RAYVN and GDPR
In May 2018, a new EU-wide regulation, GDPR (General Data Protection Regulation), went into effect. This new regulation builds upon previous legislation and directives regarding privacy, data protection and information security, but strengthens individuals’ protections and rights in several areas and places clearer duties and accountability on companies handling personal data.
2. Personal data
GDPR applies to personal data, in a wide sense, i.e. any information about, or that can be traced back to, individuals.
Traditional examples of personal data (or ‘personally identifiable information’, PII) are directly identifying data (e.g. name, social security number, phone number, bank account number), but the term also includes anything an individual has authored (e.g. messages, login credentials, written evaluations, program settings, form data), information about an individual (e.g. religious and organizational affiliations) and data that is generated automatically from the individual’s actions (e.g. location data, ad profiling, usage logs including IP addresses).
In other words, the regulation will affect any and all companies even if the data in question is as innocuous as a list of contact information for its employees or customers.
Data that are stored and handled pseudonymously (i.e. information that isn’t directly identifying, for example a candidate number, or data that is ‘hidden’, e.g. by encryption), but that can still be attributed to an individual in combination with data from other sources (such as a separately held key or lookup table) or through patterns inside the information itself, are still personal data. Pseudonymization is nevertheless an appropriate measure for limiting the consequences of a data leak (‘loss of confidentiality’), as long as the additional information needed to re-identify individuals is kept separate and protected.
Only completely anonymous data, decoupled from identity in a non-reversible way, falls outside the scope of the regulation, e.g. statistically aggregated data from a large enough population (so that an individual’s contribution to the aggregate cannot be singled out).
The purpose of the regulation, as RAYVN understands it, is twofold:
- Primarily, GDPR focuses on giving the registered individuals (‘data subjects’) awareness of, insight into, real influence over and ownership of personal data relating to themselves. The means to these ends are laid down as a set of rights the individuals (data subjects) have, as well as responsibilities the handling companies have. More on these topics in sections 4 to 6, below.
- Secondly, GDPR aims to unify data protection legislation across borders (the regulation does not require national governments to ratify it; it is directly binding for all member states of the EU, and will likely be applicable in the entire EEA), thus creating a simplified regulatory environment for companies handling personal data.
4. Roles and Scope
There are several defined roles which affect rights, responsibilities and accountability as they pertain to GDPR:
- Data subject: The registered individuals; the subjects that the personal data concerns.
- Data controller: An organization, typically a company, that decides a) what data will be stored/processed, b) the purpose for which such data is stored/processed and c) the means and methods of the data storage/processing.
The data controller is ultimately responsible for implementing appropriate measures ensuring that the requirements of GDPR are adhered to, both in its own organization and by subcontractors, such that the data subjects can exercise all their rights according to GDPR and such that none of the provisions are violated.
- Data processor: An organization, typically a subcontractor of the data controller, that stores/processes personal data on behalf of and according to the directions of the data controller.
GDPR applies to any data controller or data processor established in the EU, regardless of where the processing itself takes place. It also applies to controllers and processors based outside the EU when they process personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour within the EU.
GDPR grants several rights to individuals (data subjects) regarding storage and processing of, as well as access to, their own personal data:
- Information about registration: Data subjects must be able to get information about the terms of the storage/processing of their own personal data, e.g. what kind of data is being stored/processed, for what purpose, for how long, etc.
- Access to data: Data subjects must be able to access and review their own personal data (with some exceptions).
- Rectification of data: There must exist a process for data subjects to be able to notify the controller about incorrect/incomplete data and/or, whenever appropriate, to be able to correct and/or complete their own personal data.
- Restriction of storage/processing of data: Data subjects must at any time be able to object to the storage/processing of their own personal data, to withdraw consent they have previously given (as easily as it was given), and to request that processing be restricted while, for example, a rectification request or an objection is being assessed.
- Erasure of data: There must exist a process for data subjects to be able to request erasure of their own personal data and for the request to be considered and handled within a reasonable time frame.
