Monday, October 30, 2017

GDPR Is Still ALIEN To Many, With Fines That Are Out Of This World



On May 25, 2018, the General Data Protection Regulation (GDPR) will become a global law.

The regulation applies to the collection, processing and movement of personal data for individuals residing in 32 European States (28 EU States + 4 other European States). If your company has prospects or customers in these States, you most likely have exposure and are mandated to comply, or risk severe penalties and fines.

GDPR Citation (2) states the following:

(2) The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons. 

Why has this become an issue?

GDPR Citation (6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data. 

GDPR Citation (7) Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

Thursday, October 26, 2017

GDPR Approved Certification. Where Are The Certification Bodies?



The GDPR encourages the establishment of data protection certification (Article 42, Paragraph 1) and outlines the criteria for setting up the certification bodies (Article 43). However, these accredited certification bodies have been slow to surface.

With only a few months to go, this is surprising because certification is an integral part of the GDPR fabric. For example, the GDPR references approved certification as a mechanism that may be used as an element to demonstrate compliance in the following sections:

Processor's Obligations With The Controller, [Citation (81)]
Responsibility Of The Controller, [Article 24, Paragraph 3]
Data Protection By Design And By Default, [Article 25, Paragraph 3]
Processor's Capability, [Article 28, Paragraph 5]
Security of Processing, [Article 32, Paragraph 3]
Guiding the imposition of administrative fines, [Article 83, Paragraph 2(j)]

Articles 42 and 43 are listed below.

Article 42 Certification

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account. 

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects. 

3. The certification shall be voluntary and available via a process that is transparent. 

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56. 

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal. 

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure. 

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met. 

8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means. 


Article 43 Certification bodies 

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following: 

(a) the supervisory authority which is competent pursuant to Article 55 or 56; 

(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (1) in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56. 

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have: 

(a)  demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority; 

(b) undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63; 

(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks; 

(d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and 

(e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests. 

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies. 

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article. 

5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification. 

6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board. The Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means. 

7. Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation. 

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1). 

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2). 


Saturday, October 21, 2017

GDPR Will Impact Many U.S. Businesses By Requiring Data Protection By Design And Default


In our digital economy, global communication and solicitation is the norm. However, many US corporations have not contemplated their exposure to GDPR. In addition to providing an infrastructure that allows EU individuals (data subjects) to exercise their rights, the GDPR mandates data protection by design and by default.

GDPR, Citation (78) - "... In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. ..."

GDPR, Citation (108) - "In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. ..."

GDPR, Article 25 - Data protection by design and by default:

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article. 


Data protection by design and by default are described in GDPR Article 47 as items that need to be specified in the Binding Corporate Rules:

Article 47, Paragraph 2(d): "minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;"


Sunday, October 15, 2017

The Data Protection Officer Shall Be Designated On The Basis Of Professional Qualities



With respect to the DPO, the GDPR states that, "The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39." GDPR Article 37, Paragraph 5. 

And that, "The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge." GDPR Article 38, Paragraph 2.

Knowledgeable advice and direction are given by attorneys specializing in privacy, and by consultants and IT professionals with years of practical experience. To assist their efforts, dozens of new software applications are being introduced in the market offering customized GDPR solutions.

A short list of organizations offering programs and certifications relevant to GDPR would include the IAPP, ISACA, (ISC)² and the EU GDPR Institute.

The International Association of Privacy Professionals (IAPP) was formed in 2000 and describes itself as the world's largest information privacy organization. The IAPP offers the CIPP, CIPM and CIPT certification programs, specifically designed for professionals who manage, handle and access data. The IAPP also awards the FIP designation. https://iapp.org/

CIPP - Certified Information Privacy Professional - is the "what", showing an understanding of the laws, regulations and standards of privacy in a specific jurisdiction or discipline. CIPP offers five concentrations, each focused on a specific region or sector: Asia (CIPP/A), Canada (CIPP/C), Europe (CIPP/E), U.S. Government (CIPP/G) and U.S. private sector (CIPP/US).

CIPM - Certified Information Privacy Manager - is the "how" of operations, showing an understanding of how to use process and technology to manage privacy in an organization, regardless of the industry or jurisdiction.

CIPT - Certified Information Privacy Technologist - is the "how" of technology, showing an understanding of how to manage and build privacy requirements and controls into technology.

FIP - Fellow of Information Privacy - demonstrates a comprehensive knowledge of privacy laws, privacy program management and essential data protection practices, after completing two IAPP credentials.


