An Overview Of The GDPR

In our most recent article, we talked about how the General Data Protection Regulations (GDPR) affect businesses. It explained the difference between the UK GDPR and EU GDPR, the responsibilities of businesses regarding data protection and privacy, and the opportunities compliance presented for forward-thinking organisations. In the second part of this series, we will examine what the GDPR is further, who it applies to, its principles, the rights it provides to data subjects, and the legal basis for processing personal data.

What Is The GDPR?

The GDPR came into force on 25th May 2018, following a two-year preparation period and four years of negotiations. However, the concept of privacy protection dates back to the 1950 European Convention on Human Rights which set out rights relating to private life (art.8) and freedom of expression (art.10).

As one of the toughest privacy and data protection laws in the world, the GDPR limits what organisations can do with the personal data they hold and increases the rights of data subjects. For example, a data subject has rights under the GDPR to request an organisation hand over a copy of all the personal data concerning them and can also demand that their personal data be erased. Although both these rights are subject to exceptions, the balance sits heavily in favour of the data subject.

What Does The GDPR Aim To Achieve?

Three main objectives govern the background and text of the GDPR:

• Establish and protect the data protection and privacy rights of people.
• Harmonise privacy laws across the EU/EEA.
• Ensure privacy and data protection legislation is broad enough to be effective with early 21st century technology.

Although the GDPR was designed to bring all 28 (as it was in 2018) EU Member States plus the EEA States’ data protection and privacy laws under one roof, there was plenty of scope for individual countries to make their own regulations, especially concerning national security, crime prevention, and civil litigation. This is why the UK has the Data Protection Act 2018 which should be read alongside the GDPR.

Who Does The GDPR Apply To?

The GDPR applies to two classes of organisations that deal with personal data:

• Controllers - the person, public authority, business, agency, charity, or other body that alone or jointly determines the purpose and means of processing personal data.
• Processors - a person or organisation, which could be a public authority, business, agency, charity or other body that processes personal data on the controller’s behalf.

For more information, the ICO has a detailed web page about the differences between controllers and processors.

In order to know whether the GDPR applies to your organisation, you must ask yourself the following:

• Are your data processing activities regulated by the GDPR, for example, do you or your organisation engage in collecting, analysing, recording, accessing, viewing, combining, storing, deleting, or disclosing personal data?
• Does your organisation operate within the UK GDPR’s jurisdiction, defined by Article 3 as an organisation ‘established’ in the UK?

What Is Personal Data?

Personal data is data that relates to an identifiable living person:

• Directly or indirectly by reference to an identifier (for example, their name).
• By an identification number.
• By location data.
• Through an online identifier such as an IP address or cookies.
• By one or more factors specific to the physical, physiological, or genetic traits of that person.

The GDPR also provides for special categories of personal data under Article 9. Processing of any of the following information is prohibited unless an Article 9 exemption applies:

• Race or ethnic origin.
• Political opinions.
• Religious or philosophical beliefs.
• Trade union membership.
• Genetic data.
• Biometric data such as fingerprints.
• Health data.
• Data relating to a person’s sex life or sexual orientation.

For more information, the ICO has a detailed web page about the different types of different types of personal data.

What Are The GDPR Principles?

There are six GDPR principles listed under Article 5(1) which states that personal data must be processed:

• Lawfully, fairly, and transparently.
• For specified, explicit, and legitimate purposes only.
• In a manner that is adequate, relevant, and limited to what is necessary.
• Accurately and where required, kept up-to-date.
• Regarding storage, data should not be kept in a manner that can be identified for any longer than is necessary.
• In a way that protects it from unlawful or unauthorised processing, loss, damage, or destruction.

Article 5(2) provides the accountability requirement (some argue that this is the seventh principle). The accountability principle states that the controller (this point also applies to processors) is not only responsible for complying with the aforementioned principles, they also must be able to demonstrate compliance. The accountability requirement is the lynchpin of the GDPR and should be in the back of your mind at all times. As in writing fiction, it is essential to ‘show rather than tell’.

What Are The Legal Reasons For Processing Data?

There are six lawful reasons for processing personal data:

• The data subject has given their consent.
• Performance of a contract.
• To allow the controller to comply with a legal obligation.
• To protect the vital interests of the data subject or another person.
• Public interest or task.
• Legitimate interest.

If you cannot place your reason for processing data under one of these six categories, any processing will be deemed unlawful.

In addition to meeting the lawful criteria under Article 6, there are ten more conditions for processing special category data under Article 9. You must determine which condition applies before commencing the processing and document your findings. Note: five of the conditions require further requirements and safeguards to be satisfied under Schedule 1 of the Data Protection Act 2018. If the processing is deemed high risk, you also will need to complete a data protection impact assessment.

What Are The Rights Of A Data Subject?

The GDPR provides several rights to a data subject. These include:

• Article 13 & 14 - The right to be informed about what, how, when, where, and why their data is being collected and processed.
• Article 15 - The right to access their data.
• Article 16 - The right to rectify any inaccurate personal data concerning them.
• Article 17 - The right to be forgotten.
• Article 18 - The right to restrict processing.
• Article 20 - The right to data portability, to transfer their personal data from one controller to another.
• Article 21 - The right to object to the processing of their personal data.
• Article 22 - The right to not have any decisions concerning them made solely based on automated decision making and profiling.

These rights are extensive, and without effective processes and procedures in place, management can be time-consuming and expensive. One of the major positives of being GDPR compliant is that it reduces the overall costs of honouring the rights of data subjects while at the same time increasing the trust and loyalty of your customers, employees, and suppliers.

In Summary

It is impossible to implement a privacy framework and data protection policies and procedures without first understanding the basics of the GDPR. One way to increase knowledge in your organisation is to have relevant people obtain certification through the BCS Practitioner Certificate in Data Protection or the IAPP CIPP/E and CIPM.

In our next article, we will examine elements such as organisation structure and the budgets required to support GDPR compliance, including appointing a Data Protection Officer.

Discover more about data protection and privacy law training, email us at contact@freevacy.com or call 0370 04 27701.