The EU General Data Protection Regulation (GDPR) sets out rules that organisations must follow to protect personal data. The European Commission published its proposal in January 2012, and the Regulation was adopted on 27 April 2016. GDPR repeals the former Data Protection Directive (Directive 95/46/EC), harmonises data protection law across the European Union, and has been enforceable since 25 May 2018.
The purpose of GDPR is to protect individuals (data subjects) with regard to the processing of their personal data while allowing the free movement of such data. GDPR also has extraterritorial scope: it applies to organisations established outside the EU if they offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of those individuals' citizenship.
Above all, a breach of GDPR can result in administrative fines of up to €20,000,000 or 4% of the organisation's total annual worldwide turnover for the preceding financial year, whichever is higher.
Understanding personal data
Any information relating to an identified or identifiable living individual is personal data. Examples include names, addresses, photographs, National Insurance Numbers, Social Security Numbers, biometric data and online identifiers such as IP addresses and cookie identifiers.
The six principles of data protection
The previous Data Protection Act 1998 had eight data protection principles, while GDPR has six data processing principles (with an overarching accountability obligation on the controller to be able to demonstrate compliance with them). These principles form the groundwork of data protection regulation:
- Lawful, fair and transparent processing
- Purpose Limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Imperatives of GDPR
The key imperatives for organisations include:
- Have a governance system in place with defined roles and responsibilities
- Conduct staff training sessions
- Provide privacy notices that fully inform the individuals concerned about the data processing
- Ensure that individuals can exercise their rights
- Have a written contract in place with any processor to which data processing is outsourced
- Keep records of all processing activities
- Carry out data protection impact assessments for processing that is likely to be high-risk
- Implement organisational and technical security measures to protect personal information
- Appoint a data protection officer, where required by law
More control with new rights
GDPR gives individuals increased control over their data. Individuals can exercise a set of rights, and data controllers are obliged to honour them. Data subjects have:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to processing
- Rights in relation to automated decision-making and profiling
Outsourcing contract
Where an organisation outsources a data processing operation, it must have a written contract in place with the outsourced organisation. The data controller must make sure that its data processor also meets the requirements of GDPR and has adequate security measures in place. The contract should cover at least the following provisions:
- The processor must not engage sub-processors without the prior authorisation of the controller
- The processor must notify the controller of a personal data breach without undue delay
- The processor must comply with the EU rules on transfers of personal data outside the EU
- The processor must assist the controller in responding to data subjects' requests to exercise their rights
- Data protection by design and by default
Appointing a Data Protection Officer
The data protection officer oversees the organisation's compliance efforts and acts as the contact point between the data controller and the Supervisory Authority. Appointing a DPO is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities involve large-scale processing of special categories of personal data or data relating to criminal convictions. However, it is advisable to appoint a Data Protection Officer even when it is not mandatory.