The Information Systems Audit and Control Association, now known by its acronym ISACA, has been in existence for almost 50 years and boasts 140,000 members in 170 countries. ISACA offers the CISA, CRISC, CISM and CGEIT certifications. https://www.isaca.org/

CISA - Certified Information Systems Auditor - demonstrates audit experience, skills and knowledge, and the capability to assess vulnerabilities, report on compliance and institute controls within the enterprise.

CISM - Certified Information Security Manager - this management-focused certification promotes international security practices and recognizes the individual who manages, designs, oversees and assesses an enterprise's information security.

CRISC - Certified in Risk and Information Systems Control - prepares IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise.


The International Information System Security Certification Consortium, known as (ISC)², offers a number of different certifications, with the Certified Information Systems Security Professional (CISSP) being one of the most prominent. The CISSP recognizes information security leaders who have the knowledge and experience to design, develop and manage the overall security structure in an organization. https://www.isc2.org/Certifications

Another organization which recently emerged is the EU GDPR Institute. The EU GDPR Institute offers a GDPR Certification and a DPO Certification. Its function is focused on the GDPR, and it helps organizations to comply in this new era of privacy. The EU GDPR Institute code of conduct (certification mechanism) provides a platform for data controllers and processors to ensure a structured and efficient means for GDPR compliance. http://www.eugdpr.institute/

Thursday, October 12, 2017

GDPR Regulations Do Not Apply To Deceased Persons



As depicted in an earlier GDPRtoon, the GDPR has many derogations (exceptions or exemptions) to the regulations. One of the derogations from the regulation is for the collection of personal data on the deceased.

GDPR Citation (27) states:

"(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons."

It is also mentioned again in GDPR Citation (158):

"(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes."

Monday, October 9, 2017

GDPR is a Titanic Problem For Many Companies


The European Union's General Data Protection Regulation (GDPR) was approved on April 14, 2016, and goes into effect on May 25, 2018. As the headlines read, and surveys validate, a vast majority of businesses will not be prepared. Many factors contribute to this, starting with a lack of knowledge and understanding, which leads to the complacent thought that "We will not be impacted by this".

GARTNER SAYS ORGANIZATIONS ARE UNPREPARED FOR THE 2018 EUROPEAN DATA PROTECTION REGULATION, May 3, 2017

Gartner Inc. predicts that by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements. http://www.gartner.com/newsroom/id/3701117


90% OF BUSINESSES ARE NOT READY FOR GDPR SURVEY REVEALS, September 20, 2017
https://www.businessleader.co.uk/90-businesses-not-ready-gdpr/35818/


TREND MICRO RESEARCH REVEALS C-LEVEL EXECUTIVES ARE NOT PREPARED FOR GDPR IMPLEMENTATION, September 5, 2017

• Senior executives shun GDPR responsibility in 57 percent of businesses

• 42 percent of businesses don't know email marketing databases contain PII

• 22 percent of businesses claim a fine 'wouldn't bother them' if found in violation

http://newsroom.trendmicro.com/press-release/commercial/trend-micro-research-reveals-c-level-executives-are-not-prepared-gdpr-imple 

Sunday, October 8, 2017

GDPR Has Several Exemptions (Derogations) That Businesses Should Be Aware Of


The GDPR includes several derogations, or exemptions, from the regulation. One of the derogations applies when information (personal data) on individuals is not held in an organized state, for example when the data is not in a filing system.

This specific derogation is referenced in GDPR Citation (15):

"In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation."

Friday, October 6, 2017

GDPR Allows For DPOs To Be Appointed From Staff


The GDPR sets forth the conditions under which a controller shall designate a Data Protection Officer (DPO). The DPO carries a tremendous amount of responsibility in an organization and also shares in the liability. Under Article 37, Paragraph 6, a staff member may be appointed as the designated DPO, and some uninformed organizations may be inclined to push the responsibility back into the IT Department.


GDPR Article 37 -  Designation of the data protection officer 

1. The controller and the processor shall designate a data protection officer in any case where: 

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; 

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or 

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. 

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. 

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size. 

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors. 

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. 

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. 

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority. 


Article 38  - Position of the data protection officer 

1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. 

2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge. 

3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor. 

4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation. 

5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests. 


Article 39 - Tasks of the data protection officer 

1. The data protection officer shall have at least the following tasks: 

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; 

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; 

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; 

(d) to cooperate with the supervisory authority; 

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. 

2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. 

