What is GDPR?
GDPR stands for General Data Protection Regulation. It gives individuals living in the EU more rights and freedoms to control and access their data. There are 8 rights of the individual; these are:
- The right to be informed – Data subjects have the right to be informed about how their information is being used, who it is shared with, and how it is protected.
- The right of access – Data subjects have the right to request access to any personal information you hold on them.
- The right to rectification – This means that you must be able to rectify or remove any inaccurate information held on a data subject. This could be a phone number, an email address, or any other information. If information is found to be incorrect but cannot be updated, it should be removed.
- The right to erasure – This means that under certain circumstances, a data subject may request for you to delete any information you hold on them, and you must comply.
- The right to restrict processing – Individuals have the right to request you cease the processing of their data under certain circumstances.
- The right to data portability – Individuals may request a copy of their data for reuse across different services, which should be provided in a way so that information can be copied or transferred from one IT environment to another safely and securely without affecting its usability.
- The right to object – The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. For example, individuals have an absolute right to stop their data being used for direct marketing.
- Rights concerning automated decision making and profiling – You may only carry out this type of decision-making where the decision is either A) necessary for the entry into or performance of a contract, B) authorised by Union or Member State law applicable to the controller, or C) based on the individual’s explicit consent.
GDPR also means that you must only process information with the following 7 principles in mind:
- Lawfulness, fairness and transparency – You must not be in breach of the law, you must be fully transparent about the way data is used, and you must identify a lawful basis for processing.
- Purpose limitation – You must only use the information for the purpose it was collected for.
- Data minimisation – You must only collect the information required to complete the processing activity; anything else is considered excessive.
- Accuracy – Data must be kept accurate and up to date. Anything inaccurate should be updated or removed.
- Storage limitation – You must have set retention periods for the timeframe you hold data, which detail how long it is stored and how it will be removed securely.
- Integrity and confidentiality – You must ensure the security and privacy of information stored within your systems and hardware.
- Accountability – You must take responsibility for what you do with personal data and for how you comply with the other principles. This is evidenced through appropriate measures and records that demonstrate compliance with the regulation.
Who does GDPR apply to?
GDPR applies to any business operating within the EU, and to any non-EU company that markets to, or obtains and processes personal data from, individuals within the EU. Therefore, every business intending to operate within the EU, or to target EU citizens, should be well-versed in GDPR compliance and have good protocols in place. Don’t forget, GDPR also governs employee personal data.
How does GDPR apply to me as a business?
As a business, you are expected to follow all the principles of GDPR and to ensure that the rights and freedoms of individuals are respected when collecting, processing, sharing, and storing their personal data. Personal data includes any information which can identify an individual either directly or indirectly.
Why is GDPR necessary?
GDPR is built upon the premise of protecting the public, and over time it has improved to grant more confidence to both consumers and businesses when handling data. It is essential for guiding your employees and directing third parties on their responsibilities, so that the rights and freedoms of individuals are respected. Data protection must be a forethought, never an afterthought.
Do I need a DPO?
According to the ICO, under GDPR, you must appoint a DPO if:
- You are a public authority or body (except for courts acting in their judicial capacity);
- Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to appoint a DPO voluntarily, you should be aware that the same requirements for the position and its tasks apply as if the appointment had been mandatory.