If you’re not familiar with the new EU General Data Protection Regulation (GDPR), then you’d better start learning now. Even if you’ve never been to Europe you still need to obey this law if you ever use or manage ANY personal data about anybody who lives in the EU.
GDPR will come into force in May 2018, and it’s complicated. If you work for a huge multi-national company with a dedicated information security department they’ve probably been working on this for at least a year so you’re unlikely to have much to worry about.
But what about the rest of us? What do we need to do to be ready for GDPR?
Well, obviously the first step is to understand what we’re being asked to deliver. Unfortunately, most explanations of GDPR are quite complex. It may be difficult to explain GDPR in terms that make sense even to a five-year-old, but it’s not actually impossible. Instead of talking about sharing information, I can illustrate most of the key points by talking about sharing toys.
For anyone who wants to read an explanation in more formal language, I’ve taken all my headings from the UK Information Commissioner’s Office Overview of GDPR. I’ll explain what each of these headings means by using my toy-sharing analogy.
Sometimes you want to share your toys with other children, but sometimes you don’t. That’s fine. You’re allowed to share your toys if you want to, but you don’t have to. You can keep some toys just for yourself. If someone wants to play with your toys then they should ask you first. If you say “yes” they are allowed to play with the toy. Of course, that only counts if you have a real choice. If another child threatens to hit you if you don’t say “yes” then that isn’t fair.
Sometimes other children are allowed to play with your toys without asking. For example, if your friends are waiting in your house for you to come home to play football, it might be okay for them to practice with your football while they’re waiting. Sometimes your parents might give someone permission to play with one of your toys, even though you would rather they didn’t. That might make you feel sad or cross, but the other child wouldn’t be doing anything wrong when they played with the toy.
GDPR says that all processing of personal data must be lawful. The simplest example of lawful processing is when someone gives you permission to process their data, but there are other circumstances that can make your processing lawful, for example if you need to use the data to deliver a service that the customer has bought from you, or if a court of law instructs you to do something with the data.
If you lend a toy to a friend, it’s still your toy. Your friend needs to look after your toy properly and make sure they act fairly to you.
The following are your rights – with your toys and your data.
When someone wants to borrow a toy, they must identify themselves, tell you what toy they’re borrowing, how long they’re going to keep it, and who else they might share it with; and they must be aware that you can ask for the toy back at any time. They should also let you know who you can go to, to complain, if they aren’t being fair.
Similarly, with your data: If you ask a user to share their data with you, you must identify who you are, what data you need, why you need it, how long you will keep it, and who else you might share it with.
If you ask someone which of your toys they’ve borrowed, they must let you know. It might take them a little while to be 100% sure of exactly which toys of yours they’ve got, but they must tell you within one month of you asking. If there’s a really good reason, then it might take up to three months, but they can never take longer than that.
Similarly, with your data: If someone asks your organization what data you have about them, you must respond within one month, or in some circumstances you may have up to three months.
If someone borrows one of your toys they must look after it. If they damage a toy, then you can ask them to fix it and they need to agree to that.
Similarly, with your data: If someone asks you to correct the personal data you have stored about them then you must do so.
You can ask someone to stop using your toy at any time, and they should stop straight away, unless they have a very good reason for carrying on. For example, if they’ve borrowed your bike then they might need to get home first. Bottom line: they shouldn’t keep the toy after you’ve asked them to give it back.
Similarly, with your data: If someone withdraws their consent for you to process their data, or if the data is no longer needed for the purpose for which it was collected, then you must erase the data. Of course you are allowed to keep the data if it’s needed to defend a legal claim or for some other good reason like that.
If you ask someone to stop playing with your toy, you might not want it back straight away. You could let them keep the toy for a while, but not play with it. They still have to look after the toy and make sure it stays safe.
Similarly, with your data: If someone asks you not to use their personal data, then you must not use it any more. This might happen if there is a dispute about your right to use the data, or about the accuracy of the data.
If you ask someone to give your toy back, then you should be able to use it as originally intended when you get it back. For example, it wouldn’t be fair if they borrowed your bike, then took it apart and gave you back a box full of bike parts, would it?
