority

Article 57: Tasks

Article 58: Powers

Article 59: Activity reports

VII: COOPERATION AND CONSISTENCY

Article 60: Cooperation between the lead Supervisory Authority and the other supervisory authorities concerned

Article 61: Mutual assistance

Article 62: Joint operations of supervisory authorities

Article 63: Consistency mechanism

Article 64: Opinion of the Board

Article 65: Dispute resolution by the Board

Article 66: Urgency procedure

Article 67: Exchange of information

Article 68: European Data Protection Board

Article 69: Independence

Article 70: Tasks of the Board

Article 71: Reports

Article 72: Procedure

Article 73: Chair

Article 74: Tasks of the Chair

Article 75: Secretariat

Article 76: Confidentiality

VIII: REMEDIES, LIABILITY AND PENALTIES

Article 77: Right to lodge a complaint with a Supervisory Authority

Article 78: Right to an effective judicial remedy against a Supervisory Authority

Article 79: Right to an effective judicial remedy against a Controller or Processor

Article 80: Representation of Data Subjects

Article 81: Suspension of proceedings

Article 82: Right to compensation and liability

Article 83: General conditions for imposing administrative fines

Article 84: Penalties

IX: PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS

Article 85: Processing and freedom of expression and information

Article 86: Processing and public access to official documents

Article 87: Processing of the national identification number

Article 88: Processing in the context of employment

Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Article 90: Obligations of secrecy

Article 91: Existing data protection rules of churches and religious associations

X: DELEGATED ACTS AND IMPLEMENTING ACTS

Article 92: Exercise of the delegation

Article 93: Committee procedure

XI: FINAL PROVISIONS

Article 94: Repeal of Directive 95/46/EC

Article 95: Relationship with Directive 2002/58/EC

Article 96: Relationship with previously concluded Agreements

Article 97: Commission reports

Article 98: Review of other Union legal acts on data protection

Article 99: Entry into force and application

PART III: THE RECITALS

THE RECITALS

1:37 - General Provisions

38:57 - Principles (38:57)

58:73 - Rights of the Data Subject

74:100 - Controller and Processor

101:116 - Transfers to Third Countries or International Organisations

117:131 - Independent Supervisory Authorities

131:140 - Cooperation and Consistency

141:152 - Remedies, Liabilities and Penalties

153:165 - Processing Relating to Specific Processing Situations

166:170 - Delegated Acts and Implementing Acts

171:173 - Final Provisions

LIST OF EUROPEAN UNION DATA PROTECTION AUTHORITIES

ABOUT THE AUTHOR

ACKNOWLEDGMENTS

This work would not have been possible without all the people I have interacted with over my career as an information security and data protection professional. The questions I have asked and have been asked of me; the projects I have worked on or supported and; the curve balls batted at me or batted away; have all shaped the content of this book in some way. Without these experiences, this book would not be quite so ‘Ultimate’.

I would, however, like to single out some people who have been especially noteworthy in regards to making this book possible.

I would like to thank Judith Milne, for scrutinising the copy of this book with a hawk-like eye. There is only so much automated grammar, and spell checkers can do – and they can never tell you whether the content actually makes sense!

I would like to thank my father-in-law, Alasdair. Thank you for all the support, the interest you take means a lot!

I would like to thank Andy Johnson for proof-reading the information security and data protection by design and default sections. Without his input, who knows what I would be classifying as encryption!

I would also like to thank the keen legal minds that are Elly Rich & Richard Pooley for their contributions to the Data Protection Policies and Privacy Notices, Outsourcing and Third Country Transfers chapters.

A worthy mention must go out to all the Data Protection and Information Security Practitioners on sites such as LinkedIn who have inspired some of the content of this book and have also give me regular pause to contemplate ‘have I covered that?’

While this book is dedicated to my wife Kate, without her enduring support (and tolerance), it simply would not have been possible. I will try and have a little break before the next ‘project’…maybe…

PART I: THE ULTIMATE PRACTITIONER - (THE BASICS)

1. INTRODUCTION

Welcome Practitioner!

