The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. GDPR provides a single law for data privacy and protection for personal data for all EU residents. Any organization either within or outside the EU that collects or processes personal information about EU residents is subject to the GDPR. As a reference, the official regulation may be read here: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
The law identifies three different participants in the handling of personal data – the data subject (natural person), the data controller (those collecting personal information for some purpose) and data processors (organizations who process personal information on behalf of data controllers). Personal data is considered to be the property only of the data subject, not of the data controller or a data processor.
Under the GDPR, personal data is defined as any information that can be used to directly or indirectly identify a natural person, which might include an IP address, a name, email address, health records, etc. The inclusion of data that might be indirectly associated with an individual is an expansion of the scope of personal data from preceding legislation, and may be a complicating factor in achieving compliance. Importantly, there is no distinction between personal data in the private, public or work lives of data subjects.
Rights of Data Subjects
The law provides for a number of rights for data subjects with respect to personal information. These include:
- The right to data correction
- The right to access and be informed of all pieces of information that the data controller or processor has in its possession
- The right to be informed and consulted on the collection or processing of personal information
- The right to be forgotten
- The right to be notified of endangerment of personal information
- The right to data portability
- Privacy by default
Enforcement & Penalties
Organizations that collect or process personal information are accountable for respecting these rights. Penalties for failing to comply with the law are severe – up to the higher of 4% of an organization's global revenue, or €20M.
Responsibilities of Data Controllers & Data Processors
Both data controllers (who collect personal data) and data processors (who handle or process data on behalf of data controllers) are accountable for ensuring the protection of personal data and the rights of data subjects. To achieve compliance with the GDPR, these organizations must demonstrate a lawful basis for collecting and processing personal information.
As defined in Article 6, these include:
- consent by the data subject
- the collection and processing of personal information is required for the execution of a contract
- there is a legal obligation to collect or process personal information
- it is in the vital interest of the person to collect or process the personal information
- processing of personal information is necessary to perform a task in an official function or in the public interest, where there is a clear basis in law
- there is a legitimate interest in collecting or processing personal information which is not overridden by the rights of the data subject
- in addition to a lawful basis, responsible security, in keeping with the state of the industry and “appropriate to the risk” to the personal information (a security-of-processing obligation under Article 32, separate from the Article 6 lawful bases).
This might include:
- the pseudonymization and/or encryption of personal data.
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data.
- the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident.
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- transparency and visibility for how personal information is handled
- recourse for data subjects.
Public authorities, and controllers or processors whose core activities involve “regular and systematic monitoring of data subjects on a large scale” or the collection of “special categories of personal data”, will be required to appoint a Data Protection Officer.
Relevance to EHSQ Applications
Many applications employed for the management of environment, quality, and (particularly) health & safety, will require the collection and handling of personal data. For each application, here are some steps that may be required:
- Determine the lawful basis for the collection and processing of personal data. For many organizations, the personal information will be of their employees, in which case, the lawful basis may be provided through legitimate interest (e.g. safety of their employees, or of their customers) or legal obligation (e.g. regulatory reporting of occupational injuries or emissions).
- Conduct a Data Protection Impact Assessment (DPIA), which describes the processing, assesses its necessity and proportionality, and helps manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data. DPIAs are important tools for accountability, as they help controllers not only comply with the requirements of the GDPR, but also demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also Article 24). In other words, a DPIA is a process for building and demonstrating compliance. More information about DPIAs is available from the official working group (WP29) on the GDPR here: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711
- Establish mechanisms that protect all rights of the data subjects. This may include the designation of a Data Protection Officer, who acts in the interest of data subjects.
- Prepare and publish materials that communicate the purpose and nature of processing, the policies for retention, and the recourse available to data subjects.
- Ensure that all steps in the collection and processing of personal data respect the principles of the GDPR and that this compliance can be demonstrated.
Considerations for EHSQ SaaS Applications
SaaS applications almost invariably include the participation of a third party in the processing of personal information, which under the GDPR will be a data processor. It is the responsibility of the data controller to ensure that any data processor handling personal information has been assessed and is appropriate for the nature of the personal data to be collected. This must include contractual provisions for the protection of personal data, and may include assessing any cross-border data flows and the presence of comparable legal protections for personal data if processing occurs outside of the EU.
Intelex EHSQ SaaS & GDPR
Intelex provides a wide range of solutions for Environment, Health & Safety, and Quality management. To learn more about how Intelex is achieving GDPR compliance, please visit https://community.intelex.com/library/knowledgebase/technical-documents/gdpr-roadmap-compliance-20180314.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. L 119/1.
- Article 29 Working Party. Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, 17/EN WP 248 rev. 01. 4 October 2017.