Similarly, with your data: If someone asks for a portable copy of their personal data then you must provide it to them in a commonly used, and machine readable, form.
If you don’t like the way that someone is using your toy, then you can ask them to stop. They must stop straight away, unless there’s a very good reason not to. For example, if they’re using your skipping rope to save someone who is stuck in a river, then they can continue.
Similarly, with your data: If someone objects to how you’re using their personal data, then you must stop processing it, unless you can show compelling reasons why you have to override their rights. If you’re using the data for direct marketing, then there are no exemptions or grounds to refuse.
When you lend your toys, you need to be able to talk to a real person about what they’re doing with them, and why. It’s not right if a computer makes all the decisions without explaining. Let me explain…
Suppose you lend all your toys to a toy library that has a computer in charge of lending and returns, and fining people for losing or damaging toys. The toy library must make sure that you can talk to a person, and not just a computer, if one of your toys gets lost, or if you’re fined unfairly for not returning a toy that you know you’ve returned. You must be able to tell that person what you think is wrong, and they must explain what has happened.
This rule doesn’t always apply. It doesn’t apply if you make a deal with the toy library that allows the computer to make decisions without having to talk to you about them, and it doesn’t apply when there are laws that allow the computer to make decisions. It also doesn’t apply to decisions that don’t have a bad effect on you, for example deciding to close the toy library a few minutes early on a day you didn’t visit, or fining someone else.
Similarly, with your data: If you use automated processing to make decisions that affect people, then you must make sure that they can talk to a human being about the decision and be offered an explanation and an opportunity to challenge the decision.
If somebody borrows your toy, then they might have to show that you gave them permission, and that they looked after it properly. It’s not enough to ask for permission and take good care of the toy; they must be able to prove that they did so.
Organizations need to keep good records, so they can prove that they have lawfully obtained and processed data. It’s not enough to show that you had no breaches and that nobody complained.
If someone breaks a toy that they’ve borrowed, or loses it, then they must tell you within three days. If they just lose it for a few minutes and then find it again, and nothing bad happens to you because of this, then they might not need to tell you. But they must tell you about any serious loss or damage.
They must also tell your parents (the “regulatory authority”). They must explain whose toy it was, what damage was done, what they’re doing to make up for it, and how they’re going to stop it from happening again.
Many organizations will find this requirement to notify the authorities, and the affected people, within 72 hours of a data breach quite difficult. You need a well-designed and rehearsed security incident management process, so that a breach can be detected, assessed and reported within that window. If you get this wrong, then it could be very expensive.
You’re allowed to lend your own toys to other people, but if you’ve borrowed someone else’s toy then you can’t lend it to another person, unless you can be certain that the person you’re lending it to will look after it just like you would.
Personal data can’t be transferred to another organization unless you ensure there are adequate safeguards. There are further specific requirements for data being transferred outside the EU.
Sometimes there are special, local, rules about lending toys. For example, one country might have a law saying you can’t lend toy guns to people. In another country there could be a law saying that the church can borrow religious toys without having to ask for permission.
EU governments can introduce exemptions from some of these rights, but only for specific reasons such as national security or law enforcement.
GDPR is going to have a huge impact on any organization that controls or processes personal data. You not only have to comply with all the requirements, but you must be able to produce records showing that you have. This regulation applies to any organization that offers goods or services to individuals in the EU, even if they are based somewhere completely different.
If you haven’t started planning for GDPR yet then you urgently need to get started. There is a lot of work to do to ensure that you are compliant, and that you can show that you’re compliant. You’ll find there are lots of “GDPR consultants” ready and willing to help you, but do take care to review their experience before taking them on.
Remember, you can’t borrow toys without having permission (or another legitimate reason), and you must look after them properly.
I hope my analogy* clarified a few things. Please do let me know if you have any comments or questions.
* With thanks to Moyn Uddin for the idea of comparing GDPR to lending something physical (https://www.cybercounsel.co.uk/gdpr-in-a-nutshell/).