Data protection Flashcards

1
Q

Is GDPR a big shift?

A

It is often said that GDPR brought a complete change to data protection, but the UK Data Protection Act wasn’t far from GDPR.

2
Q

Is GDPR strictly binding?

A

As a regulation it’s directly binding and applicable, but it gives member states flexibility to adjust certain aspects of the regulation.

3
Q

What’s the test for whether data is sensitive?

A

Data which would violate rights or cause serious harm if used to discriminate. Includes racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic/biometric data, health data, or data concerning sex life/sexual orientation.

4
Q

Which data is in the public interest?

A

Processing necessary for some public interest. The interest must be (1) set out in EU or national law, and (2) the processing must be proportionate to that interest. Examples include reporting crimes, taxation and social care.

5
Q

Who does GDPR apply to?

A

Anyone who processes data (containing, recording, holding, organising, combining, etc.) will be subject to GDPR.

6
Q

Who is the data subject?

A

The data subject is the person whose data is being collected.

7
Q

Who is the data controller?

A

The data controller determines the purpose of the processing.

8
Q

What’s the main basis for processing data?

A

Consent, but prescription by law or necessity to perform a contract are also important.

9
Q

‘Right to be forgotten’ case

A

Costeja case
Google Spain v AEPD and Mario Costeja González
It held that an Internet search engine operator is responsible for the processing that it carries out of personal information which appears on web pages published by third parties. In the case, a Spanish man filed for bankruptcy; 15 years later he discovered that typing his name into Google brought up, as the first results, articles about the bankruptcy. He argued that in real life no-one would read a news story from 15 years ago and that it was damaging his reputation. The court said there should be a remedy available, as there is a right to be forgotten. This means that Google indexing the web qualifies as processing of data.

10
Q

Right to be forgotten, who performs removal?

A

Google is the one performing the balancing of interests. Should we trust them with this power? Isn’t this an unexpected outcome of the decision?

11
Q

Is data protection consistent in the EU?

A

Yes, harmonised by GDPR.

12
Q

What does GDPR call the right to be forgotten?

A

The right to be delisted.

13
Q

What’s personal data?

A

If you can identify an individual from your information using means reasonably likely to be used, it may be personal data. Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual. When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it, and the likely impact or effect of that processing on the individual. Just because it is ‘personal data’ for your purposes doesn’t mean that it will be for another data controller.

14
Q

Is pseudonymised data personal data?

A

Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.

15
Q

What is data processing?

A

Containing, recording, holding, organising, combining, etc.

16
Q

What is a lawful basis?

A

Having valid grounds for processing information, i.e. consent.

17
Q

7 principles of GDPR

A

a) lawfulness, fairness and transparency
b) purpose limitation
c) data minimisation
d) accuracy
e) storage limitation
f) integrity and confidentiality
g) accountability principle

18
Q

lawfulness, fairness and transparency

A
  • you must have a lawful basis for processing and not break any other laws with the data
  • you mustn’t use the data in a way that’s detrimental, misleading or unexpected to the data subject
  • you must be open from the outset about how you’ll use the data
19
Q

purpose limitation

A

Article 5(1)(b): Personal data should be collected for specified, explicit, legitimate purposes and not processed in a manner incompatible with those purposes, UNLESS for archiving purposes in the public interest, scientific or historical research, or statistical purposes.

20
Q

data minimisation

A

Article 5(1)(c). You should only hold the minimum amount of personal data you need to fulfil your purpose.

21
Q

accuracy

A

Article 5(1)(d) Personal data should be accurate and up to date. Inaccurate personal data should be erased or rectified without delay.

22
Q

storage limitation

A

Article 5(1)(e) says: Personal data shall be kept in a form which allows identification of data subjects for no longer than is necessary for the purposes, unless stored for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

23
Q

integrity and confidentiality

A

You must ensure that you have appropriate security measures in place to protect the personal data you hold. This is the ‘integrity and confidentiality’ principle of the GDPR – also known as the security principle.

24
Q

accountability principle

A

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.

25
Q

Directives v regulations?

A

Directives must be transposed into national law, while regulations are directly applicable and usually remove any space for discretion. Regulations are about unification, not harmonisation, as the law is then the same everywhere in the EU.

26
Q

Opt-in vs opt-out

A

With the development of our understanding of how the internet works, we realised that people don’t untick things, so it became opt-in, not opt-out. The effort of unticking is called a transaction cost. A pre-checked form isn’t GDPR compliant. Opt-in systems protect the data subject more, but they mean the data controller collects much less data.
Opt-in vs opt-out makes a huge difference; so does the way specific information is delivered.

27
Q

Why do companies want to collect so much data on consumers?

A

If we can differentiate between consumers, we can engage in market segmentation and sell to them at different prices. If we know what people are willing to pay, we can make more money.
Cambridge Analytica went further as it wasn’t looking at our behaviour as consumers, but at our behaviour as voters.

28
Q

Consent as a basis for data processing

A

Consent must be freely given, specific, informed, opt-in and unambiguous. It is unlikely to be freely given if there is a power imbalance or if it is a condition of service.
Consent can be withdrawn at any time.
GDPR bans pre-ticked opt-in boxes.

29
Q

GDPR

A

General Data Protection Regulation (Regulation 2016/679)

30
Q

Right to erasure

A

Data subjects are entitled to require a controller to delete their personal data if the continued processing of those data is not justified.

31
Q

Right to data portability

A

Data subjects have the right to transfer their personal data between controllers (e.g., to move account details from one online platform to another).

32
Q

How long does consent last?

A

There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

33
Q

What rights do data subjects have?

A

The right to access, right to information, right of rectification, right to erasure, right to object, and right not to be subject to automated decision-making.

34
Q

right to access

A

Data subjects have the right to access the data held on them.

35
Q

right to information

A

The right to basic information about the purposes for processing data, retention periods, and who it will be shared with.

36
Q

right to rectification

A

Data subjects are entitled to require a controller to rectify any errors in their personal data.

37
Q

How is data the internet’s currency?

A

By 2020, the European data economy is predicted to be worth £553 million. Many companies monetise data and trade it as a commodity, i.e. for apps, advertising and consumer services. GDPR seeks to regulate the new ways data is processed in the internet economy.
Think about the data flows discussion (the UK can’t transfer EU data outside the EU post-Brexit if it wants to transfer data to and from the EU).