Understanding GDPR: Key Principles, Data Subject Rights, and Controller Responsibilities - Part 1
Devs must understand these basic GDPR requirements.
In this part of the series, we are going to talk about GDPR, who should care, key principles, data subject rights, and controller and processor responsibilities towards complying with GDPR. In the final part of this series, we will get into the best practices an IT team needs to follow to comply with GDPR, so stay tuned!
Let’s jump right in and see what GDPR is, why it’s important, key principles, and the rights of the data subject.
What Is GDPR?
The General Data Protection Regulation is a European Union Regulation. At its core, GDPR is a new set of rules designed to give EU citizens more control over data that belongs to them. It aims to simplify the regulatory environment for business so that both citizens and businesses in the European Union can fully benefit from the digital economy.
It aims to protect people's fundamental rights to their data and ensures a free market in the EU for goods and services.
In the last 20 years, the way we live has totally changed. We are connected to some form of technology all the time, and to a large extent, our lives depend on it. So it is essential that we have strict regulations to protect people's data.
Who Should Care About GDPR?
GDPR is going to change the way we design, develop, and maintain our systems. It applies to any organization operating within the EU, as well as any organizations outside of the EU that offer goods or services to customers or businesses in the EU.
What Does GDPR Say?
- Data use is fair and expected
- Hold only the data that is necessary
- All data must be accurate
- Delete when finished
- Keep data secure
- Be accountable
Why Should I Comply With GDPR?
- Administrative fines — 20 million euros or 4 percent of global turnover
- Liability risk
Key Data Protection Terms
The protection of natural persons in relation to the processing of personal data is a fundamental right.
Everyone has the right to the protection of personal data concerning him or her. It is important to note here that it is not “the right to the protection of personal data of natural person.” In that case, someone could walk into a loan disbursement company after taking out a loan and say: “Okay, now don’t store anything related to me, or delete all the data related to me.”
But, that’s not how it should be, right?
So, GDPR says that everyone has the right to the protection of personal data concerning him or her. Therefore, if a data controller has a legitimate reason to have your personal data, then they can keep it.
A 'Natural Person' in GDPR Means:
- A living human
- Not a zombie, dead person, or an organization
What Does Processing Mean?
Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
This basically means ANYTHING that has to do with data.
So, we can change the statement we made here to:
This regulation lays down rules relating to the protection of LIVING HUMANS with regard to doing anything with PERSONAL DATA.
What Is Personal Data?
Any information relating to an identified or identifiable living human.
This is not the same as Personally Identifiable Information (PII), which only talks about a few things like SSN or tax reference number.
Personal data in GDPR includes any and all sorts of information, not necessarily direct identifiers (like an SSN), that can be used to get the name of a person.
Three Key Terms in GDPR:
Data subject: The living human that the data is about or relates to.
Data controller: An entity that determines the purposes and means of the processing of personal data. The definition of a controller from GDPR is a bit longer:
A controller is a person, public authority, agency, or another body, which, alone or jointly with others, determines the purposes and means of processing of personal data.
Data processor: An entity that processes personal data on behalf of the controller.
A processor is a person, public authority, agency, or another body that processes personal data on behalf of the controller.
Controllers decide to process or do anything with the personal data of data subjects (living humans).
Both data controllers and data processors process personal data.
Key Principles in GDPR
Below are a few key principles in GDPR that we (people from the IT/software field) should be aware of:
Principle No. 1: Data Use Should Be Transparent, Fair, and Lawful
Transparency: Controllers should tell people what they are going to do with their data and why.
Fair: Properly balancing the fundamental rights and freedom of the person whose data it is, with the rights of the entity processing the data.
Lawful: Processed for one of six specified reasons:
- Legal obligation
- Vital interests
- Public interest/official authority
- Legitimate interests
Principle No. 2: Purpose Limitation
The controller should only use data for the purpose they obtained it for and not for other purposes.
Principle No. 3: Data Minimization
Data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Get the data that is needed, nothing more.
Principle No. 4: Accuracy
Data should always be kept accurate and up to date.
Principle No. 5: Storage Limitation
This principle is about how long controllers store the data.
