What are the Rules on Processing Data under GDPR?
GDPR is fundamentally a new framework for processing personal data. We have previously looked in detail at the lawful grounds for processing data (including consent). But as well as having a lawful basis, the processing must also be carried out properly and securely.
The Regulation sets out a number of principles governing the collection and use of personal data, following the overall philosophy of “data protection by design and by default”. The main principles (in Article 5 unless otherwise stated) are as follows:
You must keep data subjects informed
GDPR sets out (at Article 13) a number of pieces of information which must be provided to data subjects when their personal data is collected. Note that this applies even if you will not be relying on their consent. The information provided must include:
- The data controller’s identity and contact details (as well as those of any data protection officer and/or EU representative).
- The purposes and lawful grounds of the processing (and where legitimate interests are relied upon, what they are).
- Who else (if anyone) the data will be transferred to. If you plan to transfer the data to a non-EU country or an international organization, you must also include the grounds relied upon to justify this (which we will look at in a later article).
- The period for which the data will be stored (or how this period will be determined).
- The data subject’s rights to access their data, have it rectified, erased or transferred, or restrict or object to processing (all of which will be considered in the next article).
- The data subject’s right to withdraw consent (if consent is relied upon).
- The data subject’s right to complain about processing to a supervisory authority (see our article on penalties).
- Whether the data subject is required to provide the information, including if it is a legal or contractual requirement, and any consequences of failing to provide it.
- Whether the data will be used for any automated processing (including profiling) and if so, the logic of the processing and its significance and consequences for the data subject.
You do not need to provide information which the data subject already has. Where you intend to process the data for purposes other than those for which it was originally collected, you must update data subjects with the new purposes, and restate the information listed above.
Clearly, it will be possible to set out most of the above in a standard privacy notice, although some of it will vary with the circumstances of collection. The information must be given in a manner which is clear, concise, intelligible and easily accessible.
Similar requirements apply if you obtain personal data other than directly from data subjects (under Article 14). In this case, you must usually contact data subjects to provide the above information, as well as:
- The categories of personal data received.
- The source of the data (including if it is from publicly accessible sources).
You must do so within a reasonable period, and in any case by the earliest of (i) your first communication with them, (ii) any further transfer to another party or (iii) a month after receipt of the data.
There are exceptions where the data subject already has the information, where providing the information would be impossible or involve disproportionate effort, and where EU or national law otherwise permits.
You must keep the minimum data necessary
You should collect and keep only the data necessary for the specified purposes of the processing. You will need to think through each piece of data you collect and consider how it contributes to your goals.
There is an overlap between this and the lawful grounds, most of which only justify processing which is necessary (to the performance of a contract, for your legitimate interests etc.). However, this requirement makes clear that even if you have consent to processing, you will still need to think about whether each piece of data collected is necessary for the stated purposes.
You need not be certain that every piece of data will in fact be used, but you should be able to show that there is at least a reasonable chance that it will be needed. For example, you may only need to collect phone numbers in order to contact clients if there is an issue with their order or account. Although you will not actually use the vast majority of the numbers you collect, it is still likely to be considered necessary data.
You must keep the data accurate
Personal data which you collect and use should be kept accurate and up to date. This means that you need to take all reasonable steps to correct or delete any inaccurate data.
As we saw above, there is an obligation to inform data subjects of their right to have their data rectified. However, this principle will in some cases go further, requiring a proactive approach to correcting your data. In any case, you should make it easy for them to update their data, and you should process any updates speedily.
The nature of “reasonable steps” will depend on the nature of the processing. If it takes place some time after the data was initially collected, then the risk of inaccuracy increases, and it may be proper to check with data subjects that the information is still correct. This is especially true if the processing will have a significant impact on their freedoms, rights and responsibilities.
What counts as “reasonable steps” has not been clearly defined, and it would be wise to follow the court rulings, legal advice and commentary that emerge in the coming months as the requirement is scoped out.
As another example, say that you are an online vendor, and a client with an existing account makes a purchase. It would probably count as a reasonable step (and would certainly be good practice) to remind the client of the delivery address and payment details you have on record and give them an opportunity to amend them before purchase, to avoid problems completing the order.
You must delete data which is no longer needed
As a complement to the principle of keeping no more data than needed, you should also keep data for no longer than necessary for the specified processing purposes.
Again, this will depend on the nature of the processing and your relationship with the data subjects. If they are ongoing clients, then there is unlikely to be an issue with keeping their relevant details. Do consider whether you actually need to keep, for example, previous addresses and contact details, as they are unlikely to be needed anymore.
Key Point: One way to show compliance with this requirement (in appropriate situations) would be to implement a deletion policy for lapsed clients or users. After a set length of time without contact (which will depend on the nature of your relationship and your organization), you could email them to ask if they would like to stay on your records. If you do not get a positive response within a reasonable time, you would then delete their personal data.
There will of course be other legal requirements governing the need to keep certain types of data, for example financial data for tax purposes. These will feed into how long you need to keep the data for GDPR purposes.
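The deletion policy described in the Key Point above, together with the point that other legal retention duties take priority, can be expressed as a small retention sweep. The following is an added example written for this article, not code from the article's author, and the policy values (two years of inactivity before a reminder, a 30-day reply window) and the client records are constructed for illustration only:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class ClientRecord:
    client_id: str
    email: str
    last_contact: date                       # last interaction in either direction
    reminder_sent: Optional[date] = None     # when we asked "do you want to stay on our records?"
    legal_hold_until: Optional[date] = None  # another law (e.g. tax rules) requires keeping this record

INACTIVITY_DAYS = 2 * 365   # constructed policy value: two years without contact triggers a reminder
GRACE_DAYS = 30             # constructed policy value: reply window before deletion

def retention_action(rec: ClientRecord, today: date) -> str:
    """Decide 'keep', 'remind' or 'delete' for one record under the policy."""
    # Other legal retention duties take priority over the GDPR clean-up schedule.
    if rec.legal_hold_until is not None and today <= rec.legal_hold_until:
        return "keep"
    if (today - rec.last_contact).days < INACTIVITY_DAYS:
        return "keep"                        # still an active relationship
    if rec.reminder_sent is None:
        return "remind"                      # first step: ask rather than delete silently
    if (today - rec.reminder_sent).days < GRACE_DAYS:
        return "keep"                        # inside the reply window
    return "delete"                          # no positive response: remove the personal data

def record_positive_response(rec: ClientRecord, on: date) -> None:
    """A reply asking to stay counts as fresh contact and cancels the pending reminder."""
    rec.last_contact = on
    rec.reminder_sent = None

def sweep(records: List[ClientRecord], today: date) -> Tuple[Dict[str, str], List[ClientRecord]]:
    """Apply the policy to every record; returns the decisions and the records that survive."""
    decisions: Dict[str, str] = {}
    survivors: List[ClientRecord] = []
    for rec in records:
        action = retention_action(rec, today)
        decisions[rec.client_id] = action
        if action == "remind":
            # In a real system this is where the reminder e-mail would be sent.
            rec.reminder_sent = today
        if action != "delete":
            survivors.append(rec)
    return decisions, survivors

def demo_sweep() -> Dict[str, str]:
    """Constructed sample records run against the policy on 25 May 2018."""
    today = date(2018, 5, 25)
    records = [
        ClientRecord("active", "a@example.com", date(2018, 5, 1)),
        ClientRecord("lapsed-unasked", "b@example.com", date(2016, 1, 1)),
        ClientRecord("lapsed-waiting", "c@example.com", date(2016, 1, 1), reminder_sent=date(2018, 5, 10)),
        ClientRecord("lapsed-silent", "d@example.com", date(2016, 1, 1), reminder_sent=date(2018, 3, 1)),
        ClientRecord("lapsed-held", "e@example.com", date(2016, 1, 1), reminder_sent=date(2018, 3, 1),
                     legal_hold_until=date(2024, 12, 31)),
    ]
    decisions, _ = sweep(records, today)
    return decisions

if __name__ == "__main__":
    for client, action in demo_sweep().items():
        print(f"{client}: {action}")
```

Running the sweep on the same day twice is safe: a record that was reminded today is inside its reply window on the second pass and is kept. The `legal_hold_until` check sits first so that a tax or accounting retention period is never cut short by the GDPR clean-up.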
There is an exception to this requirement for archiving in the public interest, for historical or scientific research or statistical purposes. Note that if the data is stripped of identifying information, leaving only non-identifying (e.g. aggregate demographic) data, this is no longer a concern.
You must keep data secure
It is a core requirement of GDPR that you must keep all personal data secure. This includes protecting it against unauthorized and unlawful processing and accidental loss, using “appropriate technical and organizational measures”.
What is appropriate will depend on the nature, scope, context and purposes of processing, as well as the costs of implementation and what is in fact possible. Particular thought should be given to the risks should a breach occur. Article 32 spells out a number of possible steps which could be taken to keep data secure:
- Encryption and pseudonymization of data.
- Backing up data, and being able to restore from backup in a timely manner.
- Regular testing, assessment and evaluation of your processes.
In terms of unauthorized processing, you should consider not just illegal access from outside of your organization, but also rogue employees and agents who may steal, sell or tamper with data to which they have access. To keep these risks to a minimum, you should look to restrict access to personal data to individuals who actually need it, rather than keeping it in a shared space available to all. It may also be wise to put in place measures to record access to and use of data even for authorized individuals.
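Three of the measures above (pseudonymization, restricting personal data to those who need it, and recording access even by authorized individuals) can be shown together in one small data store. This is an added example written for this article, not code from its author; the role-to-field matrix, the secret key and the sample client are all constructed for illustration:

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, List, Set

# Need-to-know matrix (constructed for this example): which role may read which field.
FIELD_ACCESS: Dict[str, Set[str]] = {
    "support": {"name", "email", "phone"},
    "billing": {"name", "postal_address", "card_last4"},
    "analytics": set(),              # analytics staff never see identifying fields at all
}

class PersonalDataStore:
    """Toy store that enforces per-role field access, logs every access, and pseudonymizes IDs."""

    def __init__(self, pseudonym_key: bytes):
        # The key must be kept secret and separately from the data; without it the
        # pseudonyms cannot be linked back to a person.
        self._key = pseudonym_key
        self._records: Dict[str, Dict[str, str]] = {}
        self.audit_log: List[Dict[str, object]] = []

    def pseudonym(self, identifier: str) -> str:
        """Keyed pseudonym: stable for joins and statistics, not reversible without the key."""
        digest = hmac.new(self._key, identifier.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def _log(self, actor: str, role: str, action: str, pid: str, fields: List[str], allowed: bool) -> None:
        # Every access is recorded, including successful ones by authorized staff.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "subject": pid, "fields": sorted(fields), "allowed": allowed,
        })

    def store(self, actor: str, role: str, email: str, **fields: str) -> str:
        pid = self.pseudonym(email)
        self._records[pid] = {"email": email, **fields}
        self._log(actor, role, "store", pid, ["email", *fields], True)
        return pid

    def read(self, actor: str, role: str, pid: str, field: str) -> str:
        allowed = field in FIELD_ACCESS.get(role, set())
        self._log(actor, role, "read", pid, [field], allowed)   # log before deciding
        if not allowed:
            raise PermissionError(f"role {role!r} may not read field {field!r}")
        return self._records[pid][field]

    def analytics_view(self, actor: str) -> List[Dict[str, str]]:
        """What the analytics role gets: pseudonym plus a non-identifying attribute only."""
        rows = [{"subject": pid, "country": rec.get("country", "")} for pid, rec in self._records.items()]
        self._log(actor, "analytics", "export", "*", ["country"], True)
        return rows

    def denied_accesses(self) -> List[Dict[str, object]]:
        """Entries a reviewer would look at first when checking for misuse."""
        return [e for e in self.audit_log if not e["allowed"]]

if __name__ == "__main__":
    store = PersonalDataStore(b"constructed-demo-key")     # constructed key, not for real use
    pid = store.store("clerk1", "support", "Alice@Example.com", name="Alice", phone="555-0100", country="DE")
    print("support reads phone:", store.read("clerk1", "support", pid, "phone"))
    try:
        store.read("acct2", "billing", pid, "phone")
    except PermissionError as exc:
        print("billing blocked:", exc)
    print("analytics sees:", store.analytics_view("analyst"))
    print("denied accesses:", len(store.denied_accesses()))
```

The denied read is written to the audit log before the exception is raised, so attempts by staff to reach data outside their role leave a record; the successful reads are logged too, which is what the text means by recording access even for authorized individuals. The HMAC-based pseudonym lets analytics count or join records without ever holding an e-mail address.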
You must build data protection into your processes
Underlying all of the above is the principle (in Article 25) of “data protection by design and by default”. This means that data controllers should design their processes with data protection in mind from the beginning (rather than attempting to bolt it on afterwards).
In practice, this means going through and rewriting your processes (or creating them if they do not yet exist) with principles like data security, data accuracy and data minimization firmly in mind. It also means making sure that these apply by default, rather than requiring specific action in each case.
You must keep records
Finally, a recurring theme throughout GDPR is the importance of keeping records (Article 30). Organizations must generally keep records of the processing activities for which they are responsible, the categories of data subjects involved and the measures taken to demonstrate compliance with the above principles (as well as the other principles discussed in this series). You will need written policies explaining how you implement these principles, and what to do if things go wrong.
Technically, the general obligation to keep records does not apply to organizations which employ fewer than 250 people, unless the processing (i) is more than occasional, (ii) is likely to involve a risk to the rights and freedoms of data subjects or (iii) involves special categories of data or data about criminal offenses and convictions (see our article on lawful grounds for processing).
However, the Regulation’s other obligations affect everyone; the burden of proof will always be on you to demonstrate compliance, and documentation will often be the only way to do so. Therefore, rather than leaving it and trying to deal with data protection issues only when they become a problem, it is well worth taking the time to get your policies and records in place first, before GDPR takes effect on 25 May 2018.
Now that we have gone through some of the general principles which govern the processing of personal data, we will look at some specific areas: firstly the rights of data subjects over their data, and secondly the steps which need to be taken if a breach occurs.