GDPR

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (EU) 2016/679, or GDPR, is a piece of legislation that applies to those who have day-to-day responsibilities for data protection.

It is the successor to the Data Protection Act.

What is Personal Data?

Personal data means data which relate to a living individual who can be identified

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Data Controllers and Subjects

Data controller: a person who (either alone or jointly) determines the purposes and means of processing personal data.

Data subject: an individual who is the subject of the data.

Implications of GDPR

Under the GDPR, every company that stores and processes personal data must ensure the data is:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (individuals)

  2. collected for the specified, declared purpose

  3. adequate, relevant and limited to what is necessary; accurate and, where necessary, kept up to date

  4. kept for no longer than is necessary for the purposes required

  5. held securely

Your rights under the legislation

Although not assessed as part of the course, the Information Commissioner's Office lists the following rights for individuals:

  1. The right to be informed

  2. The right of access

  3. The right to rectification

  4. The right to erasure

  5. The right to restrict processing

  6. The right to data portability

  7. The right to object

  8. Rights in relation to automated decision making and profiling.

Right 1 - Your right to be informed

You have to be informed that data is being stored about you.

Companies are therefore obliged to provide a privacy notice, sometimes called ‘fair processing information’.

This may also include some details such as:

  • Identity and contact details of the controller

  • Purpose of the information

  • Any recipient or categories of recipients of the personal data

  • Right to withdraw consent/lodge a complaint

Right 2 - Right of Access

This right states that you have the right to access the data that is held on you.

The organisation must provide the information free of charge, unless the request is unfounded or excessive/repetitive.

Your data must be provided within a month (or two months if excessive).

Right 3 - Right to rectification

You are entitled to have your personal data rectified if it is inaccurate or incomplete.

If the company has disclosed your information to others, they must contact these recipients, unless this is impossible or involves a disproportionate effort.

Right 4 - Right to Erasure

Also known as the “right to be forgotten”, although this is not an absolute ‘right to be forgotten’. You have a right to have personal data about you erased and to prevent processing in specific circumstances (some are detailed below):

  • Where the data is no longer necessary in relation to the purpose for which it was originally collected/processed.

  • When the individual withdraws consent.

  • When the individual objects to the processing and there is no legitimate interest for continuing the processing.

  • The data was unlawfully processed (i.e. otherwise in breach of the GDPR).

  • The data has to be erased in order to comply with a legal obligation.

Right 5 - The Right to Restrict Processing

You have a right to ‘block’ or put an end to processing of personal data.

When processing is restricted, the organisation is permitted to store your personal data, but not further process it.

Right 6 - The right to data portability

The right to data portability allows you to obtain and reuse your own personal data for your own purposes across different services.

This means that you are allowed to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. Some organisations in the UK already offer data portability.

It can allow you to take advantage of applications and services that use this data to find you a better deal or help you understand your spending habits, such as data usage on mobile phones or the number of calls you make, to assist you when choosing a new tariff.

Right 7 - The Right to Object

You have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);

  • direct marketing (including profiling); and

  • processing for purposes of scientific/historical research and statistics.

Right 8 - Rights in relation to automated decision making

The GDPR has provisions on:

  • automated individual decision-making (making a decision solely by automated means without any human involvement)

  • profiling (automated processing of personal data to evaluate certain things about an individual).

  • Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.

Exceptions

There are some exceptions to the transparency that is offered by the GDPR and some are listed below:

  • national security/defence

  • public security

  • the prevention, investigation, detection or prosecution of criminal offences

  • economic interests, including budgetary and taxation, public health and security

  • judicial independence and proceedings

  • breaches of ethics in regulated professions

  • the protection of the individual, or the rights and freedoms of others; or

  • the enforcement of civil law matters

Data Breaches

What if there is a data breach?

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant authority.

They must do this within 72 hours (of becoming aware of the breach, where feasible). Depending on the breach, this may require data subjects to be notified immediately.

The organisation should ensure they keep a record of any data breaches, regardless of whether they are required to notify.

Penalties

Under the GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater).

For less serious non-compliance, the maximum fine is €10 million or 2% of group worldwide turnover.