The General Data Protection Regulation is a piece of legislation from the European Union that constitutes a shift in thinking regarding the regulation of personal data. Next to promoting standards and practices for data-protective measures, it establishes a broad framework under which the processing of personal data is considered legal. Additionally, the law affords a number of rights to individual citizens regarding personal data that is linked to them.
A major shift is that the the application of the law is not dependent on where the data is processed, but rather whether the the data owner is a European citizen. Thus, if a non-European organisation wants to cater to European citizens, they must follow the GDPR.
But what is it that organisations must comply with? Next to a host of specific details (ie. consult your lawyer), for the purpose of this whitepaper, we'll zoom in on two specific GDPR concepts: Lawfulness of Processing and Data Subject Rights.
Under the GDPR, each processor (or data-processing organisation) must prove they have a valid reason for processing personal information. These valid reasons are known as processing grounds and the resulting list of data and reasons is known as a data processing register. These processing grounds are covered by Article 6 of the GDPR. The six grounds for legal processing are as follows:
- 1.the data subject (or individual) gives consent for processing
- 2.processing is necessary for a contract
- 3.processing is necessary for legal compliance
- 4.processing is necessary to protect the vital interests of someone
- 5.processing is necessary for a task in the public interest
- 6.processing is in the legitimate interest of the processor, unless it violates the rights and freedoms of the data subject
The last one is slightly vague, and subject of ongoing discussion. Yet, we're not here to make judgements. After an organisation determines what data they process, based on which legal ground, they must share this with their data subjects. Then, they are free to process this data, with the limitation of lawsuits, legal intervention, etc.
In return for allowing the processing of their personal information, individuals (or data subjects) gain a number of rights. These rights are supposed to give individuals a sense of transparency and control over data that is essentially theirs. These rights are covered by Chapter 3 of the GDPR. We will cover them summarily as follows:
Also, data processors must communicate clearly about their data practices. Article 22 extends this right to automated decision making, more commonly known as artificial intelligence, machine learning, or more generally algorithms.
Finally, organisations must make it easy and accessible for data subject to excercise their data rights. This includes clear communication and notification, per Article 19. Lastly, exercising data rights is always free.
Per Article 15 of the GDPR, data processor must allow individuals to get access to personal information that is being processed of them. Processors must be able to hand over a copy of the data being processed belonging to the data subject. Following Article 20, this data must be provided in a commonly-used, and machine-readble format.
Per Article 16, the data subject has the right to rectify incorrect or incomplete information. Moreover, per Article 17, the data subject has the right to have parts of their personal information be removed. While there are restrictions to the application of this right, in most cases, revoked consent covers the basis of this right.
If organisations fail to comply with these, or other obligations they have under the GDPR, a local Data Protection Authority may impose a fine for the breach of obligations. The maximum for this fine is set at either €20M, or 4% of global annual turnover, whichever is higher. The potential for staggering fines is high, and over two years since becoming active, at least €259M in fines have been awarded to date.
While the General Data Protection regulation is specific to the European Union, it has inspired other pieces of legislation in the world. At least the California CCPA and Brazilian LGPD contain similar provisions and rights as the GDPR does. Several other US states, Canada, India and Australia are considering new personal information legislation, which are likely to find inspiration in the GDPR (source). Thus, investing in the GDPR is a safe bet, even if it at present only applies to a subset of customers.