In this article, we’ll do a deep dive into some of the key provisions of the GDPR.
The sections of the regulation below were selected for two reasons. First, they speak to the foundational principles of the regulation. Second, they provide you with the most tangible aspects of the regulation for you to act on. While you must understand the regulation fully, we skip topics such as Independent Supervisory Authorities (Art. 51-59) and Cooperation and Consistency (Art. 60-76), which are nuanced in legality and enforcement.
These sections won’t help you understand what your business needs to do to comply, but you can check our privacy by design steps or our guide on where to start. If these topics come up in your business, you should seek legal advice from a licensed attorney.
Which sections of GDPR are important to your business?
So then, which sections of the GDPR are important to you? The first sections we will look at are the core pillars or foundation of the entire regulation.
They are Lawfulness of Processing (which includes consent) and Data Subject Rights.
It’s important to note that the term “Data Subject” will be used throughout this course. A Data Subject is simply the person whose data you have collected.
Lawfulness of Processing
Let’s first look at the Lawfulness of Processing. Art. 6 of the GDPR states that all data collection and processing must have a legitimate legal basis to support collecting the data. This section outlines six ways in which the processing will be considered lawful under the GDPR. They are:
Consent, which means that the data subject has given their unambiguous, informed and freely given approval to have their data collected and processed by your business. Consent is both the most straightforward basis and, in some situations, the most complicated. That is because consent can have a very clear timestamped action. However, determining what was consented to (see unambiguous) and proving that the consent was freely given can be a challenge. In situations like newsletter signups or marketing, consent is a solid choice as your legal basis. For other matters such as employee records, this may not be the best option.
I want to take a minute to pause here and go into more detail on the lawful basis of consent. The GDPR includes an additional article, Article 7, that speaks to the Conditions of Consent. This section requires that when consent is the legal basis, the business must demonstrate freely given consent. Additionally, where consent applies, the purposes must be clear to the data subject. Furthermore, consent can be revoked at any time by the data subject. The GDPR’s Art. 7 also states that withdrawing consent should be as easy for the data subject as it was to give the consent.
Performance of a Contract
Performance of a contract: This applies when collecting or processing the data is essential to complete the other contractual obligations your business has. One example is employee contracts. If you need to process personal data to put an individual on payroll, the performance of a contract may be the applicable lawful basis.
Compliance with a legal obligation: If your business has a legal obligation, meaning there are member state laws or other jurisdictional requirements that require you to process the data, you are authorized to do so on this lawful basis.
Protecting the data subject’s vital interests: This applies when the processing of the data can protect the data subject from harm to themselves. The clearest example of this is in a medical emergency. If your business is providing care and the data subject cannot provide consent, but they may die if the data isn’t processed immediately, you are authorized to process their data using this legal basis.
Tasks carried out in the public interest: This is similar to vital interests; however, it speaks to the public at large. If you conduct a research assignment on how individuals can protect themselves during a terrorist attack and process personal data as part of that research, the processing would ultimately be in the public interest.
Legitimate interests: This lawful basis is a balancing test. To use this basis, the data controller (that is, the company or individual collecting the data) must show that the benefits to the data subject are greater than or equal to the value to the business collecting the data. Again, various templates that can help you determine this are available in the research section.
GDPR’s Data Subject Rights
The next major section of the GDPR which businesses need to be aware of is Data Subject Access Rights.
Arguably, this is where businesses should spend a majority of their time when first determining their business’s privacy compliance positioning and risks. The reason is that Data Subject Rights deal directly with the individuals whose data you collect. Most often, this means your customers’ data.
While you likely need to process data from your customers to run your business, it is essential, if you process data from the EU, that you understand what rights are available to those individuals.
In addition, the GDPR has mechanisms for a private right of action, meaning individuals can directly file complaints against your business for not complying.
Often these complaints come as a result of not adhering to the rights of the individual. As we go through this section, you will see that there is some overlap with the lawful basis of processing that we discussed in the prior module.
The first concept surrounding data subject rights you should familiarize yourself with is Transparency. This principle is a key tenet of most data privacy laws and outlines the expectation that businesses should provide a mechanism for individuals to be aware of the type of data collected and processed.
You can find specific details on transparency under the GDPR in Articles 12-14.
The GDPR requires you to know what data you have on individuals. Art. 30 specifies a needed data inventory.
Purposes of Data Collection
Article 15 of the GDPR introduces an area that forces organizations to have a solid handle on collecting data. This article speaks to the right of access for data subjects. Essentially, this provision allows individuals to contact you and ask you to tell them if you have data collected on them. This includes:
- the purpose of the data processing;
- the categories of personal data;
- the recipients of the data (if the data leaves your organization);
- the right to correct or delete the data;
- if you did not directly collect the data, its source; and
- the existence of any automated decision making that’s being done on the data (note: this often includes targeted advertising).
This section also allows data subjects to request a copy of any data you may have on them. There are some exceptions as to when you will not be required to provide a copy of the data (such as when it is not technically feasible to access it; or if disclosure infringes on the rights and freedoms of others). As a general rule, you should report back to any data subject who exercises their right to data access.
Articles 16 & 17 outline that data subjects have the right to correct or delete their information. Keeping in mind the overarching premise that the data belongs to the individual, the GDPR outlines that businesses should provide a mechanism for individuals to ensure their data is updated and correct. Similarly, individuals have the right to request that businesses delete any information they have on them. There are certain circumstances when an individual can request deletion of their data. Some examples of when a data subject has the right to deletion are when:
- The data is no longer needed for the purpose it was collected for (for example, data collected to process an order is not needed following fulfillment of the order).
- The data subject withdraws the consent, and there are no other legal grounds for processing (for example, if someone signs up for a newsletter and wants to be removed from the mailing list).
- The data subject rejects the data processing, and there is no other legal basis for the processing. Article 21 goes into the details on what data processing the individual is allowed to reject. One example of this is online marketing. Article 21 specifies that the data subject has the right to reject data processing for direct marketing.
One very nuanced section of the data subject rights section is Article 20, which provides data subjects the right to data portability. This somewhat overlaps with the right to data access. The main difference is that this right is only available when the data is based on consent or automated decisions.
Rejection of Processing
Lastly, the data subject has the right to reject processing on the grounds of automated decision-making.
As you can see, the rights of data subjects are very broad in scope. Therefore, to fulfill your obligation under this section, the first step is to conduct the privacy impact assessment that was previously discussed and document your data inventory (checklist). This will enable you to know where you have data stored so when a request comes in.