Hi Reader. Thank you for taking the time to read my book on the EU General Data Protection Regulation. I know your time is precious so I will try and keep this introduction reasonably short. This book aims to give Practitioners a ‘one-stop’ reference guide for implementing the requirements of GDPR within their organisation. The style of the book is somewhat conversational. I have read a lot of stuffy textbooks, and they often do not encourage engagement with the material. I have read a lot of academic books too which talk about the ideas behind something but don’t offer the reader a lot in the way of practical help.

I hope to bring my personality and experience into this material and provide something that is both engaging but more importantly, useful! So who am I? Well, I am a practical, pragmatic, problem-solving, personable, passionate and (sometimes) playful Practitioner who wants to share my knowledge on the subject of Data Protection. This experience has been gained over the last 20 years from when I was initially introduced to the data protection back in 1998. Before we get properly going, a quick disclaimer: Reading this book alone will not make you compliant with GDPR. As you read each chapter, it is highly likely you will identify things you need to change with regards to the way your organisation processes personal data. Every organisation will have its way of meeting the spirit of the regulation, and it would not be practical for me to cover every possible way you could achieve compliance in a single book. Additionally, there are some things in the Regulation which we will not discuss in great detail because it is not relevant in an organisational context. A good example, I am not going to spend too much time waffling about things such as article 97’s requirement for the European Commission to write a report on GDPR every four years. What this book aims to do is serve to show you what your obligations are and then suggest ways you can meet these obligations.

Why Should I Care about Privacy?

Ok, so now we have got the disclaimers out of the way, I just wanted to say: It is often common to think of regulatory compliance as a dull and boring tick-box exercise, but I hope you feel privacy is different. Here in Europe, it is an important human right we must strive to protect. When we get privacy and data protection wrong, real lives are affected. When privacy is invaded, it can often leave people feeling violated and distressed. This sense of foreboding is precisely why the governments of Europe have strengthened privacy laws and enhanced the enforcement action which can be imposed on an organisation when rights are violated.

Now, enforcement action, such as a fine, means something has already gone wrong. I am keen to help as many organisations as possible avoid a situation where they are going to be issued a fine or suffer some other form of enforcement action, and that is why I have decided to write this book…but also because they say everyone has at least one book in them…it’s definitely not to make money as a book like this is highly unlikely to end up in the New York Times Bestsellers list!

DID YOU KNOW: Privacy is only mentioned twice in the text of General Data Protection Regulation, and that is in reference to the Directive on Privacy and Electronic Communications.

I am not even in the EU, so I definitely shouldn’t care…should I?

Hang on a minute; my company is not based in the European Union; GDPR is not something I need to pay much attention. Well, maybe and maybe not. If you are operating in an organisation – anywhere in the world – that processes personal data relating to an EU citizen, you need to sit up and take note. The reason you must take GDPR seriously is that GDPR has ‘extra-territorial applicability’. Extra-territorial applicability means the Regulation applies to the processing of EU personal data by Controllers that are not established in the Union, but in a place where Member State law applies by virtue of public international law. So essentially, if you are in a country where the rule of law applies, and you have EU customers, your data processing activities are in scope of GDPR.

Using this Book

Naturally, I would recommend reading the whole book first before doing anything but I know not everybody will do that, so I have laid this book into three main parts. The aim is to give three different types of Practitioner the best possible experience. If you are the kind of Practitioner who is completely new to the topic, then you can keep to PART I and work on the principle the Practitioner guidance aims to implement the Regulation in a relatively generic way. Once you have got to the stage where you have a basic, boilerplate programme, I would then recommend reading PART I in conjunction with PART II and PART III to tweak your basic programme to better suit the needs of your organisation. Don’t worry too much if you keep to just this part of the book as there are references to the other parts where relevant.

If you are a more experienced Practitioner or the kind of Practitioner who wants to check the regulation as you go, in order to tweak and modify the guidance in PART I, you can delve into PART II. This part of the book contains a replication of the General Data Protection Regulation (GDPR) text – all ninety-nine articles! In this part of the book, you can get the exact wording of the Regulation, so you can make your own interpretations as to how you should implement a specific clause, in a way that best suits your organisation. As mentioned earlier, it is not possible to give a perfect solution to every scenario in one book, so it is important, as a more experienced Practitioner, to be able to delve into the text of the Regulation.

