In comparison to previous data protection laws, the GDPR1 gives individuals greater control over how organizations process their personal data.
Personal data consists of anything that could identify a living person, such as names, locations, emails, addresses, photos, birth date and health records to name a few.
Swiss organizations should as well consider complying with the GDPR even if not processing data of European data subjects - the Swiss Law is being reviewed in a way that will be compliant with GDPR.
Organizations that fail to comply with the GDPR requirements could face fines up to 20 million euros or 4% of annual global turnover, whichever is greater.
But complying with the GDPR is not only penalties.
By giving individuals more control, it increases accountability.
By making processes more transparent, it increases public trust.
With its implementation organizations can therefore improve their reputation and relationships with partners and clients, as well as their information governance and cyber resilience.
Personal data is any information about an identifiable natural person, including names, location data, online identifiers and anything about their physical, economic or social identity.
Data Processing is any set of operations performed on personal data, whether by automated means or not.
Data controllers are responsible for determining the purposes and means of the data processing.
Data processors are responsible for processing personal data on behalf of data controllers.
Data controllers are responsible for, and must demonstrate compliance with six data processing principles (Art. 5 GDPR):
- Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitations
Personal data must be collected for explicitly specified and legitimate purposes.
- Data minimisation
Personal data must be adequate, relevant and limited to what is necessary.
Personal data must be accurate and kept up to date.
- Storage limitation
Personal data must be retained only for as long as necessary.
- Integrity and confidentiality
Personal data must be processed in an appropriate manner to maintain security.
Data controllers must make sure that personal data is only processed when at least one the following applies (Art. 6 GDPR):
- if the data subject gives their explicit consent;
- to meet contractual obligations or to enter into a contract with the data subject;
- to comply with the data controller’s legal obligations;
- to protect the vital interests of the data subjects;
- to perform tasks carried out in the public interest or to exercise the authority vested in the data controller;
- for the purposes of legitimate interests’ pursuit by the data controller, except where overridden by the interests or fundamental rights and freedoms of the data subject.
If data processing is based on explicit consent, the data controller must ensure that data subjects can withdraw it at any time, via any medium, with the same ease as they were giving it.
When consent is withdrawn the data controller is obliged to erase the individuals data if requested, unless they can demonstrate a lawful reason to retain it.
This makes the consent the weakest lawful basis for processing, and it’s therefore always worth determining whether another lawful basis for processing can apply.
Whichever lawful basis for processing is determined to be appropriate for each processing activity, organizations must keep a record of it.
This will also help in writing privacy notices which must be provided to data subjects as part of their right to be informed when their personal data is collected, whether it’s collected directly or indirectly.
Chapter 3 of the regulation defines the rights of the data subject. These are
- the right of information;
- the right of access;
- the right to rectification;
- the right to erasure (‘right to be forgotten’);
- the right to restriction of processing;
- the right to data portability;
- the right to object;
- the right not to be subject to a decision based solely on automated processing, including profiling.
Among other requirements, data controllers and data processors must implement appropriate and proportionate technical and organizational measures to protect personal data.
Reporting of a data breach is mandatory. Data processors must report all breaches of personal data to the data controllers and data controllers are required to report to the authorities within 72 hours of their discovery if there is a risk to data subjects rights and freedoms.
Data subjects must also be notified without undue delay if there is a high risk to their rights and freedoms.
The risk may be reduced or eliminated if the data is anonymized or encrypted to the extent that it is no longer possible to identify data subjects.
Demonstrating compliance with the regulation involves taking a risk-based approach to data protection.
This means ensuring appropriate policies and procedures are in place and building a culture of data privacy and security.
If you need help on your GDPR compliance journey, contact us.