General Data Protection Regulation¶
The ADAPT Centre is funded under the SFI Research Centres Programme (Grant 13/RC/2106) and is co-funded under the European Regional Development Fund.
Course Structure¶
| Part | Perspective |
|---|---|
| Part 1 | Individual Perspective |
| Part 2 | Organizational Perspective |
Objectives — Part 1: Individual Perspective¶
- The aims of the General Data Protection Regulation (GDPR)
- GDPR Principles
- Individual Perspective: Your rights under GDPR
Part 1: The Individual Perspective¶
The Fundamental Right of Data Protection¶
Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights, which states:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
General Data Protection Regulation¶
- The General Data Protection Regulation (GDPR) came into force on 25 May 2018.
- General application to the processing of personal data in the EU.
- Sets out extensive obligations on data controllers and processors and provides strengthened protections for data subjects.
- GDPR is directly applicable as a law in all EU Member States.
- Certain issues have further effect in national law — in Ireland, this is the Data Protection Act 2018.
Key Roles in GDPR¶
| Role | Definition |
|---|---|
| Data Subject | Any person whose personal data is being collected, held or processed. |
| Data Controller | A person, company, or other body which decides the purposes and methods of processing personal data. |
| Data Processor | A person, company, or other body which processes personal data on behalf of a data controller. |
Controllers and processors are accountable to the Supervisory Authority for their processing of personal data.
Key Roles: Supervisory Authority¶
- Supervisory Authority: Independent public authorities responsible for monitoring the application of GDPR in a member state.
- In Ireland, the Supervisory Authority is the Data Protection Commission.
- The Commission monitors the application of the GDPR in order to protect the rights and freedoms of individuals in relation to processing.
- Commission responsibilities include:
  - Promoting public awareness of risks, rules, safeguards, and rights
  - Handling data subject complaints
  - Cooperating with other data protection authorities in other EU Member States
- Penalties: Violators of GDPR may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
What is Personal Data?¶
Personal data means any information concerning or relating to a living person who is either identified or identifiable (i.e. the "data subject").
An individual could be identified, directly or indirectly, in particular by reference to an identifier such as:
- A name or an identification number
- Location data
- An online identifier (such as an IP address)
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual
Special Categories of Personal Data¶
Certain types of sensitive personal data are subject to additional protection under the GDPR:
- Personal data revealing racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data and biometric data processed for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person's sex life or sexual orientation
What is Data Processing?¶
"Processing" refers to any operation or set of operations performed on personal data.
Processing includes:
- Storing
- Collecting
- Retrieving
- Using
- Combining
- Erasing
- Destroying
Processing can involve automated or manual operations.
Principles for Personal Data Processing¶
Personal data shall be:
- Lawfulness, fairness & transparency — Processed lawfully, fairly and in a transparent manner.
- Purpose limitation — Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation — Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy — Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
- Storage limitation — Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity & confidentiality — Processed in a manner that ensures appropriate security of the personal data.
Lawful Basis for Personal Data Processing¶
Article 6 of the GDPR sets out the complete list of lawful reasons for processing personal data:
- Consent
- To carry out a contract
- Legal obligation — In order for an organisation to meet a legal obligation
- Vital interests — Where processing is necessary to protect the vital interests of a person
- Public interest — Where processing is necessary for the performance of a task carried out in the public interest
- Legitimate interests — In the legitimate interests of a company/organisation (except where those interests contradict or harm the interests, rights and freedoms of the individual)
Consent¶
Some types of processing are carried out on the basis that you have given your consent.
Under the GDPR, consent to processing must be:
- Freely given
- Specific
- Informed
Requirements:
- You cannot be forced to give your consent.
- You must be told what purpose(s) your data will be used for.
- You must show your consent through a "statement or a clear affirmative action" (e.g. ticking a box).
Rights under GDPR¶
| Right | Description |
|---|---|
| Right of Access | Know what data is held and why |
| Right to be Informed | Clear, transparent information about processing |
| Right to Rectification | Correct inaccurate or incomplete data |
| Right to Erasure | "Right to be forgotten" |
| Right to Portability | Obtain and reuse your data |
| Rights on Automated Decision Making | Not be subject to purely automated decisions |
| Right to Object to Processing | Object to certain types of processing |
| Right to Restriction | Limit how your data is processed |
Right of Access¶
You have the right to obtain:
- Confirmation of whether or not personal data concerning you is being processed.
- A copy of your personal data where it is being processed.
- Additional information, including:
  - Purpose(s) of the processing
  - Categories of personal data
  - Any recipient(s) of the personal data (including in third countries or international organisations) and information about appropriate safeguards
  - The retention period, or if not possible, the criteria used to determine it
  - The existence of rights to rectification, erasure, restrict processing, object, and how to request these
  - The right to raise a concern with a supervisory authority (in Ireland, the Data Protection Commission)
  - Where personal data is not collected from you, any available information as to its source
  - The existence of automated decision-making, including profiling, and meaningful information about how decisions are made, their significance, and consequences
Right to be Informed¶
It should be clear and transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed — and to what extent.
The Principle of Transparency¶
Any information on the processing of personal data must be:
- Easily accessible
- Easy to understand
- In clear and plain language — including visualisations
- Individuals should be made aware of risks, rules, safeguards, and rights in relation to the processing of personal data
In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of collection.
Right to Rectification¶
If your personal data is inaccurate, you have the right to have the data rectified by the controller, without undue delay.
If your personal data is incomplete, you have the right to have data completed, including by means of providing supplementary information.
The right to rectification may be restricted for important objectives of public interest, and to balance it against the right to freedom of expression and information.
Right to Erasure (Right to be Forgotten)¶
You have the right to have your data erased by the data controller if one of the following grounds applies:
- Your personal data is no longer necessary in relation to the purpose for which it was collected or processed.
- You withdraw your consent and there is no other lawful basis for processing.
- You object to the processing and there are no overriding legitimate grounds for continuing, or your personal data is being processed for direct marketing purposes.
- Your personal data has been unlawfully processed.
- Your personal data has to be erased in order to comply with a legal obligation.
- Your personal data has been collected in relation to the offer of information society services to a child (e.g. social media).
Obligations on Controllers¶
The data controller must communicate any rectification or erasure to each recipient to whom the personal data has been disclosed, and inform you about recipients if requested.
Exceptions¶
Erasure is not required where processing is still necessary for:
- Exercising the right of freedom of expression and information
- Compliance with a legal obligation or performance of a task carried out in the public interest
- Reasons of public interest in public health, archiving, scientific or historical research, or statistical purposes
- Establishment, exercise, or defence of legal claims
Right to Portability¶
In some circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing without hindrance.
When it applies¶
- Processing is carried out by automated means
- You have consented to processing, or processing is based on a contract between you and the controller
- It does not affect the rights and freedoms of others
Format¶
Data controllers must provide and transmit personal data in a structured, commonly used and machine-readable form.
Rights on Automated Decision Making¶
You have the right not to be subject to a decision based solely on automated processing.
What counts as "automated"?¶
Processing is "automated" where it is carried out without human intervention and produces legal effects or significantly affects you.
Automated processing includes profiling — any kind of automated processing of personal data that involves analysing or predicting your behaviour, habits, or interests.
When is automated processing permitted?¶
- With your express consent
- When necessary for the performance of a contract
- When authorized by Union or Member State law
Safeguards¶
Where an exception applies, suitable measures must be in place to safeguard your rights, freedoms, and legitimate interests. This may include:
- The right to obtain human intervention on the controller's part
- The right to present your point of view
- The right to challenge the decision
Right to Object to Processing¶
You have the right to object to certain types of processing of your personal data where this processing is carried out in connection with tasks:
- In the public interest
- Under official authority
- In the legitimate interests of others
Stronger right for direct marketing¶
You have a stronger right to object to processing of your personal data at any time where the processing relates to direct marketing.
Research¶
You may also object to processing for research purposes, unless the processing is necessary for the performance of a task carried out in the public interest.
Notification¶
Where the right to object applies, data controllers are obliged to notify you of this at the time of their first communication with you. Where processing is carried out online, controllers must offer an online method to object.
Right to Restriction¶
You have a limited right of restriction of processing of your personal data by a data controller.
Effect of restriction¶
Where processing of your data is restricted, it can be stored by the data controller, but most other processing actions (such as deletion) will require your permission.
When it applies¶
- You have objected to processing of your data
- You have contested the accuracy of your data
- Processing is unlawful
- You require data for the purpose of a legal claim
Where you have obtained restriction of processing, the data controller must inform you before lifting the restriction.
Limitations on Individual Rights¶
The right to data protection is not an absolute right. It must always be balanced against other values, fundamental rights, human rights, or public and private interests.
- Your right to access your data should not adversely affect the rights and freedoms of others.
- In limited circumstances, organisations may charge a reasonable fee for responding to a request, or even refuse to respond if the request is manifestly unfounded or excessive.
- Organisations must always respond to requests within one month, even if they plan to refuse it.
- If refusing a request, an organisation must set out clearly:
  - Which limitation or restriction they are relying on
  - Their reasons for doing so
  - The possibility of lodging a complaint
Complaining to the Supervisory Authority¶
There are three types of access request complaints:
- No response to an access request
- Incomplete response to an access request
- Exemptions to withhold data being applied incorrectly
What to provide to the DPC¶
If you believe a data controller has not responded in full to your access request:
- A copy of the access request
- Signed authority from you where a solicitor/representative has made the contact
- A copy of any letter sent to the data controller outlining the specific personal data that has not been provided
- Any evidence you have of the existence of the personal data concerned
- Any other relevant correspondence on the matter
- Details of exemptions being used to withhold data that may be applied incorrectly
Part 2: The Organizational Perspective¶
Objectives — Part 2¶
- Organizational Perspective and Issues
- Privacy Canvas Exercise
- Ethical vs. Privacy concerns
Principles of Data Protection — Data Controllers¶
GDPR sets out seven key principles related to the processing of personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Controllers need to be aware of and comply with these principles when collecting and otherwise processing personal data.
Accountability Obligation¶
Organisations, and not data protection authorities, must demonstrate that they are compliant with the law.
Relevant measures include:¶
- Adequate documentation on what personal data is processed
- How, to what purpose, and how long data will be processed for
- Documented processes and procedures for tackling data protection issues at an early stage when building information systems or responding to a data breach
- The presence of a Data Protection Officer (if required) who is integrated in organisation planning and operations
Inventory checklist¶
Make an inventory of all personal data you hold and examine it:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties, and on what basis?
Transparency Obligations¶
Businesses and organisations that process personal data must provide individuals with information on the type of processing that is taking place and who is carrying it out.
Minimum required information:¶
- Who you (the organisation) are
- Why you are processing the data
- What legal basis you rely on to legitimise the processing
- Whether or not the data will be transferred to other organisations or individuals
- How long the data will be stored
- The existence of the individual's rights under data protection, including rights to access, correction, erasure, restriction, objection, and portability
Personal Data Breach Obligations¶
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Breaches can result from:
- Accidents (e.g. sending an email to the wrong recipient)
- Deliberate acts (e.g. phishing attacks to gain access to customer data)
A personal data breach negatively impacts the confidentiality, integrity, or availability of personal data — meaning the controller is unable to ensure compliance with GDPR principles.
Two primary obligations:¶
- Notification of any personal data breach to the DPC, unless unlikely to result in a risk to data subjects
- Communication of the breach to data subjects, where the breach is likely to result in a high risk to data subjects
Data Subject Identification¶
A natural person can be considered as "identified" when, within a group of persons, he or she is "distinguished" from all other members of the group.
A person is "identifiable" when it is possible to identify them, even if not yet identified:
- "Singling out" — it is possible to distinguish the data relating to one individual from all other information in a dataset
- Example: There might be only one individual in a dataset who is 160 cm tall and was born in 1990, even though many others share either the height or the year of birth
Anonymisation and Pseudonymisation: What?¶
Data can be considered "anonymised" when data subjects are not identified or identifiable, having regard to all methods reasonably likely to be used by the data controller or any other person.
- Irreversibly and effectively anonymised data is not "personal data" and not subject to GDPR.
- If the source data is not deleted at the same time that the 'anonymised' data is prepared, and the source data could be used to identify an individual, the data may be considered only 'pseudonymised' — and thus still 'personal data', therefore still subject to GDPR.
- It is not normally possible to quantify the likelihood of re-identification of individuals from anonymised data.
Anonymisation and Pseudonymisation: Why?¶
Anonymisation and pseudonymisation can be used to:
- Improve protection for data subjects
- As part of a risk minimisation strategy when sharing data with data processors or other data controllers
- Avoid inadvertent data breaches when staff access personal data
- As part of a "data minimisation" strategy aimed at minimising the risks of a data breach for data subjects
Data Linking¶
Any linking of identifiers in a data set will make it more likely that an individual is identifiable.
Example: Taken individually, the first name "John" and second name "Smith" might not be capable of distinguishing one of a large company's customers from all others. But if the two pieces of information are linked, it is far more likely that "John Smith" will refer to a unique, identifiable individual.
Re-identification from Data Linking¶
A major risk factor leading to identification of individuals from anonymised data is the risk of data from one or more other sources being combined or matched with the anonymised data.
Sources of matching data:¶
- Public registers — Land Registry, Register of Electors, publicly accessible professional registries
- Searchable information on the internet or in online databases — newspaper stories, blog posts, online directories, or data published in previous data breaches
- Statistical data published in anonymised format, which might be combined with certain anonymised data to identify a data subject (particularly concerning in research or statistical publications)
- Information available to the organisation being given access to anonymised data (e.g. Yahoo search log dataset)
- Personal knowledge
Data minimisation and collection techniques — part of the principles of data protection — are helpful in reducing the risk of data matching being successful.
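As an added example (not part of the course material), the following Python checks a constructed dataset for the two risks described above: singling out an individual on a combination of attributes such as height and year of birth, and the uniqueness created when a first name is linked to a second name. It also shows why a release stays only pseudonymised, and therefore still personal data, while the lookup table back to the source data survives. The records, field names and HMAC key are all constructed for the demonstration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample dataset (not from the course): six customer records.
RECORDS = [
    {"first_name": "John", "last_name": "Smith",  "height_cm": 160, "birth_year": 1990},
    {"first_name": "John", "last_name": "Murphy", "height_cm": 175, "birth_year": 1990},
    {"first_name": "Mary", "last_name": "Smith",  "height_cm": 160, "birth_year": 1985},
    {"first_name": "Mary", "last_name": "Byrne",  "height_cm": 160, "birth_year": 1985},
    {"first_name": "John", "last_name": "Byrne",  "height_cm": 175, "birth_year": 1990},
    {"first_name": "Mary", "last_name": "Murphy", "height_cm": 160, "birth_year": 1985},
]


def class_sizes(records, keys):
    """Count how many records share each combination of values for `keys`."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def singled_out(records, keys):
    """Records whose combination of `keys` values is unique in the dataset:
    these are the individuals who can be 'singled out' on those attributes."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[k] for k in keys)] == 1]


def min_class_size(records, keys):
    """Smallest group sharing the same `keys` values (k in k-anonymity terms).
    1 means at least one person is singled out; larger groups are safer to release."""
    return min(class_sizes(records, keys).values())


def pseudonymise(records, direct_ids, key):
    """Replace the direct identifiers with a keyed HMAC pseudonym.
    Returns (released_records, lookup_table). The lookup table (pseudonym ->
    original identifiers) is what the controller would have to destroy, along
    with the source data, before the release could count as anonymised."""
    released, lookup = [], {}
    for r in records:
        ident = "|".join(str(r[k]) for k in direct_ids)
        pseudonym = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[pseudonym] = {k: r[k] for k in direct_ids}
        released.append({"id": pseudonym, **{k: v for k, v in r.items() if k not in direct_ids}})
    return released, lookup


def reidentify(released, lookup):
    """While the lookup table exists every released record maps back to a person,
    which is why such data is 'pseudonymised' rather than anonymised."""
    return [{**lookup[r["id"]], **{k: v for k, v in r.items() if k != "id"}} for r in released]


if __name__ == "__main__":
    for keys in (["height_cm"], ["birth_year"], ["height_cm", "birth_year"],
                 ["first_name"], ["last_name"], ["first_name", "last_name"]):
        print(keys, "smallest group:", min_class_size(RECORDS, keys),
              "singled out:", len(singled_out(RECORDS, keys)))
    released, lookup = pseudonymise(RECORDS, ["first_name", "last_name"], b"constructed-demo-key")
    print("reversible while lookup table exists:", reidentify(released, lookup) == RECORDS)
```

Height alone and birth year alone never single anyone out here, but their combination isolates one record, just as "John" and "Smith" are each shared by several customers until linked.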
Privacy by Design and by Default¶
Privacy by Design¶
Embedding data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This ensures better and more cost-effective protection for individual data privacy.
Privacy by Default¶
User service settings (e.g. no automatic opt-ins on customer account pages) must be automatically data protection friendly, and only data which is necessary for each specific purpose of the processing should be gathered at all.
Ethics Canvas¶
- [Privacy Canvas Exercise]
Data Protection Canvas¶
- [Canvas Reference]