How to analyse data protection laws

Step by step guide to personal data, data controllers and lawful processing
1.2
The first step is to work out whether the data that is being processed is actually personal data. This definition is set out in the GDPR and breaks into four components. “Any information”: this is very wide and will cover any and all data. “Relating to”: this means more than information provided by a person, and can include, for example, comments about a person in an email. “An identified or identifiable”: this covers online identifiers such as IP addresses, as you may be able to identify a person from their IP address. “Natural person”: deceased people and organizations such as companies, which have legal personality but are not natural persons, are out of scope.
53.1
Much of the data we use in cyberspace and in our daily lives will constitute personal data. You can see some of the types of data which will be personal data in the left-hand column. But this is a very small subset of personal data. Note in particular that data collected about your browsing behavior online will constitute personal data. Data which has been truly anonymized, so that it does not identify a person, will not be personal data. In practice, it is very difficult to fully anonymize personal data once it has been collected. The next step is to identify who is the data controller of the personal data.
97.4
This is the organization, for example, a company, a charity or club, a local council, which determines how the personal data will be processed. For example, an employer determines how data about its employees are used. In practice, most organizations, no matter how small, are data controllers. The GDPR does not apply to natural persons in the course of a purely personal or household activity. But small businesses are subject to the GDPR in the same way as large companies. Data processors: these process personal data on behalf of controllers. In practice, this will be companies that offer payroll services and payment services. They don’t specify to whom and how much an employee or customer has paid, but provide the service for that to happen.
154.1
In cyberspace, a large amount of data is held on the cloud. So providers who provide services to access and use the cloud will be data processors, for example, Amazon Web Services. Data subject is the term that the GDPR uses to define the individual to whom the personal data relates. We will look at the rights given to data subjects later on this week. Processing is very widely defined, and will include any type of operation on personal data, whether collecting it, organizing it, or even simply storing it. This slide shows the relationships. The individual, the data subject, provides personal data to the data controller, who determines how the data is processed.
204
The data processor will also have access to and use this data, but only on the instructions of the controller. Once you have established where the personal data is being processed and who the data controller is, you then need to determine the lawful basis of that processing. That is, you can’t process personal data unless you have a lawful basis as set out in the GDPR. This is the most fundamental part of the GDPR. To have a lawful basis, you need to know what personal data you hold and why you are holding it. This is not straightforward with a huge amount of digital data that is processed.
245.8
Article 6 of the GDPR sets out the different types of lawful basis that a controller can rely on. You only need to have one lawful basis. The key ones are consent, consent of the data subject. This means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data. Put simply, this means that the data subject has to affirmatively agree, to opt in, as opposed to opting out or consent being assumed. The processing is necessary for the performance of the contract.
298.7
This will be the basis on which many online retailers will process your data when you have bought goods online. The processing is necessary for the purposes of the legitimate interests of the data controller or a third party. This is not a catch-all permission and is subject to a balancing test, as the controller cannot use this basis where the legitimate interests of the controller are overridden by the interests and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child. You can see on this slide how consent works in action. You cannot pre-tick for consent. This would not meet the standard for affirmative action by the data subject.
352.3
The data subject needs to opt in, as in the left-hand box, to give their consent by deliberate action. It’s this definition of consent which is the reason why you received many emails before GDPR came into force in May 2018, requesting you to actively agree to continue receiving emails. Not all personal data is the same. The GDPR recognizes that some data carries higher risk if the data was to be misused or lost. This is called special category data; it used to be called sensitive data. The types of special category data are set out in the slide. Note that it includes biometric data, which will be highly relevant when we’re considering tracing apps in the current COVID pandemic.
405.9
With special category data, not only must the data controller have a lawful basis for processing the data, but you must also come within one of the permitted exemptions for processing this type of data. These are set out in Article 9(2) of GDPR, and include the explicit consent of the data subject. How you achieve that in cyberspace can present some practical problems. You will now move on to a short quiz to test your understanding of this topic so far.
This article is from the free online

The Laws of Digital Data, Content and Artificial Intelligence (AI)

Created by
FutureLearn - Learning For Life