It is also useful to have a physical copy of the text available because having the ability to show someone in your organisation offline can be a lifesaver. Just showing a person precisely what the text says, can be the simplest way to clarify why you are asking them to do something in a certain way. I did toy with the idea of merely referencing to the online locations of the GDPR and associated recitals, but with the kind permission of the Publications Office of the European Union, I have included them in full. It is not to pad out the pages but because many of us read on the train on the way into work or, may not be near an Internet connection when the ‘challenging’ question gets raised.

The final audience I had in mind for this book is the Zen Practitioner. If you are a Zen Practitioner, you not only want to know the letter of the Regulation but, also the spirit of the Regulation and how it has been interpreted thus far. As such you should use all sections of the book including: ‘PART III: THE RECITALS’. Part III explains what the lawmakers, who created the GDPR, intended when they included specific prose. A Zen Practitioner understands when you combine all parts of the book you get a deeper understanding of the GDPR and how it is most likely to affect you and your organisation. Throughout the book, I have placed some questions and short summaries in boxes. These are to encourage self-reflection or drive home the importance of a particular concept. In addition to these boxes, there are also grey boxes ‘Did you know’ items and examples. These nuggets of information, identified during the research for this book are included for interest and deeper understanding. Whichever Practitioner type you are, and however you use this book, I am sure you will get at the very least something out this book so without further ado, let’s get started!

What type of Practitioner do you want to be?

Key Terms

The following definitions are crucial to understanding the General Data Protection Regulation. When dealing with personal data, you must keep the following definitions in mind as they will be vital to understanding your data protection roles and responsibilities. This list is not exhaustive and more terms will be described throughout the book but initially, the most useful are as follows:

Natural Person: Essentially an EU citizen who is alive. A Natural Person may also be referred to as a Data Subject.

Child: For the purposes of GDPR is a Natural person who requires parental consent, usually if they are below 16. The EU Member States can, however, reduce the requirement for consent to those no younger than 13 (i.e. if the Natural Person is over 13 parental consent would not be required).

Personal Data: any information relating to an identified or identifiable Natural Person (or ‘Data Subject’); an identifiable Natural Person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Natural Person.

Sensitive Data: special categories of information relating to an identified or identifiable Natural Person (or ‘Data Subject’). Examples include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, sex life of sexual orientation.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a Natural Person, in particular to analyse or predict aspects concerning that Natural Person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Consent: any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

EU Member State: any country party to the founding treaties of the European Union (EU) and thereby subject to the privileges and obligations of membership. Member States are subject to binding laws in exchange for representation within the common legislative and judicial institutions.

Third Country: any country which is not an EU Member State (e.g. USA, India, China or the Philippines)

Supervisory Authority: the regulator within a European country who will provide regulatory oversight for GDPR, provide guidance and advice and, where necessary impose corrective actions or administrative fines.

Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Protection Impact Assessment (DPIA): An assessment of the impact of the envisaged processing operations on the protection of personal data and the rights and freedoms of natural persons.

Subject Access Request (SAR): A request, made by a natural person, to access personal data held by a Controller or Processor,

Data Protection Officer (DPO): a person with expert knowledge of data protection law and practices who assists the Controller or Processor to monitor internal compliance with GDPR. Such data protection officers, whether or not they are an employee of the Controller, should be in a position to perform their duties and tasks in an independent manner.

2. WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR)?

In this chapter, we will look at the General Data Protection Regulation in more detail. We will look at the origins of privacy and how data protection developed from idea to legislation. We will look at the key changes GDPR brings into European Law and discuss the structure and related instruments. We will then look at the criteria an organisation must use to confirm their processing activities are lawful. Finally, we will delve into the consequences should processing be determined unlawful.

