Links & Downloadables

Just as third-party data processors must comply with their data controller’s processing instructions, third countries (those outside the EU) must meet privacy standards equivalent to the EU GDPR in order to be considered safe for receiving personal data from within the EU.

An ‘adequacy decision’ is determined by the European Commission (EC) for each third country, deciding whether to allow unhindered transfer of data, or whether additional safeguards, such as Standard Contractual Clauses (SCCs), are necessary.

Anonymisation, and its cousin 'pseudonymisation', is the process of entirely (the former) or partly (the latter) removing personal identifiers from data. While the concept of anonymisation is fairly straightforward, pseudonymisation is not as clear cut: even if, for example, an external coding system is required for identification, the data is not truly anonymised. When reaching a retention limit or receiving a 'request for erasure', anonymisation is a compliant approach for retaining the non-personal elements of data while upholding your data subjects' rights.

Data breaches are often associated with malicious intent, but the reality is that the vast majority are caused instead by human error. A data breach is any unauthorised access to personal data, either in digital or analogue (paper) format - this can therefore include everything from a compromised server, to an accidentally-shared email, to paperwork being kept in-view of prying eyes. With only 72 hours to report a breach to the applicable data protection authority and to inform affected data subjects, all organisations should be prepared for immediate action.

A 'data controller' is one (e.g. company, public authority, agency, etc.) who decides the purposes and means of processing personal information, providing the guidelines for any associated data processors. Under the EU GDPR, data controllers are expected to have introduced 'Data Processing Agreements' (DPAs) with their data processors in order to ensure compliance with their instructions. With these responsibilities comes the expectation for a data controller to closely monitor, assess, and define the risks and intentions of their personal data processing.

'Data processing' is any operation performed on personal data, regardless of whether or not that operation is automated. Collection, recording/storage, organisation, alteration, dissemination (making available), restriction, and erasure/destruction of personal data is all considered processing. Consequently, as many of these operations are commonplace, the vast majority of businesses are liable for compliance with data privacy legislation. If the personal data being processed is that of EU/EEA individuals, the GDPR is where to begin.

Your company may already be working towards privacy compliance, but are your third parties? It is the responsibility of data controllers to provide their data processors with guidelines on how to process transferred or shared personal data, thus protecting data subject rights and furthering compliance with privacy legislation.

These guidelines, in their most basic form, exist as Data Processing Agreements (DPAs). DPAs outline both standardised legislative requirements as well as any additional restrictions that a data controller wishes to include. Although there are expectations that processors will adhere to the rules, liability ultimately falls on controllers to ensure that appropriate documentation is in place in order to prove awareness and consideration of, and maximise efforts towards, the foundational implementation of privacy by default.

A 'data processor' is anyone (natural or legal) who processes personal information (e.g. collection, organisation, erasure, etc.). This personal information can be that of customers, staff members, partners or affiliates, or any other individual ('data subject'). A data processor must follow the guidelines set out by the associated 'data controller', although data controllers are also themselves categorised as data processors. Data processors must maintain compliance with applicable privacy legislation, which may include the EU GDPR, UK GDPR, and others.

The General Data Protection Regulation (GDPR) includes 8 rights of the data subject: the rights to access, erasure, rectification, portability, restriction, objection, the right to be informed, and rights related to automated decision making and profiling. Individuals can enter Data Subject Requests (DSRs) for any of these rights, which the data processor must then address within 1 month. Under certain conditions, this 1-month period can be extended within reason, and exemptions do exist to allow organisations to altogether deny specific DSRs.

The GDPR protects the rights of 'identifiable natural persons', also known as 'data subjects', who are within the European Union (EU). A 'natural person' is a living human being, as opposed to a 'legal person', which may be a private or public organisation. Identifiers of data subjects can exist in many formats, ranging from social security number and location data (physical or digital) to genetic or economic information, to name only a few. During compliance efforts, be sure to consider all data subjects: customers, colleagues, and staff alike.

