does not preclude tax authorities from processing personal data for the purpose of collecting tax and combatting tax fraud, and was a legitimate basis for processing of personal data under the Data Protection Directive.

But the ECJ emphasised that even where there is a legitimate basis, processing must meet the principle of proportionality, and be necessary to achieve the stated purpose. These key principles of "legitimacy", "proportionality" and "transparency" in the EU Data Protection Directive of 1995 are retained in GDPR Article 5 – Principles relating to processing of personal data:

1. Lawfulness (Data must be processed lawfully, fairly and in a transparent manner);
2. Purpose limitation (Data must be collected for specified, explicit and legitimate purposes);
3. Data minimisation (Data should be limited to what is necessary);
4. Accuracy (Data should be accurate and up to date);
5. Storage limitation (Data should be kept for no longer than is necessary).

"Tasks carried out in the public interest" is one of the six lawful grounds for meeting these principles.

Clear-cut grounds are where processing is necessary for the "performance of a contract" (e.g. an e-commerce store processes a consumer's address for delivering an ordered item), or "is based on a legal obligation to which the controller is subject" (e.g. a bank processes an account holder's data to comply with anti-money laundering laws).

Lawful grounds that require more robust controls are where "processing is based on the data subject's consent" (e.g. an airline's online offer to existing customers, via an opt-in tick-box, to join a loyalty program); or for "the legitimate interests of the controller" (e.g. a retailer, using only the contact information provided by a customer at point-of-sale, sends him/her regular direct mail marketing of similar product offerings, with an easy-to-select choice of online opt-out).

Less common grounds are where processing is "to protect an interest which is essential for the life of the data subject or that of another natural person" (e.g. for humanitarian purposes, including for monitoring epidemics), or for tasks "carried out in the public interest or in the exercise of official authority".

What Rights do Data Subjects have?

The recent ruling by a UK court that Google's listing of a businessman's past computer hacking activities breached his Right to be Forgotten illustrates how GDPR gives data subjects a wide array of rights that can be enforced against organisations that own or process personal data.

The right of individuals to access their data is already an important part of the existing EU data protection law. GDPR takes this further with enhanced rights for data subjects and new obligations on entities that hold personal data.

Examples are the Right to request rectification of inaccurate personal information; and the Right to restrict the processing (where the accuracy of the data is contested, or when the processing is no longer necessary, or when the data subject objects to it). GDPR also introduces the Right to data portability, seen as an important tool to facilitate the exchange of information necessary in the digital era. This right to transfer personal data from one organisation to another, or to the data subject, in a structured, commonly used and machine-readable format also encourages healthy competition between EU data controllers.

Some other key changes?

Where individual EU members had the ability to set specific detailed regulations in the old regime, GDPR sets explicit rules. For example, old rules specified that data access requests be handled "without excessive delay", wording broad enough that countries set their own reasonable time limits for response - but GDPR sets a deadline of one month (with exceptions). Another is where previous rules allowed countries to set maximum fees for responding to requests - but GDPR rules that information be provided free of charge unless requests are "manifestly unfounded or excessive". GDPR also imposes mandatory data breach reporting to the individuals whose data was lost, and to a supervisory authority within 72 hours. Under the old regime, there was no specific breach notification obligation, leaving individual countries to set their own rules.

What are the financial penalties?

The headline-grabbing figure of €20 million, or 4% of worldwide annual turnover, for non-compliance has attracted much attention.

But the penalty handed down may be lower, depending on the nature of the data breached (e.g. number affected, duration of infringement, damage), and "the degree of responsibility of the controller or processor having regard to technical and organisational measures implemented by them" (e.g. actions taken to mitigate damage to data subjects, preventative measures). Past administrative corrective actions, and how cooperative the firm has been with the supervisory authority, are also considered as evidence of the organisation's commitment to complying.

Photo: UK Information Commissioner Elizabeth Denham at the IAPP (International Association of Privacy Professionals) Europe Data Protection Intensive event, 18th Apr 2018. "Myth: the biggest threat to organisations under GDPR is massive fines". Photo Credit: UK ICO Twitter post.

What do all these mean in practice?

GDPR is principle-based to cater for the varying processing and technological approaches. Flexible though explicit, the interpretation depends on social and cultural attitudes to privacy. For example, "fair" in Germany may not be regarded as "fair" in Spain. Differences in the resources and attitudes of national supervisors are likely to result in variations in enforcement.
36 | Australian Security Magazine