- Portability of data: Data subjects must be able to export the personal data they have provided to the controller (where processing is based on consent or contract and carried out by automated means) in a structured, commonly used and machine-readable format, so that they can bring their data to a different provider without hindrance by the data controller.
The main responsibilities of data controllers are as follows:
- Ensuring that functionality and processes are available to data subjects in accordance with their rights as stipulated by the GDPR, cf. section 5. This includes the liability of being able to demonstrate compliance even if processing activities are being carried out by a data processor on behalf of the controller.
- Ensuring that there exists a legal basis for all storage and processing of personal data before such data is handled by the data controller or any data processor(s). Unless such a basis can be established on other grounds (e.g. a legal obligation, performance of a contract with the data subject, or the controller’s legitimate interests where these are not overridden by the data subject’s rights), the data subject must consent to the processing before storage/processing of the subject’s data can commence.
For the data subject’s consent to be a valid legal basis, the consent must be a) freely given and unambiguous, expressed through a clear affirmative action (pre-ticked boxes, silence or inactivity do not count), b) informed (in clear, plain language that is not hidden or obscured in any way, physically or semantically, e.g. inside a large body of text like a T&C document or EULA) and c) specific (given for a stated purpose, or set of purposes, and for a given time period). Processing of special categories of data (e.g. health, religion, political opinions) additionally requires explicit consent. Once the conditions of the consent are no longer met, or the consent is withdrawn, the legal basis is voided and processing of the data must stop.
- Evaluating the need for a Data Protection Officer (DPO), which may be required or recommended depending on a number of situational factors, e.g. whether the controller is regularly and systematically monitoring data subjects – or if the controller is handling large volumes of sensitive personal data.
A DPO is expected to have knowledge both of data protection legislation and of information security, such that the person is able to contribute to routines and processes, risk assessments/mitigation (including ‘data protection impact assessments’, DPIAs), security/privacy inquiries, incident response/handling and other considerations and measures that are necessary for effective and compliant storage and processing of personal data.
Typical DPO responsibilities involve being an internal advisor and auditor/’regulator’, suggesting measures to ensure compliance, communicating with Data Protection Authorities (DPAs), e.g. about high-risk operations, and answering external questions regarding privacy, security and data.
- Maintaining and implementing routines for handling data breaches, including pro-actively reporting incidents to the relevant DPA (or supervisory authority) without undue delay, and where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the affected individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. Breaches, including those not reported, must be documented internally so that compliance can be demonstrated.
Data processors have an independent duty to notify the data controller of any personal data breach without undue delay after becoming aware of it, cf. section 4, regardless of the service’s terms/agreement(s) with the data controller; the controller then handles reporting to the DPA and to the affected individuals.
- Ensuring that personal data covered by the GDPR is not transferred to, stored or processed in geographic locations outside the EEA unless an equivalent level of data protection is guaranteed, e.g. through an EU adequacy decision for the destination country or appropriate safeguards such as standard contractual clauses or binding corporate rules.
- Ensuring that there are routines and a culture for considering data protection as an integral part of business and development processes for products and services, such that personal data are only stored/processed when necessary (according to the stated purposes and time frames) and that default settings and assumptions ensure a high level of privacy (which an individual can opt out of – instead of the other way around).
In some cases, an individual’s rights or interests may be in opposition to the legitimate interests of a data controller or other parties (employers, national governments, etc.). This document only gives an overview of the basic rights and responsibilities put forth by the GDPR, as currently understood by RAYVN. As such, a detailed discussion of exceptions, borderline cases and legal precedents is outside the scope of this document.
8. Changes to This Policy
Your continued use of our services, after the changes take effect, will be regarded as your acceptance of the changes. Consequently, if you do not agree to the changes, we will unfortunately have to require you to stop using our services before the changes take effect. We hope you appreciate that this is a requirement that is necessary for us to deliver consistent services, under the same rules, to everyone.
9. How to Contact Us