SCL GDPR Jargon Buster
  • Jargon Index
  • About the site

A plain English Jargon Buster to the GDPR

A-C

Access Rights

You can request that an organisation tells you whether they are processing your personal data and, if they are, gives you a copy of it. This has to be done within a month and free of charge unless your request is “manifestly unfounded or excessive, particularly if it is repetitive”. However, the data controller should only charge what it cost them to satisfy the request - it is not meant to be a profitable exercise. (see Article 15 or the ICO guidance)

Accountability

One of the fundamental principles of the GDPR. It places responsibility for complying with all the data protection principles squarely on the controller. It is an ongoing responsibility.

This principle underpins much of the rationale of the GDPR. There is a good deal of latitude for organisations, but they have to justify what they are doing and provide evidence of their decision making if the ICO investigates: that is, they can be held accountable if they are found to be flouting the rules. See Article 5.2 of the GDPR and the ICO guidance.

Anonymisation

Anonymisation is the removal of indicators from personal data that could lead to identification. There are several ways of doing this, none of which are risk-free.

Data masking involves removing obvious identifiers (like name); removing partial data while leaving other identifiers (removing name and address but leaving date of birth); or data quarantining (disclosing certain data on the basis that the recipient is unlikely to be able to obtain additional data that would enable identification).

Pseudonymisation: The ICO recommends that, to comply with best practice, organisations should use anonymised data when conducting profiling, but whether this is practical will inevitably depend on the circumstances: read more here (and see also the separate entry below).

Article 29 Working Party

The Article 29 Working Party was, until 25 May 2018, an advisory body offering independent advice to the EU on all things DP, and its guidance helps people understand what the regulation means - or, at least, what the Working Party thought it meant. In some cases, its guidance appears to “gold plate” the bare legislative requirement.

The body was replaced on 25 May by the European Data Protection Board (EDPB) - see below
(This entry updated 11/06/2018)

Automated Decision Making

The use of an algorithm or other automated process to evaluate individual personal data in order for decisions to be made (e.g. direct marketing, credit searches). Under the GDPR individuals have the right to be informed when automated decisions which produce legal or other significant effects are being made using their personal data, to request human intervention, to challenge a decision and to access and edit the information being used. See separate entry as it relates to Profiling.

Breach

If personal data is hacked, lost or stolen then the data controller has to inform the ICO within 72 hours of becoming aware of the incident if the breach could result in a “risk to people’s rights and freedoms”. The ICO describes it as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.”

Exactly what is meant by a risk to people’s rights and freedoms is likely to be tested in the courts, but the ICO gives an example that the theft of a customer database would need to be reported but the loss of the staff telephone list would not. Recital 85 of the GDPR gives the background.

Brexit

If you’re thinking that Brexit will mean GDPR will not apply, it should be clear by now that that’s not true. Firstly, the UK will still be in the EU when GDPR comes into force on 25 May and, if or when Brexit finally comes in March 2019, organisations which wish to process data of EU data subjects will need to continue to comply with the GDPR.

It is likely that the government will also want our laws to be regarded as adequate, so that EU data subjects’ personal data can be transferred easily to the UK and, to do that, our laws will need to be broadly equivalent to the GDPR.

Children

Children have the same rights over their personal data as adults. With regard to online services, the UK has set the age of consent at 13. Otherwise consent must be obtained from the parents, or whoever holds parental responsibility, unless the online service being offered is a counselling or preventive service.

Social media platforms are already responding with WhatsApp (owned by Facebook Inc) raising their minimum age limit to 16 in the EU while Facebook is opting to ask teenagers aged 13-15 to nominate a parent or guardian to give permission for them to share their info on the platform.

Consent

If consent is given by an individual then you can process their personal data. However, that consent must be specific. Just because someone agrees to sign up for an email, does not mean they have given someone permission to call them. It must also be positive and opt-in. The conditions for consent are set out in Article 7 of the GDPR and further guidance on Consent has been published by the ICO. Note that consent is not the only basis for the processing of personal data, and that it is rarely the most suitable basis.

Read the guidance on Consent

D-G

Data Controllers and Data Processors

A data controller is someone who decides what they do with the personal data they have collected. For example, an online shop is the data controller for any information collected on their customers.

A data processor is a third party processing data on behalf of a data controller. So, if the online shop owner uses a third-party ecommerce service to host their shop, the ecommerce software provider is a data processor when processing data on behalf of the controller.

This is just a very simple example; in the more complex world this distinction may not be so clear-cut. In the above example the ecommerce provider may also be a controller in their own right in respect of other information which they collect, such as web server logs, as it is possible to be both a controller and a processor.

See Article 4.8

Data Portability

Individuals have the right to request that a data controller supplies them with some personal data in a “structured, commonly used and machine-readable format”, or even that they should send that data to another controller. This right applies to data which the data subject has provided to the controller. The Article 29 Working Party interprets this widely, arguably going beyond what the GDPR itself says. The idea is to make it easier to switch to another service, for example if you want to stop using Facebook and start using another social network. Two questions leap to mind: which other social network, and will it actually work (what happens to your Facebook likes, for example)? (see Article 20 and the ICO guidance)

Data Protection Act 2018

A separate piece of legislation that adds some additional bits to the GDPR for our own domestic needs, such as setting the age at which a child can consent to processing at 13 (see Children above). It also applies the GDPR to some activities which are outside its remit, such as national security, as well as for the situation in which the UK leaves the EU. The GDPR would have come into operation regardless of this new legislation because EU Regulations are directly applicable in every state and do not require the individual states to draft legislation to implement them, unlike the current Data Protection Act 1998 which was born out of an EU Directive not a Regulation.

The Act received Royal Assent on 23 May 2018. You can read it here.
[This entry updated 24/05/2018]

Data Protection Officer (DPO)

All public authorities and any organisations whose “core activities” involve large scale, regular and systematic monitoring of individuals or sensitive data, including criminal convictions, must appoint a data protection officer (DPO).

The ICO says they must be “independent, an expert in data protection, adequately resourced, and report to the highest management level.”

See section 4 of the GDPR, Articles 37-39

Erasure

Often referred to as the ‘right to be forgotten’ (whether this equivalence is strictly accurate is up for debate). Essentially you have a right to have your personal data erased if it is no longer needed for the purpose for which it was originally collected (i.e. you signed up for a service to which you no longer subscribe) or you withdraw your consent (unsubscribing from a newsletter or opting out of direct marketing). However, if the controller still needs to process the data for certain reasons, for example to comply with a legal obligation, or in connection with a legal claim, the right to erasure does not apply.

European Data Protection Board (EDPB)

The European Data Protection Board (EDPB) is the body in charge of the application of the General Data Protection Regulation (GDPR). It took on that role with implementation of the GDPR on 25 May 2018, replacing the Article 29 Working Party.

According to the EU Europa website the EDPB will

“be at the centre of the new data protection landscape in the EU. It will help ensure that the data protection law is applied consistently across the EU and work to ensure effective cooperation amongst DPAs. The Board will not only issue guidelines on the interpretation of core concepts of the GDPR but also be called to rule by binding decisions on disputes regarding cross-border processing, ensuring therefore a uniform application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions.”

The Board's website will publish its news, guidance and opinions.

Exemption from document processing

GDPR will apply to any organisation that processes the personal data of data subjects in the EU, so SMEs and sole traders are not exempt. If you hold personal data from your customers, suppliers or employees (past or present) then you’ll need to comply with the regulation. This applies regardless of where the data is held (computer network, spreadsheet, mobile phone, cloud).

Smaller organisations (250 employees or fewer) may not need to record how they process data unless that processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of data or personal data relating to criminal convictions and offences. A position statement from the European Data Protection Supervisor has stated that risk means any risk, not a high one, so few organisations will escape the need to record activities entirely, though the ICO guidance on this says you may only need to record those activities that are covered by the definition; you don’t have to document everything you do.

Member States have some wiggle room when it comes to national and public security, civil law enforcement and protecting judicial independence and judicial proceedings.

Read more on the ICO site.

General Data Protection Regulation (GDPR)

The source of all this. The General Data Protection Regulation has been a long time in the making. It was first proposed in 2012, adopted by the Council of Europe and the European Parliament in April 2016 and finally comes into force across all member states of the European Union on 25 May 2018.

Any organisation that processes the personal data of a person in the European Union needs to comply so Facebook, Google and the other Silicon Valley tech giants are in the same boat as well.

The full text of the Regulation is available online.

H-M

ICO (Information Commissioner's Office)

The Information Commissioner’s Office is the body in the UK with responsibility for ensuring compliance with the GDPR. Each individual member state has to have one, and they are known as the supervisory authority. The ICO will handle any complaints about data misuse and malpractice, and has the power to impose penalties where misuse of data has been found; organisations which have suffered personal data breaches need to report to it. It also provides guidance and help on how to comply, so its site should be your starting point for help in implementing the Regulation.

Lawful Processing

Personal data must only be processed lawfully, which means the processing satisfies one of the conditions set out in Article 6.1. They are, in short, that:
  • the individual has given consent
  • it needs to be processed to perform a contract with the individual (e.g. buying something online) or to get a contract started (such as a quote from an insurance company that is never taken up)
  • the law requires a controller to process the data for that purpose
  • it is necessary to protect the vital interests of the data subject or someone else
  • it has to be done to complete a task in the public interest or in the exercise of a controller’s official authority. This could be publication of a director’s disqualification for example.
  • there is a legitimate interest in processing the data but this must not infringe interests or fundamental rights and freedoms of the data subject. So sending out postal marketing is likely to fall within this, unless the data subject has already told you that they do not want to receive marketing.

Legitimate Interest

Another way in which data can be processed lawfully for the purposes of the GDPR, and one that many will rely on. This one is a bit of a balancing act. You can process personal data if, in short, you are confident that you have a legitimate interest (which can be commercial), that the processing will not impact on the rights of the data subject, that the objective cannot be achieved without processing the data and that you have informed the data subject that you may rely on this as a ground for processing.

Most likely this basis of processing will be used when there is an existing relationship between the data controller and the data subject, such as an existing customer or member of a club (although, in these cases, where the basis of lawfulness of “necessity to perform a contract” is available, a controller is likely to be better off relying on that). In its guidance the ICO says legitimate interests are broadly defined, and so stating that you ‘have a legitimate interest in marketing our goods to existing customers to increase sales’ is acceptable. Remember though: the weaker your legitimate interest, the easier it is for the balance to tip in favour of the data subject.

Remember too that data subjects have the right to object to processing carried out on a legitimate interests basis, and have the absolute right to object to direct marketing.

See Article 6(1)(f) or the ICO guidance here.

Legitimate Interest Assessment

The ICO recommends you undertake a legitimate interests assessment (LIA) whenever you rely on legitimate interest as a basis for processing. The term is not mentioned in the GDPR, nor is undertaking such an exercise required by it, but the ICO suggests it as best practice so you have a clear audit trail.

There are three tests to consider:
  1. purpose test (what is your legitimate interest?);
  2. necessity test (can your objective be reasonably achieved with less processing or without it altogether); and
  3. balancing test (will it impact on the individual’s interests and rights)
The ICO has guidance and a template form you can use though you can use your own.

N-Q

Objection Rights

Individuals have the right to object to the processing of their personal data. Objection can be made regardless of whether or not the data is being processed for legitimate interests, direct marketing, profiling, scientific or historical purposes. An organisation may be exempt from complying with an objection if the processing is performed in the public interest.

Organisations must inform individuals of their right to object from the point of first communication and in their privacy policy.

Penalties

Much has been made about potential fines of £17 million or 4% of turnover for infringements of the regulation. While it’s true that the regulators will have the power to impose much bigger fines than under the current Data Protection Act, Information Commissioner Elizabeth Denham, in a blog post dated August 2017, said “the ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”

Personal Data

This is information relating to a person that can identify, directly or indirectly, that person. For example, name, address, genetic information, date of birth, location, online identifier, ID number and so forth. The GDPR applies to personal data held digitally and via a manual filing system.

See also the separate entry for Sensitive Data

Privacy & Electronic Communications Regulations (PECR)

When it comes to some marketing, the GDPR meshes with another piece of legislation, the Privacy and Electronic Communications (EC Directive) Regulations 2003. These regulations set additional protections for consumers when it comes to receiving marketing emails, cold calling and other aspects of the business to consumer relationship.

A key point to note is that even if you have established a legitimate interest in sending a marketing email to someone under the GDPR, that legitimacy would be worthless if the message did not also comply with the PECR.

The ICO also polices compliance and has some guidance here.

Privacy Information

Whenever you collect personal data you must provide the data subject with certain pieces of information about who you are, what you will do with their data and what rights they have, for example to stop you processing it or make a complaint. This is referred to in Articles 13 & 14 of the GDPR as ‘privacy information’. A full list of what you should provide is on the ICO website.

There are slightly different requirements if you are getting the information from a third party. In that case you must provide the individual with your privacy information either within a month, when you first communicate with them using that information or when you first disclose the data to someone else.

Much of this information is set out in a privacy policy, but remember the GDPR requires that you must make sure people can access and understand any information provided so it should be written in plain English. Again the ICO provides some useful hints for presenting privacy information on their site.

Privacy Shield

The Privacy Shield, adopted in 2016, is a set of agreed binding privacy principles that provide a framework for companies operating on both sides of the Atlantic to comply with EU DP requirements when transferring personal data from the EU to the US. The agreement was required as US privacy laws do not match the standard expected in the EU and a previous safe harbour arrangement was found to be insufficient by the European courts.

Despite some uncertainty it seems that as these basic principles are in accordance with the new GDPR principles it will qualify as a method of cross-border transfer after 25 May. However, some experts predict it will soon be struck down, and so having a fall-back plan in place might be sensible.

Processing

Essentially any action performed on a piece, or pieces, of personal data (collection, storage, evaluation, erasure, etc.). It applies to manual and automated processing.

Profiling

Profiling is the automated collection and evaluation of personal data. The purpose is to understand an individual’s behaviour and preferences. The results of any profiling may then be used to undertake automated decision making based upon those assumptions, the most obvious example being those times when you see endless ads for mattresses in your internet browser just after you’ve bought a new bed online.

Profiling will still be allowed under the GDPR but with certain caveats: individuals should be informed of any automated processing of their personal data and have the right to object and have their data deleted where the profiling or the automated decision taking results in a legal, or similarly significant, effect.

Profiling is prohibited in relation to children irrespective of their age.

Pseudonymisation

A technique whereby a ‘pseudonym’ is applied to an individual’s personal data so they cannot be identified (using a reference number rather than name, address, date of birth etc.).
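The masking variants described under Anonymisation above and the reference-number idea in this entry, as an added Python example that is not part of the original page: it masks a constructed sample record in the two ways the Anonymisation entry describes, checks which identifiers survive each step (the “none of which are risk-free” caveat made concrete), and then replaces name, address and date of birth with a keyed reference token. The field names, the demo key and the use of HMAC-SHA256 for the token are assumptions of the example, not anything the page prescribes.

```python
import hashlib
import hmac
from typing import Dict, Set

# Constructed sample record: every value here is invented for this example.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Alice Example",
    "address": "1 Sample Street, Bristol",
    "dob": "1984-03-15",
    "postcode": "BS4 3EH",
    "order": "double mattress",
}

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS: Set[str] = {"name", "address"}
# Fields that identify nobody on their own but can single someone out in combination.
QUASI_IDENTIFIERS: Set[str] = {"dob", "postcode"}


def mask(record: Dict[str, str], fields_to_remove: Set[str]) -> Dict[str, str]:
    """Data masking: drop the named fields and keep everything else.

    mask(r, {"name"}) is the 'remove obvious identifiers' variant;
    mask(r, {"name", "address"}) is the 'partial' variant that leaves date of birth.
    """
    return {k: v for k, v in record.items() if k not in fields_to_remove}


def residual_identifiers(record: Dict[str, str]) -> Set[str]:
    """Pre-release check: which identifying fields survive in the record?

    A non-empty result is the 'not risk-free' caveat made concrete: a date of
    birth sitting next to a postcode can still single a person out.
    """
    return (DIRECT_IDENTIFIERS | QUASI_IDENTIFIERS) & set(record)


def pseudonymise(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace name, address and date of birth with one keyed reference token.

    HMAC-SHA256 under a secret key (an assumption of this example) is used
    instead of a plain hash so that nobody without the key can rebuild the
    token from a guessed name and date of birth. The key is what lets the
    controller re-identify the record, so it is held apart from the data set.
    """
    identity = "|".join(record.get(f, "") for f in ("name", "address", "dob"))
    token = hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    out = mask(record, DIRECT_IDENTIFIERS | {"dob"})
    out["subject_ref"] = token
    return out


def matches_token(record: Dict[str, str], key: bytes, token: str) -> bool:
    """Re-identification step available only to the key holder: does this
    person's data produce the given reference token?"""
    return hmac.compare_digest(pseudonymise(record, key)["subject_ref"], token)


if __name__ == "__main__":
    key = b"demo-key-held-separately"  # constructed; in practice from a key store
    for label, rec in (
        ("obvious identifier removed", mask(SAMPLE_RECORD, {"name"})),
        ("partial masking, dob kept", mask(SAMPLE_RECORD, {"name", "address"})),
        ("pseudonymised", pseudonymise(SAMPLE_RECORD, key)),
    ):
        print(f"{label:28} residual identifiers: {sorted(residual_identifiers(rec))}")
```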

R-Z

Rectification

Another fundamental individual right is to rectification. In other words, if an organisation holds incorrect or incomplete information about you, you have the right to request that they correct or complete it. You can make the request verbally or in writing and the organisation has one month in which to respond.

According to the ICO the draft Data Protection Bill proposes some exemptions for organisations largely based around the reasons for processing the data. While vague at this stage it seems sensible to conclude they will be based on the interests of national and public security, civil law enforcement and protecting judicial independence and the privilege of judicial proceedings (see Exemptions).

Restriction Rights

One of the key rights accorded to individuals under the GDPR. It is closely linked to the right to object and the right to rectification and can be an alternative to erasure.

A restriction can be requested if the data is inaccurate, has been unlawfully processed (see Lawful Processing), a right of objection has been exercised or if the data needs to be retained but not used (say in the case of a legal claim).
Once a restriction is in place the data can only be stored and no further processing or alteration can be carried out until the restriction is lifted.

Organisations do not have to comply with a restriction request if the processing is in the public interest, for the protection of someone’s rights or is required for the purposes of a legal claim.

Right to be Informed

A cornerstone of the GDPR is greater transparency, and the individual’s right to be informed about the collection and use of their personal data is a key element of this. Organisations will be obliged to share this ‘privacy information’ with an individual preferably at the time of collection but no later than one month afterwards. ‘Privacy information’ is the purpose for which the data is being collected and processed, how long it will be retained and with whom it will be shared.

Sensitive Data

This is data that relates to your genetic or biometric identity or data that reveals details about your racial/ethnic origin, health, sexual orientation, sex life, political opinions, religious or philosophical beliefs or whether or not you belong to a Trade Union.

Vital Interests

These are interests essential to someone's life - matters of life and death. The ICO cites Recital 46 when offering its definition, which in turn states “when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.” No room for interpretation there then…
The Society for Computers and Law is a registered charity
A company limited by guarantee 1133537 | Registered Charity No. 266331 | VAT Registration No. 115 4840 85 | Registered in England and Wales | Registered office: Unit 4.5, Paintworks, Arnos Vale, Bristol, BS4 3EH. 