Friday, September 29, 2017

GDPR Requires Notifications



GDPR Article 14 is very clear about "Information to be provided where personal data have not been obtained from the data subject". This would include appending records with third-party demographic overlays showing things like credit status, wealth, income, lifestyle, preferences, social activity, etc.

GDPR Article 14 states:

"1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: 

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative; 

(b) the contact details of the data protection officer, where applicable; 

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any; 

(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available. 

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: 

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; 

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; 

(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability; 

(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; 

(e) the right to lodge a complaint with a supervisory authority; 

(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources; 

(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

3. The controller shall provide the information referred to in paragraphs 1 and 2: 

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed; 

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or 

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed. 

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2. 

5. Paragraphs 1 to 4 shall not apply where and insofar as: 

(a) the data subject already has the information; 

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available; 

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or 

(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy."

Thursday, September 28, 2017

GDPR Erase ALL MY DATA - But How Do You Know It's Them?



GDPR explicitly requires the Controller to be certain that the person making a request (for access, objection, erasure, rectification, restriction or portability) is in fact the data subject whose data it concerns.

"The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests." [GDPR Citation 64]

"The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means."  [GDPR Article 12, Paragraph (1)].

"Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject." [GDPR Article 12, Paragraph (6)].




Wednesday, September 27, 2017

GDPR Data Breach Requirements, Including Communication to Data Subjects





GDPR Article 33 addresses the "Notification of a personal data breach to the supervisory authority", and Article 34 addresses "Communication of a personal data breach to the data subject."

Article 33 states:

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. 

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. 

3. The notification referred to in paragraph 1 shall at least: 

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; 

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; 

(c) describe the likely consequences of the personal data breach; 

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. 

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. 


5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article. 

Article 34 describes when a personal data breach must be communicated to the individuals (data subjects), as well as the conditions (3 of them) under which that communication is not required.

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. 

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3). 

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption; 

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; 

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. 


4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met. 

Tuesday, September 26, 2017

GDPR - Keeping Record of Consent



The GDPR specifically states that you must be able to prove that you have received consent from an individual if you choose consent as your lawful basis for processing personal data.

"Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation...." [GDPR Citation 42].

This is reiterated in Article 7, Conditions for Consent:

"Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." [GDPR Article 7, Paragraph (1)].



Monday, September 25, 2017

GDPR Processing Behavior on Your Web Site


The GDPR exhaustively covers the responsibilities and accountability of a Controller and Processor in several of its Articles, including Transparency, Risk Assessment, Data Protection Management and Individual Rights (Access, Portability, Correction, Objection, Erasure).

The GDPR defines a Controller and a Processor as follows:

"‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;" [GDPR Article 4, Paragraph (7)]

"‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;" [GDPR Article 4, Paragraph (8)]

Basically, on a web site, someone (the Controller) has to give permission and direction to other vendors (the Processors) to process the trove of personal data, which on a web site is seemingly endless.

The GDPR references the use of online identifiers, most of which would be transferred and collected by visiting a web site. "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them." [GDPR Citation 30]

In addition to this, the GDPR specifically addresses the tracking of online activity: "... In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes." [GDPR Citation 24].


Sunday, September 24, 2017

GDPR States, Direct Marketing May Be a Legitimate Interest




Direct Marketing is mentioned a few times in the GDPR.

In Citation 47, the GDPR does state, "... The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." [GDPR Citation 47]

It also notes that the person being marketed to might be an existing customer:

"... Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller." [GDPR Citation 47]

However, the data subject has the right to object to direct marketing:

"Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information." [GDPR Citation 70]

So direct marketing may rest on legitimate interest, unless special categories of personal data are collected, in which case consent is required as the lawful basis for processing.

"... Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent..." [GDPR Citation 51], and, as an exception to the prohibition on processing special categories of personal data, where "the data subject has given explicit consent to the processing of those personal data for one or more specified purposes," [GDPR Article 9, Paragraph 2(a)]

So how do the special categories of personal data relate to direct marketing? The link lies in the definitions. Special categories of personal data are described as:

"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." [GDPR Article 9, Paragraph 1]

The key words here are "biometric data". Biometric data is defined in the GDPR as:

"‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;" [GDPR Article 4, Paragraph (14)]

The key words here are "behavioural characteristics", which are tied to tracking the activities of an individual on the Internet and to profiling:

"... In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes." [GDPR Citation 24]

Further, the processing of biometric data also triggers the requirement for a Data Protection Impact Assessment:

"A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data..." [GDPR Citation 91]






Saturday, September 23, 2017

GDPR and Email Communications with Behavioral Profiling of Opens and Clicks


While the GDPR does not specifically address "email marketing", there are numerous implications that would define its actions as "profiling".

The GDPR's definition: "‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;" [GDPR Article 4, Paragraph (4)].

When someone is sent an email (email address = personal data), opens it (behavioural action recorded) and clicks on a link (behavioural action, plus a personal preference inferred from what was clicked), these actions clearly fulfil the definition of "profiling" in the GDPR. Beyond this, the email recipient's server will be returning other personal data such as IP address, operating system and version, screen resolution, Flash version, etc.

The GDPR specifically addresses being tracked on the Internet: "... In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes." [GDPR Citation 24].

Thursday, September 21, 2017

GDPR Has Outrageously High Fines, But What Does It Take To Get There?



The GDPR provides for hefty administrative fines, as reiterated over and over in media coverage and articles. The fact is, many factors must be considered before any administrative fine would approach those amounts.

The upper end of the fines is cited in the GDPR as, "Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher." [Article 83, paragraph 6]

The GDPR stipulates that if administrative fines are imposed, they shall be, "in each individual case be effective, proportionate and dissuasive."  [Article 83, paragraph 6]  

Proportionate and dissuasive fines are based on the following: "When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given" (Article 83, paragraph 2) to things like:

"the nature, gravity and duration of the infringement.." [Article 83, paragraph 2a] 

"the number of data subjects affected.." [Article 83, paragraph 2a] 

"the level of damage suffered by them.."  [Article 83, paragraph 2a] 

"technical and organizational measures implemented.."  [Article 83, paragraph 2d] 

"previous infringements.."  [Article 83, paragraph 2e] 

"degree of cooperation.."  [Article 83, paragraph 2f] 

"adherence to approved codes of conduct.."  [Article 83, paragraph 2j] 

"financial benefits gained, or losses avoided, directly or indirectly, from the infringement..."  [Article 83, paragraph 2k] 

Only after weighing these factors would any administrative fine approach the extremes, and even then the GDPR stipulates that it shall, "in each individual case be effective, proportionate and dissuasive." [Article 83, paragraph 6]





Wednesday, September 20, 2017

GDPR states that data must be kept only for its original purpose and not longer than necessary


GDPR states that data must be kept only for its original purpose and not longer than necessary.

"Personal data shall be: ...collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;"   [GDPR Article 5, Paragraph (1b)].  

"Personal data shall be: ..accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;"   [GDPR Article 5, Paragraph (1d)].  

"Personal data shall be: ...kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;" [GDPR Article 5, Paragraph (1e)]

"... In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review..." [GDPR Citation 39]

Tuesday, September 19, 2017

GDPR and Professional Services, Legal - Security - Privacy


GDPR provides a need for many facets of professional services, including legal, security and privacy consultants and representation.

Some of the key areas where professional services are needed include:

Data Protection Impact Assessment [GDPR Article 35]

Drafting and execution of Binding Corporate Rules [GDPR Article 47]

Data Protection Training for Employees [GDPR Article 47, paragraph (2n)]

Security of Personal Data [GDPR Article 32]

Data Protection by Design [GDPR Article 25]

Communication of Data Breach [GDPR Article 33, Article 34]

Data Protection Officer [GDPR Article 37]

Appropriate Safeguards for Data Transfer [GDPR Article 46]

Codes of Conduct and Certification [GDPR Article 40, Article 41, Article 42, Article 43]

Remedies, Liabilities and Penalties [GDPR Article 77, Article 78, Article 79, Article 80]

Compensation and Liability [GDPR Article 82]

Sunday, September 17, 2017

GDPR requires Binding Corporate Rules


The GDPR requires Binding Corporate Rules, a legally binding and enforceable agreement with a public agency, which is deemed to be one of the appropriate safeguards when data are transferred outside the EU Member States. [GDPR Article 46, Paragraph (2)].

The competent supervisory authority must approve each set of Binding Corporate Rules, and once approved, the companies and their employees are legally bound by those rules.

Per the GDPR, "The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they: 

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;"  [GDPR Article 47, Paragraph (1-1a)]

In addition to 10 other requirements for Binding Corporate Rules [GDPR Article 47, Paragraph (2a-2m)], the GDPR requires "the appropriate data protection training to personnel having permanent or regular access to personal data." [GDPR Article 47, Paragraph (2n)]



Saturday, September 16, 2017

Data Protection Impact Assessment



The GDPR sets forth the need and requirement of a Data Protection Impact Assessment. 

"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks."    [GDPR Article 35, Paragraph (1)].  

The assessment shall contain at least:  [GDPR Article 35, Paragraph (7)].  

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; 
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and 
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.  

GDPR and Pseudonymisation


Pseudonymisation is the process where identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. With regard to the security of personally identifiable information, the 'keys' linking the pseudonyms to the actual data should be secured in a separate location.

The GDPR lists pseudonymisation and encryption of personal data among the appropriate technical and organisational measures to ensure a level of security. [GDPR Article 32, Paragraph (1a)].

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.    [GDPR Citation (26)].

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.   [GDPR Citation (26)].

The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.   [GDPR Citation (28)]

In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.   [GDPR Citation (29)] 
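The two points above (identifying fields replaced by pseudonyms, with the linking key held separately and usable only by designated persons, yet general analysis still possible) can be shown concretely. The following is an added example, not code from the original post or from any GDPR guidance: it uses a keyed HMAC to derive pseudonyms, keeps the key and the pseudonym-to-identity table in a separate `KeyStore` object standing in for the separately held "additional information", and runs a per-subject analysis that never touches names or addresses. The records, names and addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records; the people and addresses are invented.
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "purchase_eur": 40},
    {"name": "Bob Example", "email": "bob@example.org", "purchase_eur": 15},
    {"name": "Ada Example", "email": "ADA@example.org", "purchase_eur": 25},
]

# Fields that identify the data subject; everything else stays for analysis.
IDENTIFYING_FIELDS = ("name", "email")


def canonical_identity(record):
    """Normalise identifying fields so the same person yields the same pseudonym."""
    return "\x1f".join(record[f].strip().lower() for f in IDENTIFYING_FIELDS)


def make_pseudonym(key, record):
    """Keyed pseudonym: HMAC-SHA256 over the canonical identity.
    Without the key the value can neither be recomputed nor reversed, which
    is what separates it from a plain hash of an email address."""
    digest = hmac.new(key, canonical_identity(record).encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


class KeyStore:
    """The separately held 'additional information': the HMAC key plus the
    pseudonym -> identity table. Only the persons the controller authorises
    should hold an instance of this; analysts never see it."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self._identities = {}

    def register(self, record):
        pid = make_pseudonym(self.key, record)
        self._identities.setdefault(pid, {f: record[f] for f in IDENTIFYING_FIELDS})
        return pid

    def reidentify(self, pid):
        """Reverse lookup; only possible for the holder of this store."""
        return self._identities.get(pid)


def pseudonymise(records, store):
    """Return copies of the records with identifying fields replaced by subject_id."""
    out = []
    for r in records:
        pid = store.register(r)
        out.append({"subject_id": pid,
                    **{k: v for k, v in r.items() if k not in IDENTIFYING_FIELDS}})
    return out


def spend_per_subject(pseudonymised):
    """'General analysis' that needs no identity: total purchases per pseudonym."""
    totals = defaultdict(int)
    for r in pseudonymised:
        totals[r["subject_id"]] += r["purchase_eur"]
    return dict(totals)


def demo():
    store = KeyStore()              # held by the authorised persons
    data = pseudonymise(RECORDS, store)
    totals = spend_per_subject(data)
    top = max(totals, key=totals.get)
    # A second store (another controller, or anyone without the key) cannot
    # map the same pseudonym back to a person.
    other = KeyStore()
    return {
        "records": data,
        "totals": totals,
        "top_identity": store.reidentify(top),
        "other_key_can_reidentify": other.reidentify(top) is not None,
        "leaks_identity": any(f in r for r in data for f in IDENTIFYING_FIELDS),
    }


if __name__ == "__main__":
    result = demo()
    for row in result["records"]:
        print(row)
    print("totals:", result["totals"])
    print("key holder re-identifies top spender as:", result["top_identity"])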

Friday, September 15, 2017

The GDPR's Impact on Data Lakes and Big Data


The GDPR does not allow the indiscriminate collection of personal data (as in a data lake or big data store) without a lawful basis. To determine this, the GDPR provides six (6) grounds for processing personal data, referred to as Lawfulness of Processing. [GDPR Article 6, paragraph (1)].

The GDPR recognizes that "The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities"  [GDPR Citation (6)] 

The GDPR states that "Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed." and,  "In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data."  [GDPR Citation (39)].

Thursday, September 14, 2017

GDPR Profiling, Automated Processing and Artificial Intelligence


The GDPR definition of profiling and automated processing may be interpreted to include artificial intelligence. "‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;" [GDPR Article 4, paragraph (4)]

Article 13 requires controllers to inform data subjects of "...the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject." [GDPR Article 13, paragraph (2f)]

And in some instances, an individual can ask that a human be involved in a decision instead of leaving it to automated processing, "...the right to obtain human intervention..." [GDPR Article 22].