Thursday, October 5, 2017

GDPR makes it very clear that you must weigh your business interest against the individual's interests


If you decide to claim Legitimate Interest as your "Lawfulness of processing", the GDPR makes it very clear that you must weigh your business interest against the individual's interests or fundamental rights and freedoms. This balancing act must not jeopardize the individual's rights for your business interests.

GDPR Article 6, paragraph 1(f): "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

CIPL - Centre for Information Policy Leadership GDPR Implementation Project
19 May 2017 - TOP TEN MESSAGES ON THE PRINCIPLES OF TRANSPARENCY, CONSENT AND LEGITIMATE INTEREST

CIPL(#8) "Legitimate interest may be the most accountable ground for processing in many contexts, as it requires an assessment and balancing of the risks and benefits of processing for organisations, individuals and society."

CIPL Paragraph 4.4, The balancing test:

• The legitimate interest ground is no carte blanche for processing. Instead, the balancing test under legitimate interest requires a context-specific risk/benefit assessment and implementation of potential mitigations as part of organisational accountability.

• Each controller is responsible to ensure that the application of the legitimate interest ground for a new processing purpose meets the relevant balancing test. Moreover, each new or changed proposed processing purpose must be reviewed de novo under the legitimate interest balancing test.

CIPL Paragraph 1.1: "... Legitimate interest requires an assessment and balancing of the risks and benefits of processing for organisations, individuals and society. It also requires the implementation of appropriate mitigations to reduce or eliminate any unreasonable risks. This places the burden of protecting individuals on the organisation and shifts it away from individuals. Organisations are in the best position to undertake a risk/benefits analysis and to devise appropriate mitigations, and individuals should not be overburdened with making these assessments and informed choices for all digital interactions and processing of their personal data."

GDPR Citation (47) "The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

Another version of the 'toon. Thank you Dr. Tim Walters.





Wednesday, October 4, 2017

GDPR Requirements When Obtaining Data From Other Sources


The GDPR addresses specific requirements that must be followed when data is obtained from other sources about people in your files. For marketing purposes, this is often referred to as a "data overlay" or "data append".

Article 14 of the GDPR is dedicated to this situation, and is titled: "Information to be provided where personal data have not been obtained from the data subject."

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: 

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative; 

(b) the contact details of the data protection officer, where applicable; 

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; 

(d) the categories of personal data concerned; 

(e) the recipients or categories of recipients of the personal data, if any; 

(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available. 

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: 

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; 

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; 

(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability; 

(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; 

(e) the right to lodge a complaint with a supervisory authority; 

(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources; 

(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

3. The controller shall provide the information referred to in paragraphs 1 and 2: 

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed; 

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or 

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed. 

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2. 

5. Paragraphs 1 to 4 shall not apply where and insofar as: 

(a) the data subject already has the information; 

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available; 

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or 

(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy. 




Tuesday, October 3, 2017

In Addition to GDPR Fines, Individuals Have The Right For Compensation





The ramifications of GDPR go beyond the administrative fines that can be imposed by the Supervisory Authority. GDPR Article 82 gives individuals the right to compensation for "material" or "non-material" damage.

Article 82 - Right to compensation and liability 

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. 

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. 

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage. 

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. 

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2. 

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2). 

Sunday, October 1, 2017

Transparency in the GDPR is Intended to be User-Centric


The Centre for Information Policy Leadership GDPR Implementation Project issued a report on May 19 titled, "Recommendations for Implementing Transparency, Consent and Legitimate Interest Under GDPR". The opening paragraphs, section 1.1, make direct reference to User-Centric Transparency:

"The GDPR recognizes transparency as a core principle of data protection. Transparency is related to the fair processing principle. Processing can be fair only if it takes place in a transparent manner."

"However, transparency can serve its purpose only if it is meaningful. There currently is a growing gap between legal transparency and user-centric transparency. Concise and intelligible privacy notices focusing on truly informing users by providing meaningful information are at the center of user-centric transparency."

"Transparency in the GDPR is intended to be user-centric. It should be an effective instrument for the empowerment of the individual, one of the main objectives of the GDPR. This is why CIPL's recommendations focus on user-centric transparency. Transparency should be context-specific, flexible, dynamic and adaptable to constantly evolving and changing uses to provide clear and understandable information to individuals and to enable a genuine choice where it is possible about the use of their personal data. However, even where consent is not available, transparency is still necessary to provide relevant information about the processing activities, how the organisation has mitigated the risks, the rights of individuals and any other relevant information demonstrating that the organisation is fully accountable for its processing activities."