According to a recent article published by the Independent at least 500 small business owners have admitted that they don’t understand many of the GDPR terms and regulations.
So what is GDPR and what does it do?
General Data Protection Regulation (GDPR) is the new European regulation on personal data protection that came into effect on May 25th this year (2018). In short, companies and organisations will need to take privacy into account when implementing any technology which processes personal data. GDPR is no joke and comes with some hefty penalties if businesses do not comply. What’s more, individuals can sue you for compensation to recover both material damage and non-material damage, like distress.
The two central objectives of GDPR are:
- Giving citizens back control of their personal data and
- Simplifying the regulatory environment for business by unifying the regulation within the EU
GDPR is a huge piece of legislation, and we do recommend that you fully get to grips with it, but to save you from reading all 250 pages right now here are some key terms we think you should know.
Personal Data
This is the broad term for any information related to a ‘Data Subject’ that can be used to directly or indirectly identify the person. Examples of personal data: a name, identification number, location data, physical address, email address, IP address, radio frequency identification tag, photograph, video, voice recording, biometric data (eye retina, fingerprint, etc.), or an online identifier of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person. As with most things, there are some challenges with the collection or publication of personal data, for example:
A single element of data might not be considered personal data in some contexts, but when it is used in conjunction with other elements, it is able to identify a data subject. So not only should you understand the list of elements considered to be personal data, but you should also consider what those elements can reveal once you combine them with other elements. For example, if you have a common name, perhaps one that thousands of people in one country also have, then that name may not be personal data on its own. But if the name is used in conjunction with the name of an employer or an email address, then this is far more likely to lead to the identification of a Data Subject.
So what does this tell us? Whether something is personal data under GDPR depends on the element, the context, and the likelihood that such data leads to the identification of an individual.
Data Subject
When a piece of data relates to an individual, that individual is known as the data subject. A data subject is any person whose personal data is being collected, held or processed. The EU GDPR sets out a set of rules that are meant to help data subjects and enforce their rights against abusive personal data processing.
Data Protection Authority (DPA)
Every country will have its own DPA, a national authority responsible for the protection of data and privacy as well as implementing and enforcing data protection law. In the UK this will still be the UK Information Commissioner. There are a lot of questions regarding GDPR and Brexit, so, if you missed it, the Queen made a speech back in 2017 which announced a new Data Protection Bill to remove any doubt that the UK will implement GDPR so that it continues to be in force after Brexit takes effect.
Who is the Data Controller? This is a person who decides the purpose for which any personal data is to be processed and the way in which it is to be processed. This can be decided by one person alone or jointly with other people. Like the existing Data Protection Act (DPA), the GDPR applies to Data Controllers who process personal data.
Who is a Data Processor? These are third parties that process data on behalf of the Data Controller, and they include IT service providers. Unlike the existing Data Protection Act (DPA), the GDPR introduces specific responsibilities for the Data Processor.
Processing
An automated or manual action performed on personal data, for example collection, organisation or recording. For the processing of personal data to be lawful under the GDPR, businesses must identify a lawful basis for this action.
Profiling
Profiling is automated processing of personal data for evaluation, analysis or prediction. When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place.
Consent
The concept of “consent” is foundational to EU data protection law. In general, the validly obtained consent of the data subject will permit almost any type of processing activity, including Cross-Border Data Transfers.
Data Protection Officer
A Data Protection Officer is someone who is given formal responsibility for data protection compliance within a business. Not every business will need to appoint a data protection officer – you need to do so if:
- Your organisation is a public authority; or
- You carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
- You carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
Biometric Data
Biometric data can be used for all kinds of reasons; some fairly common ones are fingerprint scanning to unlock iPhones and facial recognition software to improve security systems. Biometric data is personal data that has resulted from specific processing related to the physical and behavioural features of a person, which allows or leads to the identification of that person.
Right to be Forgotten
For the first time, the right to be forgotten can be found in the General Data Protection Regulation (GDPR) in addition to the right to erasure. The right to erasure of personal data, or ‘the right to be forgotten’, enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a process which assists organisations in identifying and minimising the privacy risks to individuals, arising from the misuse of their personal information, when undertaking new projects or policies that handle personal data.
Binding Corporate Rules (BCRs)
Binding Corporate Rules (BCRs) are not new; however, they are now in the spotlight due to the new GDPR policy. BCRs have been designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA. Companies must demonstrate that their rules put in place adequate safeguards for protecting personal data throughout the organisation.
What about GDPR outside the EU?
You probably think you know the answer to this, and it seems evident that the EU GDPR only applies to EU countries, right? Think again: GDPR will affect firms both inside and outside of the EU, as any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR. So even if a company does not have a European presence, it will still have to understand the rules of GDPR if it processes an EU resident’s personal data. These restrictions are in place to ensure that the level of protection of individuals is not undermined outside of the EU.