GDPR seeks to give everyone control over how organisations can use their data. It also introduces much heftier penalties for organisations that do not follow the guidelines and rules, and for any data breaches. The aim is to make data protection law almost identical across the EU; it will also apply post-Brexit.
Why is GDPR being introduced?
The EU wanted a way to bring data protection law in line with how people's data is now being used: the internet has allowed organisations to use numerous methods to obtain and use people's data.
GDPR will also provide more clarity to organisations regarding how they can use data, and it makes data protection law identical throughout EU member states.
Who are Data Controllers, Data Processors and Data Subjects?
Data Controllers state how and why personal data is processed; they could be any organisation (including but not limited to a profit-making company, charity or government).
Data Processors are the ones doing the actual processing of the data.
It is the Data Controller's responsibility to ensure their Data Processor conforms to the terms of GDPR. Data Processors must also conform to the rules and must maintain clear records of their processing activities.
Data Subjects are the individuals to whom particular personal data relates.
What does GDPR mean?
Once GDPR legislation comes into effect, Data Controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
Organisations must obtain consent for data to be collected, and this must be an affirmative action by the Data Subject (consent must be actively given; it cannot just be assumed). The Data Controller must keep a record of how and when the Data Subject gave consent. An individual will have the right to withdraw consent at any time.
What is considered Personal Data?
Personal Data is any information related to a person, such as a name, a photo, an email address, bank details, posts on social networking websites, location details, medical information, or a computer IP address.
Penalties for an Organisation?
There are tough penalties for companies and organisations that don't comply with GDPR: a fine of up to 4% of annual global revenue or 20 million Euros (whichever is greater).
Individuals' Rights under GDPR?
To access – individuals have the right to request access to their personal data and to ask how their data is used.
To be forgotten – if consent is withdrawn, individuals have the right to have their data deleted.
To data portability – the right of individuals to transfer their data from one service provider to another.
To be informed – individuals have to opt in for their data to be gathered; consent must be freely given rather than implied.
To have information corrected – the right to have out-of-date or incorrect information updated.
To restrict processing – individuals can request that their information is retained but not used.
To object – any processing or use of individuals' data must stop as soon as the request is received.
To be notified – individuals have the right to be informed of any data breaches involving their data within 72 hours.
Data is a valuable currency to organisations.
GDPR is the EU's way of giving individuals, prospects, customers, contractors and employees more power over their data; the task of complying with this regulation falls upon organisations.