Data protection Flashcards
Is GDPR a big shift?
Often said GDPR brought complete change to data protection but our UK data protection act wasn’t far from GDPR
Is GDPR strictly binding?
As a regulation it’s directly binding and applicable, but it gives member states flexibility to adjust certain aspects of the regulation
What’s the test for whether data is sensitive?
data which would violate rights or cause serious harm if used to discriminate. Includes racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic/biometric data, health data or data concerning sex life/ sexual orientation.
Which data is in the public interest
Processing necessary for some public interest. Must be (1) interest set out in EU or national law and (2) processing proportionate with that interest. Examples include reporting crimes, taxation and social care.
Who does GDPR apply to?
Anyone who processes data, meaning containing/recording/holding/organisation/combination etc. will be subject to GDPR
Who is data subject
The data subject is the person whose data is being collected.
Who is the data controller
The data controller determines the purpose of the processing.
What’s the main basis for processing data?
Consent, but prescription by law or necessary to perform a contract are also important
‘right to be forgotten’ case
Costeja case
Google Spain v AEPD and Mario Costeja González
It held that an Internet search engine operator is responsible for the processing that it carries out of personal information which appears on web pages published by third parties. In the case, Spanish man filed bankruptcy, 15 years later he discovered that typing his name into google brought up first results of articles about bankruptcy. He argued i.r.l no-one would read a news story 15 years ago and that it was damaging his reputation. The court said there should be a remedy available, as there is a right to be forgotten. This means that google indexing the web qualifies as processing of data.
Right to be forgotten, who performs removal?
Google is the one performing the balancing of interests- should we trust them with this power? Isn’t this an unexpected outcomes of the decision?
Is data protection consistent in EU?
Yes, harmonised by GDPR
What does GDPR call the right to be forgotten
the right to be delisted
Whats personal data?
If you can identify an individual from your information using means reasonably likely to be used, it may be personal data. Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual. - When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual. Just because it is ‘personal data’ for your purposes doesn’t mean that it will be for another data controller
Is pseudonmysed data personal data?
Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
What is data processing?
containing/recording/holding/organisation/combination etc.
What is lawful basis?
Having valid grounds for processing information i.e consent
7 principles of GDPR
a) lawfulness, fairness and transparency
b) purpose limitation
c) data minimisation
d) accuracy
e) storage limitation
f) integrity and confidentiality
g) accountability principle
lawfulness, fairness and transparency
- you must have a lawful basis for processing and not break any other laws with the data
- you mustn’t use the data in a way thats detrimental/misleading/unexpected to data subject.
- you must be open from outset about how you’ll use the data
purpose limitation
Article 5(1)(b) Personal data should collected for specified, explicit, legitimate purposes and not processed in a manner incompatible with those purposes, UNLESS for archiving purposes in the public interest/scientific/ historical research /statistical purposes
data minimisation
Article 5(1)(c). You should only hold the minimum amount of personal data you need to fulfil your purpose.
accuracy
Article 5(1)(d) Personal data should be accurate and up to date. Inaccurate personal data should be erased or rectified without delay.
storage limitation
Article 5(1)(e) says: Personal data shall be kept in form which allows identification of data subjects for no longer than is necessary for the purposes unless stored for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
integrity and confidentiality
You must ensure that you have appropriate security measures in place to protect the personal data you hold. This is the ‘integrity and confidentiality’ principle of the GDPR – also known as the security principle.
accountability principle
The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.
Directives v regulation?
Directives must be transposed into national law while regulations are directly applicable, and usually remove any space for discretion. Regulations are about unification, not harmonization- as the law is then the same everywhere in the EU.
Opt-in vs opt-out
With development of understanding of how internet works, we realise people don’t untick things, it so it became opt-in, not opt-out. It’s called a transactive cost- the effort unticking. A pre-checked form isn’t GDPR compliant. Opt-in systems protect the data subject more, but they mean the data controller collects much less data.
Opt-in vs opt-out makes a huge difference- the way specific information is delivered makes a huge difference.
Why do companies want to collect so much data on consumers?
If we can differentiate between consumers, we can engage in market segmentation and sell to them at different prices. If we know what people are willing to pay we can make more money.
Cambridge Analytica went further as it wasn’t looking at our behaviour as consumers, but at our behaviour as voters.
consent as basis for data processing
consent must be freely given, specific, informed, opt-in and unambiguous. Unlikely to be freely given if power imbalance or if its a condition of service.
consent can be withdrawn at any time
GDPR bans pre-ticked opt-in boxes
GDPR
General Data Protection Regulation (Regulation 2016/679)
Right to erasure
Data subjects are entitled to require a controller to delete their personal data if the continued processing of those data is not justified
Right to data portability
Data subjects have the right to transfer their personal data between controllers (e.g., to move account details from one online platform to another).
How long does consent last
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
What rights do data subjects have
The right to access, right to information, right of rectification, right to erasure, right to object, right not to be subject to automated decision making
right to access
Data subjects have the right to access the data held on them
right to information
right to basic information about purposes for processing data, retention periods and who it will be shared with
right to rectification
Data subjects are entitled to require a controller to rectify any errors in their personal data.
How is data the internet’s currency?
By 2020, the European data economy is predicted to be worth £553million. Many companies monitize data, and trade it as a commodity i.e for apps, advertising and consumer services. GDPR seeks to regulate the new ways data is processed in internet economy.
Think about data flows discussion (UK can’t transfer EU data outwith EU post-brexit if it wants to transfer data to and from EU)
