E.U. General Data Protection Regulation
26 May 2018
Scope of GDPR
Both organisations within the EU jurisdiction and those in external jurisdictions which supply goods or services to member citizens of EU. If those those organisations offer services, collect, share or use (process) 'personal data' of natural persons.
Application of DGPR to activities depends on whether personal data is processed. Personal data has to relate to an identified or identifiable individual either directly from the information in question or in combination with other information. [^1]
Personal data could be anything that allows identification, a name, related number (ID, NI), location or less obvious IP address or cookie identifier.
Does not include
- Information about a deceased person.
- Information about companies or local authorities.
- Truly anonymous data.
Cookies as Personal Data
Cookies can be used to identify a person and therefore should be treated as 'personal data'.
The basic principle is simple enough,
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device.
- explain how cookies can be controlled and deleted by the browser.
Cookies have to be explained both by name an purpose, whether they be session or more persistent.
Consent cannot be implied simply a user navigating a website. Consent to be valid must be freely given, specific and informed.[^2] And requires an unambiguous indication by statement or affirmative action that signifies agreement to 'processing' related personal data.
Processing of Personal Data
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- accurate and, where necessary, kept up to date.
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Lawfulness of Processing
Processing of personal data can only be lawful if at least one of the following applies
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- processing is necessary for the performance of a contract.
- processing is necessary for compliance with a legal obligation.
- processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- processing is necessary for the performance of a task carried out in the public interest.
- processing is necessary for the purposes of the legitimate interests.
Right to Access Your Data
Administrative fines of €20,000,000 or four per cent of a firm's global turnover (whichever is greater) for serious offences and €10,000,000 and 2% for lesser breaches.[^3]
So much for theory but, what is actually happening in the big data industry?
Facebook Mas exodus From Ireland
Facebook as outlined in this article is moving service agreements out of Ireland to the more lenient USA. A move which could potentially save billions if ever they fall fould og GDPR.
UK Controlling Authority is (ICO) Information Commissioner's Office
European Commission: 7 steps for business
European Commission: Data Protection
European Commission: Rules for business and organisations
European Commission site: Cookie Statement
footnotes [^1]: Article 4 (1) Definitions 'personal data'
[^2]: Article 4 (11) Definitions 'consent' [^3]: Article 83 "General conditions for imposing administrative fines"