General Data Protection Regulation
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also governs the transfer of personal data outside the EU and EEA. It became applicable on 25 May 2018, replacing the Data Protection Directive 95/46/EC, and is the primary law regulating how organisations protect the personal data of individuals in the EU. The purpose of GDPR is to provide a single set of standardised data protection rules across all member states. This should make it easier for individuals to understand how their data is being used, and to raise complaints, even when they are not in the country where the organisation processing their data is located.
Data protection laws ensure that:
I. Personal information is only gathered for a specific purpose;
II. The individual (data subject) about whom information is obtained knows that you are gathering and storing information about him or her;
III. The personal information is used only for the purpose for which it was obtained;
IV. The personal information is not passed on to third parties without a lawful basis, such as the individual's consent;
V. The individuals have access to the personal information retained about them;
VI. The use of, and access to, personal information is controlled.
The Nine Principles of 'Good Information Handling'
The data controller shall ensure that:
- Personal data is processed lawfully, fairly and transparently;
- Personal data is always processed in accordance with good practice and protected by appropriate security (integrity and confidentiality);
- Personal data is only collected for specific, explicitly stated and legitimate purposes (purpose limitation);
- Personal data is not processed for any purpose that is incompatible with that for which it was collected;
- Personal data that is processed is adequate and relevant in relation to the purposes of the processing;
- No more personal data is processed than is necessary for the purposes of the processing (data minimisation);
- Personal data that is processed is correct, accurate and, where necessary, kept up to date;
- All reasonable measures are taken to complete, correct, block or erase data that is incomplete or incorrect, having regard to the purposes for which it is processed (accountability);
- Personal data is not kept for longer than is necessary for the purposes for which it is processed (storage limitation).
Data Protection Terminology
Who is the Data Controller?
In GDPR and other privacy laws, the data controller has the most responsibility when it comes to protecting the privacy and rights of the data subject (for example, the user of a website). In simple terms, the data controller controls the purposes and procedures of data usage.
The data controller determines the purposes for which, and the manner in which, personal data is processed. It can do this either on its own or jointly with other organisations. This means that the data controller exercises overall control over the 'why' and the 'how' of a data processing activity.
Who is the Data Processor?
The data processor is a person or organisation that processes personal data on behalf of, and as instructed by, a data controller, as part of specific purposes and services offered to the controller that involve personal data processing (for example, a third party providing outsourced payroll, which processes the controller's employee wage data on its behalf).
What is Personal Data?
Personal data means any information relating to an identified or identifiable living individual, the data subject.
Who is a data subject?
The term 'data subject' refers to any living individual whose personal data is collected, held or processed by an organisation. Personal data is any data that can be used, directly or indirectly, to identify an individual (for example, a name, home address or credit card number).
What are the rights of data subjects?
There are eight fundamental rights under GDPR.
I. Right of Access to Personal Data (Article 15)
II. Right to Rectification (Article 16)
III. Right to Erasure / Right to be Forgotten (Article 17)
IV. Right to Restriction of Processing (Article 18)
V. Right to be Notified of any rectification, erasure or restriction (Article 19)
VI. Right to Data Portability (Article 20)
VII. Right to Object (Article 21)
VIII. Right not to be subject to a decision based solely on Automated Individual Decision-Making, including profiling (Article 22)
What is a Data Protection Officer?
A Data Protection Officer (DPO) is an independent data protection leadership role defined by the General Data Protection Regulation (GDPR), which certain organisations are required to appoint (see 'Do I need a Data Protection Officer for my business?' below). Data protection officers are responsible for overseeing a company's data protection strategy and its implementation to ensure compliance with GDPR requirements.
Does GDPR affect my business?
GDPR applies to all businesses and organisations established in the EU, regardless of whether the data processing itself takes place in the EU. Organisations established outside the EU are also subject to GDPR when they offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU. Almost all businesses are therefore affected by GDPR, from sole traders to multinationals, but even though GDPR aims to unify data protection rules across the EU, not all businesses will face the same obligations or problems.
If your business offers goods and/or services to individuals in the EU, it is subject to GDPR whenever it processes (which includes collecting, storing and using) their personal data.
Do I need a Data Protection Officer for my business?
An organisation is required to appoint a designated data protection officer where:
I. The processing is carried out by a public authority or body;
II. The core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
III. The core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Updated July 2020