History of Privacy & Data Protection

Before diving into the GDPR itself, it is useful to understand how we got to a stage whereby we need such a comprehensive piece of legislation. It is essential to know why is privacy so important to EU citizens and others across the world. People may be surprised to know that the concept of privacy is not new. Privacy concerns, in reasonably crude form, can be traced back to at least 1499 C.E. in terms of an old axiom which purports "An Englishman’s home is his castle". The premise is that a person – well at that time an English man – was protected by the law of the land from a servant of the Crown entering their property and either confiscating items or taking their liberty. A case in the 17th century, Semayne v Gresham [01 January 1604] clarified the Crown did have the right to enter a person’s house but should let the resident know they are coming and the reason - before breaking down the doors! At this stage in history, citizen’s concerns about privacy tended to focus on issues such as trespass. People were not typically concerned about privacy in regards to information. There are many reasons which could explain this, but it is possible literacy played the most prominent part.

Johannes Gutenberg had invented the printing press circa 1440, which dramatically increased the spread of information across the world. However, illiteracy rates remained as high as 50% well into the mid-18th century for men, and women’s illiteracy was, dreadfully, a lot higher at 75%¹. As literacy rates improved at the turn of the 20th century, so too did people’s attitudes to the paradigm of information privacy. It is no coincidence at the same time governments realised both the importance of information and the need to protect information. The idea of data protection as a component of privacy had now been conceived.

Johannes Gutenberg (1398-1468) – Father of Mass Communication ²

For those with a global view, privacy is not an issue solely in Europe. In the United States, census data has been collected since at least 1790³, and at that time there were only four questions on the form. By 1890 the number of questions had mushroomed considerably, becoming more and more intrusive in nature. What made this issue concerning at the time was the practice of making copies of the census data freely available to facilitate error checking. Given census information contained significant amounts of personal data, it was not too long before people began to raise concerns resulting in the practice of publishing census data becoming illegal in 1919. As history went on to show, it is clear the concerns of US citizens were valid. 1930s Europe saw what is probably the clearest example of how personal data in the wrong hands can lead to unspeakable atrocity. According to the book ‘IBM and the Holocaust’⁴ by Edwin Black, Nazi Germany formed a strategic alliance with IBM, which involved the leasing, custom design and support of a punch card and card sorting ‘computer’ to organise census data to identify Jewish citizens systematically.

Hollerith D-11 Card Sorting Machine⁵

This automated data processing enabled Nazi Germany to dramatically increase the efficiency of their extermination campaign to the extent approximately six million Jews were killed. It cannot be understated how much this event shapes the way Europeans value privacy.

Shortly after the war on the 10 December 1948, the UN General Assembly adopted the Universal Declaration of Human Rights. Within the declaration is Article 12, which enshrined the right to privacy. In 1950 this right to privacy was also enshrined within Article 8 of the European Convention on Human Rights (ECHR). The ECHR introduced a means for seeking judicial remedy through the European Court of Human Rights. Data protection was by then at the embryonic stage. Up until the 1960s, privacy was still very much centred around family life and a person’s home. There was, however, growing concern a person’s privacy in the home could now be interfered with through the use of technology, namely through phone-tapping and other forms of surreptitious observation. These concerns ultimately led in 1968 to the publication of Recommendation 509 which recommended a study, the topic of which was whether the Member States adequately protected its citizens’ rights under Article 8 of the ECHR and if the Member States did not, what courses of action should be taken. The proceeding study identified multiple issues which led to resolutions 73 (22)⁶ and 74 (29)⁷. Around the same time, a US Advisory Committee Report on Automated Data Systems was published making similar recommendations. From this point Data Protection as we know it today was born.

