What is GDPR?
The GDPR introduces new obligations and penalties for the way personal data is handled, and UK organisations must comply when dealing with customers, employees, suppliers and any other individuals whose data they hold.
It is the biggest shake-up in data protection law for 20 years, and ushers in a new era of personal data transparency and accountability. Organisations that fail to comply risk fines of up to 4% of their global annual turnover or €20m, whichever is greater.
Why is it happening?
The digital age has increased risk for individuals, particularly with the escalating threat of cyber crime and identity theft.
GDPR brings the law up to date by raising the bar for personal data handling and protection, as well as introducing some ground-breaking changes.
What is personal/sensitive personal data?
The GDPR splits personal data into two tiers: personal data and sensitive personal data (called "special category data" in the regulation itself).
It is vital that you know the difference and treat each set accordingly: sensitive personal data can only be processed where one of the regulation's specific conditions applies, and it warrants stronger technical protection.
Personal Data
Any information relating to an identified or identifiable individual (the data subject), including:
- A photo
- Email address
- Bank details
- Posts on social networking websites
- Medical information (which is also sensitive personal data, below)
- Computer IP address
Sensitive Personal Data
Any personal data revealing or consisting of:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Physical or mental health records
- Sex life or sexual orientation
- Criminal convictions and offences, including alleged offences
- Genetic data
- Biometric data, where it is used to uniquely identify someone
Need-to-know definitions
- Consent - A freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or a clear affirmative action, that they agree to the processing of their personal data. Silence or pre-ticked boxes do not count, and explicit consent is required for sensitive personal data.
- Data Subject Rights - A set of rights that individuals can exercise against organisations processing their personal data (access, rectification, erasure, restriction, portability and objection, among others).
- Encrypted Data - Personal data protected by technical measures so that it is only readable by those holding the decryption key. Encryption is one of the measures the regulation names for securing data, and well-encrypted data that is lost or stolen may not need to be reported to the individuals affected.
- Erasure/The Right to be Forgotten - Enables an individual to request that their personal data is deleted or removed, for example where it is no longer needed for the purpose it was collected for; the right is not absolute and is subject to exceptions such as legal obligations to retain records.
- Privacy by Design - A principle (stated in the regulation as data protection by design and by default) that requires data protection to be built into systems from the outset of design, rather than bolted on afterwards.
- Privacy Notices - A statement made to the data subject explaining how the organisation will collect, use, share and retain their personal data, and for how long.
- Processing - Any operation or set of operations performed on personal data, including obtaining, recording, holding, storing, altering, disclosing, combining and deleting it.
- Pseudonymisation - Processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, where that additional information is kept separately and protected by technical and organisational measures. Pseudonymised data is still personal data, because the link back to the person can be restored.
- Subject Access Requests (SAR) - Allows individuals to obtain confirmation that their data is being processed and a copy of the personal data held on them, normally within one month and free of charge. Inaccuracies found this way are corrected under the separate right to rectification.
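The pseudonymisation definition above is easier to see in code. The following is an added example (not part of the original page, and not any particular product's implementation) that assumes a keyed hash (HMAC-SHA256) as the pseudonymisation function, with the secret key playing the role of the "additional information" that is held separately. It also shows why an unkeyed hash of an identifier is not pseudonymisation in any useful sense: an attacker who can guess plausible identifiers simply recomputes the hash. All records and candidate email addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample dataset (fictional people, not real data).
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "purchase": "widget"},
    {"email": "bob@example.org", "purchase": "gadget"},
]

# Identifiers an attacker could plausibly enumerate (constructed).
CANDIDATE_EMAILS: List[str] = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: looks anonymous, but anyone can recompute it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256).

    The key is the 'additional information' in the GDPR definition: it is
    stored separately from the pseudonymised dataset (for example in a KMS),
    and without it a token cannot be attributed back to a person.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with a pseudonym and keep the other fields.

    The same input always yields the same token, so records about one person
    can still be joined across tables without exposing who they are.
    """
    return [
        {"subject_id": pseudonymise(r["email"], key), "purchase": r["purchase"]}
        for r in records
    ]


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """Try to reverse a token with no key: hash each guess and compare."""
    for guess in candidates:
        if naive_hash(guess) == token:
            return guess
    return None


def reidentify(token: str, known_identifiers: List[str], key: bytes) -> Optional[str]:
    """With the key, the controller can re-link a pseudonym to its identifier.

    This is exactly why pseudonymised data remains personal data: the link
    is recoverable by whoever holds the additional information.
    """
    for identifier in known_identifiers:
        if hmac.compare_digest(pseudonymise(identifier, key), token):
            return identifier
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this outside the dataset
    pseudo = pseudonymise_records(RECORDS, key)
    print(pseudo)
    # An unkeyed hash is reversed by guessing:
    print(dictionary_attack(naive_hash("alice@example.com"), CANDIDATE_EMAILS))
    # The keyed pseudonym is not, without the key:
    print(dictionary_attack(pseudo[0]["subject_id"], CANDIDATE_EMAILS))
    # ...but the key holder can re-identify it:
    print(reidentify(pseudo[0]["subject_id"], CANDIDATE_EMAILS, key))
```

The design point is the separation: the analytics dataset carries only `subject_id` tokens, the key lives elsewhere under its own access control, and re-identification is an auditable action performed with that key rather than something anyone holding the dataset can do.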
Who is Who?
- Data Controller - An individual or organisation which determines the purposes and means of processing personal data, i.e. why and how it is processed.
- Data Subject - A living individual who can be identified, directly or indirectly, from the data.
- Data Processor - A body or individual who processes personal data on behalf of, and on the documented instructions of, the data controller, for example a payroll bureau or a cloud hosting provider.
- Data Protection Officer (DPO) - An expert on data protection who independently monitors the organisation's compliance with the regulation, advises it on its obligations and acts as the contact point for data subjects and the supervisory authority. The DPO reports to the highest level of management and must not be penalised for carrying out these tasks.