The General Data Protection Regulation has been active now for three days, and so many companies have spammed me with requests to review their new policies on security and consent that it is really no fun anymore to check every single mail about this topic. If you ignore this, then of course you take the risk that your data will be removed, and when you still want to use the service provided by these firms you have to register all over again, which is really another hassle.
In the Netherlands this is the Personal Data Protection Act, “Wet Bescherming Persoonsgegevens” (WBP).
In Germany this is called the “Datenschutz-Grundverordnung” (DSGVO).
In all remaining countries it is known as the “General Data Protection Regulation” (GDPR).
The GDPR applies to all personal data that is collected in the EU, regardless of where in the world it is processed. Any database containing personal or sensitive data collected within the EU will be in scope, as will any media containing personal or sensitive data. Any organization that has such data in its systems, regardless of business size or sector, will have to comply with the GDPR.
Personal data is anything that can identify a ‘natural person’ and can include information such as a name, a photo, an email address (including work email address), bank details, and posts on social networking websites, medical information or even an IP address.
Is it anticipated that the DPA (1998) will be rewritten?
Extremely unlikely – the UK government has confirmed that the GDPR will apply even after leaving the EU, and, as the legislation is in the form of regulation, it has direct effect and there is no need for the UK to implement further legislation to give effect to its provisions. The DPA, which was enacted to meet the requirements of the EU Data Protection Directive, is therefore superseded by the GDPR.
In Germany, an employee’s work email and telephone numbers are considered PII, but I don’t believe that is the case here in the UK. From 25 May 2018, how are global companies with staff in Germany as well as the UK going to proceed to best ensure they abide by the new law? Should they apply the more stringent approach?
The point of the GDPR is to standardize data protection regimes across the EU. The variation between regimes within the EU that existed prior to the GDPR was due to the fact that data protection legislation took the form of a directive, which gives Member States the flexibility to implement their own laws to give effect to the provisions of the Directive.
The GDPR eliminates this situation because it is an EU regulation. EU regulations have direct effect in all EU Member States, so the definition of ‘personal data’ is consistent across all Member States. The GDPR also creates a ‘consistency mechanism’ to ensure consistent definitions and approaches across Member States and thus levels the playing field for data controllers and processors, as well as for data subjects. We will have to wait and see what actually happens.
The GDPR does authorize Member States to vary the special categories of data (aka sensitive data). In this case, global companies may need to process sensitive data in accordance with the law of the Member State where the data subject resides. Keep alert to the changing data protection environment!
The ICO has implied that the focus of the GDPR is more on B2C rather than B2B or business-to-employee engagements. Is this so?
Any processing of personal data within territorial scope is within the remit of the GDPR. In that respect, organizations operating B2B, B2C or business-to-employee models will all have the same obligations to fulfill under the legislation. However, the GDPR also recognizes that the processing of certain data is necessary for some organizations to perform their functions – such as processing employee payment details for payroll purposes or sharing an address with a credit agency on an individual who has gone into arrears. For cases such as these, the GDPR specifies the lawful grounds on which organizations can process personal or sensitive data. You will need to consult your legal advisers for specific guidance to match your circumstances.
Is there an industry standard definition of personally identifiable information (PII)?
‘PII’ is originally a US term, defined in NIST SP 800-122 as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information” (Article 4).
This definition of PII and its use in the USA does not precisely match the GDPR definition of ‘personal data’, which is the preferred term. Personal data is defined as “any information relating to an identified or identifiable natural person”, whether it relates to his or her private, professional or public life. As a general rule, any information that can be used to identify an individual – either on its own or when combined with another piece of information – is classified as personal data. This can include biometric, genetic and location data. IP addresses and email addresses also fall within this definition.
What is an online personal identifier?
Personal identifiers (PIDs) are a subset of personal data. They identify a unique individual and can permit another person to assume that individual’s identity without their knowledge or consent. This can occur when PID data elements are used either alone, combined with a person’s name, combined with other PID data elements, or combined with other personal data. Personal identifiers include, for instance, account numbers, PINs, passwords, voice scans and credit card numbers.
Do utility bills, driving licenses and passport details qualify as sensitive personal data?
No. Under the GDPR, sensitive data is any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation are also categories of sensitive data.
We are a construction company looking at capturing time and attendance data of our subcontractors using biometrics. We would also hold details of the operatives’ addresses to calculate travel distances. Does the GDPR apply?
Yes. If you collect biometrics, then you are processing sensitive data and are bound by the strict requirements of the GDPR for doing so, including obtaining the data subject’s explicit consent.
How does the GDPR apply to health data?
Health information is treated as sensitive data under the GDPR, as it was under the DPD. As under the Directive, organizations processing health data must have a lawful ground to do so, which is most likely to be the explicit consent of the data subject.
Health data controllers/processors typically choose to rely on consent. They can, however, collect and use health data without consent if the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, management of health or social care systems and services, or under a contract with a health professional or another person subject to professional secrecy under law. Additionally, consent is not required if the processing is necessary for public health reasons, or if the organization can argue that the processing is necessary for scientific research. If you think any of these grounds might apply to your organization, ensure you discuss with your legal advisers how you will approach the consent issue.
Does the GDPR mean that equal opportunities forms cannot be collected?
