The GDPR introduces a set of core requirements for organizations controlling or processing the personal data of EU residents. The overall intent is to protect the rights of natural persons with respect to their personal data, and compliance with the GDPR requires both organizational and technological measures.
Providing an exhaustive summary of the requirements of the GDPR is beyond the scope of this white paper, but relevant provisions are highlighted below. Please note that the purpose of this white paper is not to provide legal advice for specific organizations, and all organizations affected by the GDPR are encouraged to seek competent legal advice from either Corporate Counsel or an external law firm.
Ultimately (and this is a good place to start), organizations have to be able to demonstrate compliance with the GDPR, a task that covers both organizational and technological measures. Article 24 sets the general obligations for a data controller (“the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary”), and Article 28 for data processors (who must “implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”). Measures implemented in line with the GDPR may also reduce the severity of any fine levied for non-compliance: supervisory authorities are required to take into account the technical and organizational measures that have been implemented (Article 83(2)(d)) and adherence to approved “codes of conduct” or an “approved certification mechanism” (Article 83(2)(j)).
LEGAL BASIS FOR PROCESSING
Processing of personal data must be lawful, and Article 6 lists six lawful bases, the first of which is that the data subject has “given consent to the processing ... for one or more specific purposes.” Other lawful bases include contract performance, compliance with a legal obligation, and protection of the vital interests of the data subject. Among other implications, organizations will need to be explicit about the lawful basis of every processing activity, and be able to comply with a request from the data subject to cease processing if consent is withdrawn (where consent was the only lawful basis).
SPECIAL CONDITIONS WHEN PROCESSING SPECIAL CATEGORIES OF DATA
The GDPR provides elevated protection for special categories of personal data. Article 9(1) states the general prohibition as follows: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.” Article 9(2) then lists ten separate exceptions to this general prohibition, including explicit consent from the data subject, the protection of the vital interests of the data subject, and cases where the data subject has manifestly made the information public, among others.
Note that the GDPR extends beyond a general prohibition on the processing of special categories of personal data and enshrines the principle that the use made of data may itself be sensitive: inferences drawn from ordinary data can reveal a special category. For example, examining the name of an employee's partner could reveal sexual orientation, which could be used to cause harm to the data subject, so such processing also falls under the prohibition.
RECORDS FOR KEEPING TRACK OF ALL PROCESSING ACTIVITIES
Article 30 requires that each controller “shall maintain a record of processing activities under its responsibility,” and lists seven types of information to be maintained, including the purposes of the processing, a description of the categories of data subjects and of personal data, and the categories of recipients to whom the personal data will be disclosed, among others. Processors have a similar requirement to record all categories of processing activities carried out on behalf of a controller. Both controllers and processors are required to keep these records in writing, and Article 30 expressly permits electronic form.
Under the GDPR, organizations need to know the legal basis for controlling or processing personal data. One such legal basis is the consent of the data subject, but the standard for obtaining consent is higher than under the earlier Directive (95/46/EC). Specifically, Article 4(11) defines consent as a “freely given, specific, informed and unambiguous” indication of the data subject's wishes given “by a statement or by a clear affirmative action.” This rules out opt-out (assumed) consent such as pre-ticked boxes or silence, and under Article 7(4) consent is not regarded as freely given where access to a service is made conditional on consent to processing that is not necessary for that service. Note too that under Article 7(3) the data subject has the right to withdraw consent at any time, and withdrawing must be as easy as giving it.