- Contact DPO Centre
- 0203 797 1289
- hello@dpocentre.com
App & Gaming Developers: win user trust; protect their data
November 14, 2018
Why you should ‘steal’ card fraud protection guidelines
November 30, 2018
In the last 20 years, the collection and processing of data has grown exponentially. The practice has been undertaken by businesses worldwide, in order to help improve efficiency, gain insight and understanding and increase profits. The General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).... (GDPR) is aimed at bringing EU data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of Personal Data.... up to speed with the changes that have occurred in the 20+ years since the 1995 Data Protection Directive (95/46/EC) was passed.
The GDPR has been enacted into UK law – with slight amendments (known as derogations) provided for within the Regulation – via the Data Protection Act 2018The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK (and supersedes the Data Protection Act 1998)...., which replaced the UK the Data Protection Act 1998.
Who does GDPR apply to?
Data controllers– The person or organisation who, solely or jointly, determines the purpose and means of processing personal dataInformation which relates to an identified or identifiable natural person.....
Data processors– Third-party individual or organisation who processes data on behalf of the Data ControllerAn entity (such as an organisation) which determines the purposes and means of the processing of personal data.... e.g. an accountancy company running the Data Controller’s payroll.
Data Controllers are responsible for ensuring that the Data Processor processes the data lawfullyIn data protection terms, it must satisfy one of the appropriate lawful basis for processing and must not contravene any other statutory or common law obligations.....
What are the principles of the GDPR regulation?
Article 5 of the GDPR sets out the 7 key principles of the GDPR:
- Lawfulness, fairness and transparency
- There must be a lawful basis for collecting and using personal data.
- Data must not be processed in a way that is unduly detrimental, unexpected or misleading to the individual concerned
- Companies must be clear and honest about how they will use personal data
- Purpose limitation
- The purpose of data processing must clearly be specified
- Personal data can only be used for a new purpose if compatible with the original purpose of processingA specified, explicit and legitimate rationale for the processing of personal data...., new consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed.... is gained, or there is a clear legal basis
- Data minimisation
- Only the minimum amount of data needed to fulfil the purpose of the data processing should be identified and stored
- AccuracyIn data protection terms, the concept of ensuring data is not incorrect or misleading....
- Reasonable steps should be taken to ensure incorrect data is erased or corrected as soon as possible
- Storage limitation
- Data should only be stored for as long as it is needed and is justifiable
- Integrity and confidentiality
- There must be appropriate securityAppropriate technical and organisational measures ensuring a level of security appropriate to the risks faced.... measures in place to protect the data held
- Accountability
- Data controllers or processors must take responsibility for how they handle personal data and comply with the above principles
- Records must be created and retained, so as to enable a company to demonstrate their compliance
What is the Scope of the GDPR?
Increased Territorial Scope–The GDPR clarifies that companies not established within the EU are subject to the GDPR if their activities relate to offering goods and/or services to EU residents or monitoring their behaviour. Those falling into this category must now appoint a representative within the EU.
Increased Data Scope– The widened definition of what constitutes ‘personal data’ within GDPR means that more information is included in its remit, including for example IP addresses and website cookiesData which tracks a visitor’s movement on a website and remembers their behaviour and preferences..... Furthermore, the widened definition of ‘special category’ means that more data is subject to stricter controls e.g. ethnic origin, religious beliefs, genetic and bio-metric data and political views.
Penalties – GDPR now provides for penalties to be handed down for infringements, with the maximum penalty being 4% of annual worldwide turnover or €20 million, whichever is greater.
Consent– The request for consent to processA series of actions or steps taken in order to achieve a particular end.... personal data must be clear and distinguishable from other matters, with details given of the purpose of the processing. Consent must be as easy to withdraw as it was to give.
Data Protection Officers– DPOs must be appointed by controllers or processors whose data processing consists of large scale monitoring of data subjects; of special categories of data; data relating to criminal convictions or offences.
Data Subjects’ RightsUnder UK data protection regulation, data subjects have a number of rights available to them – to be informed, access, rectification, erasure, restrict processing, data portability, to object and further rights in relation to automated decision making and profiling.... – Data subjects now have the right to have their data erased (the right to be forgotten), the right to see what their data is being used for and by whom (right to access) and the right to receive the personal data held regarding them and to transmit the data to another controller (right to data portability).
Breach Notification– Data Controllers must notify the supervisory authorityAn authority established by its member state to supervise the compliance of data protection regulation.... of any data breaches that are likely to ‘result in a risk for the rights and freedoms of individuals’ within 72 hours of the breach being identified. Data Controllers are subject to obligations to notify their customers of a breach.
Summary
In summary, the GDPR insists on transparency and honesty from companies allowing individuals to be more informed, as well as giving individuals increased control over what happens to their personal data. This does depend on organisations taking the necessary steps to comply with the regulation. However, with supervisory bodies able to impose heavy fines, this should encourage compliance and allow individuals to benefit from the GDPR.
If you would like some help with your GDPR compliance, please contact us.
