In the last 20 years, the collection and processing of data has grown exponentially. The practice has been undertaken by businesses worldwide in order to help improve efficiency, gain insight and understanding, and increase profits. The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) (GDPR) is aimed at bringing EU data protection law up to speed with the changes that have occurred in the 20+ years since the 1995 Data Protection Directive (95/46/EC) was passed.
The GDPR has applied in the UK since 25 May 2018 alongside the Data Protection Act 2018, which exercises the slight amendments (known as derogations) that the Regulation allows member states to make, supplements it with UK-specific provisions, and replaced the Data Protection Act 1998.
Data controllers – The person or organisation which, alone or jointly with others, determines the purposes and means of processing personal data (information relating to an identified or identifiable natural person).
Data processors – A third-party individual or organisation which processes personal data on behalf of the data controller, e.g. an accountancy company running the data controller’s payroll.
Data controllers are responsible for ensuring that their data processors process the data lawfully, that is, on one of the lawful bases the GDPR provides and without contravening any other statutory or common law obligation. Under Article 28 a controller may only use processors that provide sufficient guarantees of compliance and must bind them by a written contract setting out the subject matter, duration, nature and purpose of the processing; processors also carry direct obligations of their own, such as keeping records of processing and reporting breaches to the controller.
Article 5 of the GDPR sets out its seven key principles:
1. Lawfulness, fairness and transparency – organisations must identify and document a lawful basis for collecting and using personal data, must not process it in a way that is unduly detrimental, unexpected or misleading to data subjects, and must be clear and honest about how they use it.
2. Purpose limitation – personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a way that is incompatible with those purposes.
3. Data minimisation – only the personal data that is adequate, relevant and necessary for each purpose may be collected.
4. Accuracy – personal data must be accurate and, where necessary, kept up to date; inaccurate or misleading data must be erased or rectified without delay.
5. Storage limitation – personal data may be kept in a form that identifies individuals only for as long as it is needed for the purposes for which it is processed.
6. Integrity and confidentiality – also known as the security principle: organisations must implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
7. Accountability – perhaps the most important principle: the controller is responsible for complying with the other principles and must be able to demonstrate that compliance, for example through documented policies, records of processing activities and data protection impact assessments.
Increased Territorial Scope – The GDPR makes clear that organisations not established in the EU are subject to it if their activities relate to offering goods or services to individuals in the EU (whether or not payment is required) or to monitoring the behaviour of individuals within the EU (Article 3). Such organisations must designate a representative in the EU (Article 27), unless their processing is only occasional, does not involve special category or criminal offence data on a large scale and is unlikely to pose a risk to individuals, or they are a public authority or body.
Increased Data Scope – The widened definition of ‘personal data’ means that more information falls within the GDPR’s remit, including online identifiers such as IP addresses and cookie identifiers where they can be linked to an individual. The ‘special category’ data that attracts stricter controls (Article 9) is also widened: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person’s sex life or sexual orientation.
Penalties – The GDPR provides for administrative fines in two tiers (Article 83): up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for infringements such as failing to keep records, secure data or notify breaches; and up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for infringements of the basic principles, data subjects’ rights or the rules on international transfers.
Consent – A request for consent to process personal data must be presented clearly and separately from other matters, in plain language, and must state the purposes of the processing. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so silence, pre-ticked boxes or inactivity do not count (Article 7 and Recital 32). It must be as easy to withdraw as it was to give, and the controller must be able to demonstrate that it was obtained.
Data Protection Officers – A DPO must be appointed by public authorities and bodies, and by controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special category data or data relating to criminal convictions and offences (Article 37). The DPO must be able to act independently, must report to the highest level of management, and is the point of contact for data subjects and for the supervisory authority.
Data Subjects’ Rights – Data subjects have the right to have their data erased in certain circumstances (the right to be forgotten, Article 17); the right to obtain confirmation that their data is being processed and a copy of it, together with details of the purposes, recipients and retention period (right of access, Article 15); and the right to receive the personal data they have provided in a structured, commonly used and machine-readable format and to transmit it to another controller (right to data portability, Article 20). They also have rights to rectification, to restriction of processing, to object, and not to be subject to decisions based solely on automated processing that have legal or similarly significant effects. Requests must normally be answered within one month, extendable by two further months for complex or numerous requests (Article 12).
Breach Notification – Data controllers must notify the supervisory authority (the body established by each member state to supervise compliance with data protection law) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33); a notification made after 72 hours must be accompanied by reasons for the delay. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay (Article 34). Processors must notify the controller without undue delay after becoming aware of a breach, and every breach must be documented internally whether or not it is reported.
In summary, the GDPR insists on transparency and honesty from organisations, allowing individuals to be better informed and giving them greater control over what happens to their personal data. This depends on organisations taking the necessary steps to comply with the Regulation; with supervisory authorities able to impose heavy fines, however, compliance is strongly encouraged, and individuals should benefit accordingly.
If you would like some help with your GDPR compliance, please contact us.