After two years of GDPR speculation, and a deluge of ‘opt in to stay in touch’ e-mails, the enforcement date has finally arrived; and just like the Y2K conspiracy, the world is still turning! We are aware that everyone is drowning in a sea of GDPR information, so here is a concise summary of the key points.
What is GDPR?
The General Data Protection Regulation is a new EU initiative to better protect the personal information of data subjects. Replacing the Data Protection Act (1998), this legislation will ensure that those in charge of our personal data (data processors and controllers) are held more accountable.
Personal Data – Any information that can be used to identify an individual.
Sensitive Data – This is data that contains one or more of the following:
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data or biometric data related to human characteristics, such as DNA test results, fingerprints, eye and voice recognition (new under GDPR), when used to identify a natural person
- Data concerning health
- Data concerning a natural person’s sexual orientation
What are the 6 processing principles of GDPR?
- Lawfulness, fairness and transparency – Organisations must ensure that the treatment of personal data is lawful and transparent. It is therefore recommended that businesses state their reason for collecting personal data in their privacy policies.
- Purpose limitation – The data must only be utilised for the purpose for which it was collected. It shall not be further processed in any manner misaligned with that purpose.
- Data minimisation – Organisations must only store and utilise personal data that is necessary for their processing purposes.
- Accuracy – The GDPR stipulates that “every reasonable step must be taken to erase or rectify data that is inaccurate or incomplete.” Incomplete data must be erased within 30 days should the data subject request it.
- Retention – Organisations must delete personal data when it is no longer necessary. The timeframe for retention varies between industries and with the reason the data was initially collected.
- Integrity and confidentiality – Personal data must be stored safely to protect against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawful conditions that can be used to justify processing data
It is legal to process personal data so long as the processing satisfies at least one of the conditions set by the GDPR; the condition relied upon must be stated in your firm’s privacy statement. It is important to consider the individual’s rights when deciding which condition to use.
It is the controller’s responsibility to ensure that they can demonstrate that the data is being processed lawfully. In order to go ahead, at least one of the following grounds must be established:
- Consent – The individual has specifically consented to the processing of their data.
- Necessary for performance of a contract – The data is necessary for the performance of a contract with the data subject, or for entering into a contract.
- Legal obligation – The controller is legally obliged to process the data; for example, passing it on to HMRC.
- Vital interests – The firm can prove that it is necessary to process the data subject’s data to protect their vital interests, or someone else’s.
- Public functions – It is necessary to process the data for a task carried out in the public interest.
- Legitimate interests – The data controller or a third party has a legitimate interest in processing the data, but it cannot be at the expense of the rights or freedoms of the individual.
When processing sensitive personal data, the requirements are more stringent. In such cases, the subject’s consent must be explicit. In the absence of explicit consent, the processing of sensitive personal data must be limited, typically to processing that is necessary to comply with employment or social protection law, processing necessary for reasons of public interest, and processing that is necessary to establish, exercise or defend legal claims.
What are an individual’s rights under the GDPR?
- The right to be informed – Individuals are entitled to know about the collection and use of their personal data.
- The right of access – Controllers must provide individuals with access to their personal data should they request it. The data must be provided within one month and free of charge if the request is reasonable.
- The right to rectification – Any errors in an individual’s personal data must be rectified if the data subject requests it. This must also be carried out within a month of receiving the request.
- The right to erasure – Individuals can request the deletion or removal of their data.
- The right to restrict processing – Individuals can block or suppress the processing of their data.
- The right to object – Data subjects are entitled to object to the processing of their personal data. Controllers must make it known that subjects have this right. There must be legitimate grounds for continuing to process data that override the data subject’s objection.
- The rights related to automated decision making, including profiling – Individuals have the right not to be the subject of a decision based solely on automated processing of their data. You must ensure that individuals are able to obtain human intervention, express their point of view, and obtain an explanation of the decision and challenge it.
If you would like to discuss the GDPR further, please get in contact with us via: firstname.lastname@example.org