In 1980 the Organisation for Economic Co-Operation and Development (OECD), understanding the economic potential of data, issued guidelines on how privacy rights could be protected in the context of data flowing between nation states (not just those in Europe). Following shortly on from the OECD guidelines, in 1981 the Council of Europe published Convention 108, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Convention 108 was the first international legal instrument designed solely for Data Protection. It introduced into European law a formal definition of personal and sensitive data, lawful processing and retention limitations. The convention included Data Subjects’ rights to access and rectification, and limited data flows to countries which did not offer Data Subjects sufficient legal protections. Technology progress in the 1980s rapidly changed the world, and it was clear data protection legislation needed to be updated to keep pace. Not only that, because the Treaty of Rome codified the four freedoms relating to the movement of goods, services, capital and people, it was becoming more and more challenging for companies to operate without equivalence in data protection legislation. To answer this challenge, the European Union published the 1995 EU Data Protection Directive. The 1995 Directive has since been translated into Member State law, but over the last 22 years, technology has once again marched on ahead of the legislation. While other legal instruments have been introduced to offer additional protections, it was not enough, and so, in 2011, the European Data Protection Supervisor kick-started what was to become the EU General Data Protection Regulation (GDPR). Data Protection had now reached maturity!

What is GDPR?

The General Data Protection Regulation (GDPR) is a Pan-European piece of legislation implemented by the European Parliament and Council to significantly strengthen Data Subject’s rights in regards to how their data is used. GDPR applies⁸ to two kinds of data. Personal Data and Sensitive Data. GDPR does not apply to the processing of personal data relating to criminal convictions⁹ and offences, and in some instances, restrictions¹⁰ may apply, for example, national security or defence.

As discussed in the previous section, GDPR is the result an evolution in law over some years to bring data protection legislation into line with the way data is used in the 21st Century. Essentially, this update brings data protection kicking and screaming into the modern world we live in where pretty much every aspect of our daily lives requires the processing of personal data in some form or another. Not only did data protection legislation need updating it also required streamlining. All over the EU, national Data Protection Laws exist as a result of Member States translating the 1995 EU Data Protection Directive into local law. GDPR replaces all these local laws and introduces a single piece of legislation. GDPR now has sharp teeth too. The regulation adds harsher fines for non-compliance and breaches but also gives people much more say over what companies can do with their data.

The primary motivations behind the GDPR are: Firstly, the EU wants to give people more control over how their personal data is used, bearing in mind that many companies like Google and LinkedIn swap access to people's data for the use of their products. Current legislation was drafted before the internet and cloud technology created the novel ways of exploiting data which are ubiquitous in our lives. GDPR seeks to address this imbalance. By strengthening legislation and introducing stricter enforcement measures, the EU is striving to improve consumer trust. Secondly, the EU wants to give businesses a more straightforward, more explicit legal environment in which to operate, making data protection law identical throughout the single market. The GDPR will apply in all EU Member States from 25 May 2018. Because GDPR is a regulation, not a directive, EU nations do not need to draw up new legislation - instead, it will apply automatically. While it came into force on 24 May 2016, businesses and organisations, whether operating physically in the EU or not, have until 25 May 2018 until the law applies. The clock is ticking!

Key Changes

Your exposure to Data Protection legislation will likely depend on what your organisation does and your role within the organisation. If you skipped the history section, you might not know this, but there has been legislation to protect personal data for well over 20 years, however, at the time the current legislation was drafted, the world was quite different. GDPR aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the previous 1995 directive was established. So what has changed in the legislation? Well, the key changes included in GDPR are as follows:

Increased Territorial Scope (extra-territorial applicability): One of the most significant changes to EU data privacy comes with the extended jurisdiction of the GDPR - it now applies to all companies processing the personal data of Data Subjects residing in the EU, regardless of the company’s location. If you thought the prior legislation was ambiguous, GPDR now makes its applicability very clear - it will apply to the processing of personal data by Controllers and Processors in the EU, regardless of whether the processing takes place in the EU or not. GDPR will apply to the processing of personal data of Data Subjects in the EU by a Controller or Processor not established in the EU, where the activities relate to offering goods or services to EU citizens - irrespective of whether payment is required. For example, if your organisation provides an app for free but monetises users’ personal data. In addition, Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU. (See Chapter 14).

Consent & Withdrawal of Consent: The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent. Consent must be explicit and distinguishable from other matters and must use clear language. GDPR introduces a material change to consent making it a requirement for consent to be as easy to withdraw¹¹ as it is to give.

Children and Consent: When it comes to children, there are additional requirements. A child is a Natural person who requires parental consent, usually if they are below 16 years of age. You must make reasonable efforts to confirm parental consent is provided by a person who holds parental responsibility for the child (e.g. the biological mother or father).