No. Equal opportunities forms should, in any case, be optional. Under the GDPR, sensitive data can be processed if the data subject has consented to it. However, you must ensure that the consent you obtain for collecting equal opportunities forms is explicit, informed, specific and freely given. If you think that you have a contractual, statutory or other basis for collecting this information without explicit consent, you should discuss with your legal advisers how you would address the issue.
What kind of regulations apply to universities? How does the GDPR affect schools? Do they have to comply as well?
The GDPR applies irrespective of sector or activity. As long as personal data is being processed, and the processor/controller is established in the EEA or the processing affects EEA data subjects, the GDPR applies. Universities and schools are no more exempt than any other institution. In addition, schools may have to deal with the issue of obtaining parental consent for processing the personal data of children.
Is compliance required if the data is not resident on a company’s systems (e.g. remote access to live data is granted to a support organization, but that organization does not store it)?
If the remote person would be able to identify a natural person, write down what they read, photograph it or share it with someone, then it’s within the scope of the GDPR.
If personal data is encrypted throughout its life-cycle using strong/approved algorithms, is it out of scope for GDPR compliance?
Encryption can take personal data out of scope of the GDPR. Article 32(1)(a) sanctions it as an appropriate security technique. However, there is still uncertainty around this point, particularly regarding how strict the ECJ will be in its interpretation of anonymization. It is possible that some encryption techniques may not be sufficient to put the personal data out of scope of the GDPR. Controllers should review their encrypted data and assess the reasonable likelihood of that data being decrypted, taking into account future technologies.
Is there a difference between how the GDPR applies to business-to-business engagements and business-to-consumer engagements? For example, would the GDPR apply on the same level if I were to approach an individual within a company based on publicly available information as to when I seek to maintain personal data on a CRM system?
While you do not have to obtain consent to process personal information that someone has deliberately made public, you will be required to inform the data subject of your intentions to process their data and provide them with an opt-out route. Article 14 sets out the requirements of how this sort of information has to be handled.
Does the GDPR apply to hobby organizations (e.g. hobby groups with membership)?
The scope of the GDPR excludes data processed by natural persons for purely personal reasons. It is not yet clear to what extent this applies to hobby organizations. It will most likely depend on the scale of the organization, what data is being collected, and whether or not the organization has grown beyond what can be classed as personal activity.
How does the GDPR affect mobile phones and email data held on them while travelling?
Personal data is personal data, wherever it’s held. If a mobile device that contains personal data is breached while travelling, it is as much a data breach under the GDPR as one affecting a database within the EU.
An individual can be hidden behind an external IP of a company’s firewall; is that IP then relevant?
If the IP address can, on its own or with other information, be used to identify a natural person, then yes, it is relevant.
Does credit card information of a corporate entity, such as a corporate credit card, come under the ambit of Personal Information? We are a company providing services, and we may take corporate credit card details for paying our vendors or receiving payment from our customers. So we need to know whether corporate credit card details come under Personal Information.
The GDPR defines personal data as “any information relating to an identified or identifiable natural person”, but another regulation, the PCI DSS, refers specifically to payment card information. You can read about complying with both standards here.
Does a computer name constitute personal data?
Only if it can be used, either on its own or alongside other information, to identify someone.
If an employee leaves the company, is “the right to be forgotten” then an adequate request according to the GDPR? Does the organization have to delete all the emails he/she sent and received from all mailboxes?
What about all the logs and records that an organization keeps about that user?
What about all office documents that note the name of the author?
Understanding the right to be forgotten/right to erasure depends on a number of factors.
Article 17 of the EU General Data Protection Regulation (GDPR), the “right to erasure” (also known as the ‘right to be forgotten’), allows individuals to request the removal of personal data that an organization holds on them. Individuals can exercise this right when:
The controller no longer needs the data for the purpose that it was originally collected;
The individual withdraws consent;
The individual objects to the processing and the organization has no overriding legitimate interest in the data;
The controller or processor collected the data unlawfully;
The data must be erased to comply with a legal obligation; or
The data was processed in relation to the offer of information society services to a child.
Organizations can refuse to comply with a request for erasure if:
The right to freedom of expression protects the processing of this data;
Processing the data is necessary to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
The data is for health purposes in the public interest;
The data is being used for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
The processing is necessary to exercise or defend legal claims.
What does this mean for data processors and controllers?
Data protection specialist Carl Gottlieb believes that the exceptions to the right to erasure will apply often. Organizations should therefore keep a close eye on the details of each request and find a way to quickly identify whether an exception applies.
Gottlieb writes: “Erasure is an area where there is no black and white on what must be done. Every organization, every record and every piece of technology used will require a case-by-case assessment. For example, some processors provide more granular control of deletion of individual records in cold backups. Some provide none.
“The key is to focus on what your rationale would be if you were stood in front of the regulator […] or a judge in court. Would you be confident that you had a justifiable position on doing the ‘right thing’ by the data subjects, doing the best you could and had given this enough focus and documented thought?”
There’s much more to learn
The right to erasure is one of eight data subject rights enforced by the GDPR. My blog covers the introductory details, but those who want an in-depth understanding of the GDPR and data subject rights should consider visiting the EU General Data Protection Regulation Foundation (GDPR/DSGVO) website, which is available in English and German, for more details.