GDPR says that a controller should not keep data for longer than necessary. This means that once they are done with the data of a customer and if a customer chooses to leave their business, then data concerning the customer should be deleted.
A retention policy for all the data should be clear and distinct.
Data must be deleted once its retention period has passed (whenever you are done with processing the data of that customer).
Principle No. 6: Integrity and Confidentiality
Data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
To comply with this, we can do any or all of the following:
- Pseudonymise the data — controllers should not give out data as-is when they are sharing it with any of their employees, stakeholders, or users. Always encrypt or pseudonymise it so that only the intended recipients can make sense of it, and anyone else who gets hold of it cannot.
- Spreadsheets or PDFs should be saved as password-protected files.
Data Subject Rights
These are the rights that people have over the data concerning them. Let’s look at the rights that data subjects have under GDPR.
1) Right to Know How Data Will Be Processed
The data controller is bound to provide the following information to the data subject as part of this right (Articles 13 and 14):
- Who is the data controller? What’s the name of the organization?
- Contact details of the person responsible (DPO)
- Purpose and legal basis
- What are the legitimate interests?
- Other recipients
- International transfers
The data controller also needs to provide the following information:
- Retention period
- Statement of rights
- Special rights if consent used
- Notification of the right to complain
- Whether obligated to provide data
- Use of automated decision-making/profiling
This information needs to be provided when you get the data from the data subject. Also, this information needs to be given within 30 days of the data subject's request and should be free of charge.
2) Tell Me What You Have Got (Article 15)
The data subject can ask the data controller for the data/information about them.
DSAR (Data Subject Access Rights)
- Is the data being processed?
- If so, a copy of all the data
- All the information you would give on collection
- Where you got the data from
- Without affecting someone else's privacy
3) Right of Rectification
The data subject can direct the data controller to correct the data about them if it is inaccurate (Article 16). The right of rectification — inaccurate data should be corrected at the request of the data subject.
4) Right to Erasure
In specific cases, the data subject can ask the controller to erase or delete their data (Article 17):
- Also known as the "right to be forgotten"
- Qualified right — not all data can be forgotten. Only data that, as a data controller, we don't need should be allowed to be deleted.
For instance, under the circumstances below, the data should be deleted:
- If the data controller doesn’t have any legitimate grounds to hold the data
- If the data subject withdraws the consent that he or she gave earlier
- If it is not lawful to hold some data of a data subject
5) Right to Restrict Processing
The data subject can direct the controller to stop doing something with their data. This right lets the data subject tell the controller: I would like you to stop everything with this data apart from storage, as it might be a legal obligation.
Typically, this scenario can occur if, let’s say, the data of a data subject is inaccurate. The data subject can then tell the controller: I would like you to correct that data. Until then, please stop doing anything with my data.
Most of the time, this will occur during secondary processing.
6) Right to Data Portability
The data subject can ask the controller to give back, in an electronic format, the data that they had given to the controller. This right enables the data subject to ask for a copy of their data in an electronic format.
The data subject can also ask the controller to have a copy of their data transmitted directly to another controller.
The two data subject rights below are restrictive rights.
7) The Data Subject Can Object to Processing (Article 21)
8) Automated Decision-Making and Profiling (Article 22)
The right not to be subjected to automated processing and profiling that might produce legal or similar effects.
Consequences and Remedies
Before we conclude this part of the series, let’s talk about the consequences that a controller might have to face if they do not comply with GDPR.
In every EU country, there will be a supervisory authority.
If a data controller doesn’t acknowledge or respond to the rights of data subjects effectively, then the supervisory authority can put a hefty fine on them. And this fine can be quite large. Administrative penalties: 4 percent of global turnover or 20 million euros.
Data subjects have the right to enforce rights in court and complain to the supervisory authority. Data subjects have the right to claim damages because a right wasn’t acknowledged.
In the next part of this blog series, we will discuss more on data controllers' and processors' responsibilities, including the key roles in GDPR.
To write up this blog series, I went through this GDPR Pluralsight course.
Published at DZone with permission of Martijn Vrencken. See the original article here.