Other Additional Rights: In addition to the already mentioned changes, there are also increased rights for EU citizens which we will discuss a little later but include the following:

1.Breach notification: the right to be informed if their data has been compromised

2.Expanded Subject Access: in addition to current rights, rights also include access to information about how their data is being processed, where and for what purpose.

3.Right to be Forgotten: entitles the Data Subject to have the data Controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

4.Data Portability: the right for a Data Subject to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine-readable format' and have the right to transmit that data to another Controller.

So as you can see, there are quite a few changes, and that is going to mean you and your organisation are going to have to work out how this will impact the way you process data and what you need to do to make sure you are compliant with the new regulation.

Structure of GDPR

The General Data Protection Regulation is a legal instrument drafted by the European Parliament. As it is a Regulation, it is not required to be converted into Member State Law. The Regulation replaces¹² Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the ‘protection of individuals with regard to the processing of personal data and on the free movement of such data’. GDPR makes it explicitly clear the processing of data for criminal offences is outside its material¹³ (and territorial) scope. Accompanying GDPR is a separate legal instrument. Directive (EU) 2016/680 on the ‘protection of Natural Persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data’. This Directive has been drafted because the Member States wish to retain more control over the processing of personal data about criminal activity. However, whilst out of the scope of GDPR, GDPR does recommend there should be equivalency in the protection of relevant personal data across all Member States.

DID YOU KNOW: Because 95/46/EC was a Directive, Member States were required to create new legislation or update existing laws. In the case of the United Kingdom, this needed an update of the 1984 Data Protection Act which then became the 1998 Data Protection Act. Local laws also provided the opportunity for the Member States enshrine into the statute books derogations from the Directive and in some cases enhancements. For example, the UK chose not to include a Data Protection Official and Germany decided to make the Data Protection Official a protected role.

In addition to 2016/680, Practitioners should also be aware of 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). You may not be aware of the directive by name, but you are most likely aware of its impact on every website you visit with those lovely cookie notifications. This Directive is due to be replaced with a new ePrivacy Regulation (so again will not require transposition into Member State law) and aims to ensure the same privacy controls, that apply to telecommunications providers currently, will apply to electronic messaging services (e.g. Skype or WhatsApp). The proposed regulation will also introduce the requirement to gain consent for a messaging service to collect metadata (e.g. when and where a message was sent or received), require marketing callers to identify who they are (e.g. through caller ID) and, thankfully, improve the way end users are informed about cookies! Regarding interaction, the ePrivacy Regulation will be lex specialis to GDPR, which means its provisions will override those within GDPR. While it is useful to know Directives 2016/680, 2002/58/EC and the proposed ePrivacy Regulation exist and, how they relate to GDPR, further discussion on content and application is out of the scope of this book.

Now to the primary legislation of this book. GDPR is split into 99 Articles across 11 chapters. The first chapters focus on the Data Subject and rules for data processing. Chapter I deals with general provisions such as scope and definitions. Chapter II covers the data protection principles. Chapter III sets out Data Subjects’ Rights. Chapter IV details the roles and responsibilities of Data Processors and Controllers. This chapter also covers the designation, position and tasks of the Data Protection Officer. Chapter V contains the requirements relating to data transfers to Third Countries outside the European Union. The latter chapters focus more on governance and oversight activities. Chapter VI discusses the roles and responsibilities of the Supervisory Authorities and how an Authority can enforce the Regulation. Chapter VII discusses how the Member States are to cooperate to ensure the regulation is consistently applied and enforced. Chapter VIII details remedies, liability and fines. Chapter IX sets out rules relating to specific situations such as the use of personal data in an employment context or where there are obligations of secrecy. Chapter X codifies certain delegated acts and committee procedural elements. Finally, Chapter IX contains administrative prose relating to the repeal of previous legislation and dates whereby GDPR will come into force and subsequently apply.

What is Personal Data?

Personal Data¹⁴ is: "any information relating to an identified or identifiable Natural Person (or ‘Data Subject’); an identifiable Natural Person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification