GDPR – What does it all mean? Nuts and Bolts

In last week’s article, I provided an overview of GDPR and covered the basics – GDPR Overview – Do they mean me? This week I want to look in detail at some of the technical elements and requirements of GDPR and what they mean for your business.

As we learned last week, GDPR has 99 articles, divided into these sections:

  • General provisions (1-4)
  • Principles (5-11)
  • Rights of the data subject (12-23)
  • Controller and processor (24-43)
  • Transfers of personal data to third countries or international organisations (44-50)
  • Independent supervisory authorities (51-59)
  • Cooperation and consistency (60-76)
  • Remedies, liability, and penalties (77-84)
  • Provisions relating to specific processing situations (85-91)
  • Delegated acts and implementing acts (92-93)
  • Final provisions (94-99)

As you can see, there is plenty to go around here. Before you go running for the hills, the key areas that I would recommend you are familiar with are covered in:

  • Principles (5-11)
  • Rights of the data subject (12-23)
  • Controller and processor (24-43)

That’s not saying that the others aren’t important, but these are the core ones you’ll probably return to in your on-going GDPR compliance work. Notice I say ‘on-going’ because it will be something that needs to be maintained and monitored in your business. In many ways, it’s best to think of it and develop it as a GDPR attitude.


If you are struggling with GDPR Compliance and don’t know where to start Buzz Web Design & Consultancy has put together a helpful pack to get you started on the road to compliance by 25th May 2018 – GDPR Compliance Pack 


Principles – Why am I gathering and processing this data?


As a business, you need to understand why you are gathering and processing data. On a simple contact form, you may ask for a telephone number. Analyse why you are asking for this data. This is where ‘principles’ come into effect – GDPR has six principles under which you can gather and process data lawfully:

  1. Consent – the data subject has given clear consent for one or more specific purposes, and that consent can be revoked at any time by the data subject. For example, signing up for a newsletter on a website.
  2. Contractual necessity – the processing is necessary for the performance of a contract that the data subject has entered into. For example, employee payment data, required to enable the employer to comply with a legal obligation (social security data). Ask yourself: is this required to deliver an agreement with an individual?
  3. Legal obligation – the processing of data is a legal obligation to which the data controller is subject. For example, obligations for employment and social security reasons. Ask yourself: am I required to do this by law?
  4. Protect vital interest – to protect the vital interests of the data subject or another person. An example might be a psychiatrist: your data is private unless you are harming yourself or others. Ask yourself: am I doing this to protect someone’s life?
  5. Public interest – the processing is necessary for the performance of a task carried out in the public interest. Examples might be for taxation or public health reasons. Ask yourself: is the processing required for a legally defined public purpose?
  6. Legitimate interest – this would be a compelling reason for businesses that work with one another and have to transfer data between each other. An example might be an intra-group transfer of employee/client data for admin purposes. Or direct marketing – promoting special offers to an existing customer via post. In these cases, the legitimate interest of the business might prevail, as it’s not unreasonable for a business to promote offers to existing customers or to need to transfer data between businesses within a group. There is little impact on the individual in these cases. Ask yourself: would this processing surprise the individual, given our relationship?

Being familiar with these principles will help keep your business lawful and on the right side of GDPR.


Rights of the data subject – Know your customer’s rights


The next area to be up to speed on is the rights of data subjects, your customers. There are five rights to be familiar with:

  1. Right to be forgotten – this is one that will crop up a lot. The data subject can request that their data be deleted, i.e. that they be forgotten. GDPR states it shall be as easy to withdraw consent as it is to give it. Deletion is allowed when the processing no longer has a lawful basis (i.e., none of the six principles above apply). Data can sit in storage after it’s used, and some data subjects may want it deleted rather than leave it in someone else’s custody.
  2. Right to object – data subjects have the right to object to the processing of their data in most situations. Direct marketing may be one such example. Once a request for objection is received, the controller must stop their processing activities.
  3. Right to rectification / correction – data subjects have the right to have inaccurate data rectified or to have incomplete data completed. If the inaccurate information was disclosed to a third party, the controller must inform that third party of the correction where possible. Controllers must correct inaccurate or incomplete information upon request by the data subject.
  4. Right of access – data subjects have a right to access their data. Unless the quantity of requests is excessive, you cannot charge for this. They have a right to a copy of this data and also to understand how long the data will be, or has been, stored.
  5. Right of portability – data subjects can receive their data and have the right to transmit that data to another controller without hindrance upon request. Data should be transferred wherever it is technically feasible, without prejudice.


Controller and processor – Know your responsibilities


The controller and processor articles – specifically Articles 24 and 28 – concern themselves respectively with the responsibilities of the data controller and the data processor. Both terms were explained in last week’s article – GDPR Overview – Do they mean me?

The Data Controller – What are my responsibilities? Article 24

Article 24 is important to understand because it outlines the specific tasks a controller is responsible for in that role. There are four primary responsibilities outlined in Article 24. The first is to have appropriate measures in place. These are both technical measures and processes. Documenting those processes and measures can show an organisation’s diligence. Be sure to put in audit mechanisms to be able to show those measures as evidence.

Next is to understand the data being processed. A data mapping exercise will help with this. Understand what data the business holds and why it holds it. Additionally, understand the probability and impact of losing that data. This enables you to determine the appropriate measures based on the criticality of the data. Third is to protect the data. This task is based on the nature of the data and its criticality. An organisation needs to have a policy, and it needs to be communicated and readily available.

Finally, the fourth responsibility is to have a code of conduct. This should also be a written policy. These four tenets are the core responsibilities of a data controller. In the next article, I’ll explain what this means in practice in your business.

The Data Processor – What are my responsibilities? Article 28

Article 28 is important to understand because it outlines the specific tasks a processor is responsible for in that role. There are four primary responsibilities outlined in Article 28. The first is implementing security measures. How this is implemented depends on the nature of the data and how it is being handled.

Second is the use of subprocessors. This happens when a processor outsources some part or all of the data processing to a third party. A subprocessor is bound by the same data protection obligations set out in the processor’s contract with the controller. The controller’s explicit consent is required for this to be lawful.

The third is that the processor must ensure there is a contract in place with the controller. Components to include in the contract are whose data is being processed, the categories of data subjects, which data is included, what that data is, and how it is being used. The contract should additionally list out the responsibilities of both the controller and the processor.

Finally, the processor must ensure they only process in-scope data. They should keep records of their processing activity and logs to review. These logs can be used as evidence in case of an audit. It’s important to note that the processor can be held accountable, just like the data controller, if they violate any of these responsibilities.

These are the four core responsibilities of a data processor.

Finally …

I’ve covered a lot of ground here around the nuts and bolts of GDPR and the areas to be familiar with. In summary, there are 99 GDPR articles, of which three key areas should be understood:

  • principles – why are you gathering and processing data
  • rights of the data subject – your employee or customer
  • responsibilities of you, as the data controller or data processor

For more information on GDPR:

ICO’s Guide To GDPR

In the next article, I’ll look more closely at how you practically go about assessing your business for GDPR compliance, using a step-by-step approach.

If you are unsure about GDPR and what it might mean for your business, feel free to contact me for a free 15-minute chat. Contact Me


Buzz Web Design and Consultancy