Key GDPR Compliance Requirements

Below is a basic overview of some of the key GDPR requirements.

The GDPR changes the way organisations collect data, as well as how they obtain, document, and manage the legal basis for processing it.

GDPR Overview

The GDPR became enforceable as law in all EU member states on 25 May 2018. It replaces the separate member-state implementations of data protection law, streamlining compliance by providing a single set of principles to follow.

The regulation’s scope encompasses all organisations that process the personal data of EU residents or monitor individuals’ behaviour within the EU, regardless of the organisation’s physical location.

The terms processing and personal data are both defined: processing is “any operation or set of operations which is performed on personal data”, and personal data is “any information relating to an identified or identifiable natural person (‘data subject’).” The GDPR sets out requirements for Controllers (entities that determine the purposes and means of the processing of personal data) and Processors (entities that process personal data as directed by a Controller).

Data Protection by Design and Default

Controllers and Processors must build data protection into new products and services that involve processing of personal data (Design) and must consider data protection in all business decisions (Default).

Lawfulness of Processing

Processing must be based on consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects.

Conditions for Consent

Consent must be freely given, specific, informed and unambiguous, and indicated by a statement or by a clear affirmative action.

Security of Processing

Controllers and Processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Data Subject Rights & Information

Controllers shall provide Data Subjects with the information set out in Articles 13 & 14. Data Subjects may access, correct, delete, restrict the processing of, and transfer (port) their personal data, and may object to automated decision-making based on it.

Data Inventory

Controllers and Processors must create centralised repositories containing records of processing activities carried out on personal data.

Data Protection Impact Assessments

Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, Controllers must, before the processing begins, assess the impact of the envisaged processing operations on the protection of personal data.

Data Protection Officer

Controllers and Processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data, must appoint a Data Protection Officer.

Controller-Processor Relationships

Controller-Processor relationships must be governed by binding contracts that set the terms of the processing to be performed and give Controllers the right to object to Sub-Processors engaged by the Processor.

Data Breach Reporting

In the event of a breach involving personal data, the Controller shall, where feasible, notify the relevant Supervisory Authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.

Helpful GDPR Resources

Here are some links to GDPR resources, which we will continue to update as regulatory authorities issue additional guidance.

Text of the GDPR, formatted with links to the relevant Recitals.

Article 29 Working Party: Definition of Consent (wp187)

EU Reform of Data Protection Rules

UK’s ICO Consultation Draft: GDPR consent guidance, March 2017

EU’s GDPR Portal: FAQ