Whether it be for marketing, advertisement, cookies, or any other personal data processing to which no 'lawful basis' applies, 'explicit consent' must be obtained from the data subject.

Explicit consent can be either oral or written, but must involve an informed, unambiguous decision from the individual, often requiring a system of affirmation (opt-in) rather than refutation (opt-out).

This means that:

• the language used is simple and understandable,
• consent is specific to the purpose of data processing and not grouped with other terms,
• a clear record of consent is maintained,
• consent can be easily withdrawn, and
• there is no penalty for refusing to consent, including restricting services that do not necessarily require data processing.

Although it may be tempting to maximise user engagement by, for example, pre-selecting registration to a newsletter, remember that, beyond the scope of legislation, improved customer relations can be built on transparency and choice.

While the EU GDPR applies to all of the EU/EEA, many member nations have amended and strengthened domestic consent gathering obligations, specifically surrounding cookies and their implementation.

The Information Commissioner's Office (ICO) is the United Kingdom's (UK) independent authority whose role it is to uphold information rights in the public interest. Covering several sets of legislation, including the General Data Protection Regulation (GDPR), the ICO's focus extends beyond data privacy and into data protection, investigatory powers, freedom of information, and more. While also performing the common duties of any data protection authority, the ICO is of particular importance for the implementation of the post-Brexit 'UK GDPR'.

Integritetsskyddsmyndigheten (IMY) is the Swedish Data Protection Authority (DPA). Tasked with protecting individuals' data privacy and security, the IMY facilitates the education and implementation of the European Union's General Data Protection Regulation (GDPR). Alongside handling data breach reports and complaints of non-compliance, the IMY provides frequent updates on legislative amendments, issued fines, and published material advising on best practices for any organisation processing personal data.

Data Privacy Impact Assessments (DPIAs) are an essential step when developing new products, processes, and strategies. By using DPIAs to identify and assess the potential risks to individuals’ privacy, organisations can ensure that new or updated projects minimise personal data processing and improve security measures, while also collecting a record of efforts towards EU and UK GDPR compliance.

DPIAs should be integrated into development cycles and reviewed with relative frequency. While a Data Protection Officer (DPO) often leads such reviews, effective PIAs require the input of representatives from several departments within an organisation.

While anonymisation is the complete removal of all personal identifiers from a data set (any information that can be used to identify an individual), ‘pseudonymisation’ is a half-way point. When data has been pseudonymised, there is no direct link between a data set and an individual, but a connection could still theoretically be made.

For example, if users’ names are replaced with coded initials, but a list of the names and corresponding codes is retained elsewhere, the original data set is only pseudonymised as there exists a recorded link between the two (no matter how restricted access to that information may be).

True anonymisation can be difficult to achieve and pseudonymisation is often a more realistic option; however, it is important that a Privacy Impact Assessment is completed prior to a decision being made. Remember that the purpose of privacy legislation is not to intentionally complicate legitimate processing scenarios, but to ensure accountability and justification, encourage privacy by design, and minimise the risk to individuals’ privacy.

‘Sensitive data’ is a subset of personal data that requires stricter justification for, and extra care in, processing. These special categories can include: racial or ethnic origin; political opinions; religious or philosophical beliefs; sexual orientation; trade-union membership; genetic or biometric data; health-related data. Before collecting sensitive data, ensure that a ‘Data Privacy Impact Assessment’ (DPIA) has been conducted to review potential risk, and consider implementing additional security measures for the storage of such data.

Standard Contractual Clauses (SCCs) are regulated sets of terms that must be signed by sender and receiver prior to personal data being transferred to a third party operating outside of the General Data Protection Regulation's (GDPR) jurisdiction. Although there are some mechanisms in place for simplifying compliance when transferring personal data to third countries, such as the recently invalidated EU-US Privacy Shield, SCCs remain small- and medium-sized enterprises' best alternative for ensuring the compliance of extra-EU/EEA third parties.