Published on Jul 09, 2021
In our most recent article, we talked about how the General Data Protection Regulations (GDPR) affect businesses. It explained the difference between the UK GDPR and EU GDPR, the responsibilities of businesses regarding data protection and privacy, and the opportunities compliance presented for forward-thinking organisations. In the second part of this series, we will examine what the GDPR is further, who it applies to, its principles, the rights it provides to data subjects, and the legal basis for processing personal data.
The GDPR came into force on 25th May 2018, following a two-year preparation period and four years of negotiations. However, the concept of privacy protection dates back to the 1950 European Convention on Human Rights which set out rights relating to private life (art.8) and freedom of expression (art.10).
As one of the toughest privacy and data protection laws in the world, the GDPR limits what organisations can do with the personal data they hold and increases the rights of data subjects. For example, a data subject has rights under the GDPR to request an organisation hand over a copy of all the personal data concerning them and can also demand that their personal data be erased. Although both these rights are subject to exceptions, the balance sits heavily in favour of the data subject.
Three main objectives govern the background and text of the GDPR:
Although the GDPR was designed to bring all 28 (as it was in 2018) EU Member States plus the EEA States’ data protection and privacy laws under one roof, there was plenty of scope for individual countries to make their own regulations, especially concerning national security, crime prevention, and civil litigation. This is why the UK has the Data Protection Act 2018 which should be read alongside the GDPR.
The GDPR applies to two classes of organisations that deal with personal data:
For more information, the ICO has a detailed web page about the differences between controllers and processors.
In order to know whether the GDPR applies to your organisation, you must ask yourself the following:
Personal data is data that relates to an identifiable living person:
The GDPR also provides for special categories of personal data under Article 9. Processing of any of the following information is prohibited unless an Article 9 exemption applies:
For more information, the ICO has a detailed web page about the different types of personal data.
There are six GDPR principles listed under Article 5(1), which states that personal data must be processed:
Article 5(2) provides the accountability requirement (some argue that this is the seventh principle). The accountability principle states that the controller (this point also applies to processors) is not only responsible for complying with the aforementioned principles, they also must be able to demonstrate compliance. The accountability requirement is the lynchpin of the GDPR and should be in the back of your mind at all times. As in writing fiction, it is essential to ‘show rather than tell’.
There are six lawful reasons for processing personal data:
If you cannot place your reason for processing data under one of these six categories, any processing will be deemed unlawful.
In addition to meeting the lawful criteria under Article 6, there are ten more conditions for processing special category data under Article 9. You must determine which condition applies before commencing the processing and document your findings. Note: five of the conditions require further requirements and safeguards to be satisfied under Schedule 1 of the Data Protection Act 2018. If the processing is deemed high risk, you will also need to complete a data protection impact assessment.
The GDPR provides several rights to a data subject. These include:
These rights are extensive, and without effective processes and procedures in place, management can be time-consuming and expensive. One of the major positives of being GDPR compliant is that it reduces the overall costs of honouring the rights of data subjects while at the same time increasing the trust and loyalty of your customers, employees, and suppliers.
It is impossible to implement a privacy framework and data protection policies and procedures without first understanding the basics of the GDPR. One way to increase knowledge in your organisation is to have relevant people obtain certification through the BCS Practitioner Certificate in Data Protection or the IAPP CIPP/E and CIPM.
In our next article, we will examine elements such as organisation structure and the budgets required to support GDPR compliance, including appointing a Data Protection Officer.