The EU General Data Protection Regulation is the latest set of rules for organisations to protect personal data. It was initially published in January 2012 and adopted on 27 April 2016. GDPR repeals the former Data Protection Directive (Directive 95/46 EC). GDPR will harmonise the data protection laws across the European Union, and it is enforceable from 25 May 2018.
The purpose of the GDPR is the protection of data subjects with regard to the processing of their personal data, together with the free movement of such data. GDPR has an extra-territorial scope, meaning that it also applies to organisations located outside the EU if they collect and process the personal data of EU citizens.
A breach of GDPR can result in a penalty of €20,000,000 or 4% of the organisation's annual worldwide turnover.
Understanding personal data
Any piece of information that can directly or indirectly identify a living individual is considered personal data. Examples of personal data include names, addresses, photographs, National Insurance Numbers, Social Security Numbers, biometric information and online identifiers.
The six principles of data protection
The previous Data Protection Act 1998 had eight data protection principles, while the GDPR has six data processing principles. These principles form the groundwork of the data protection regulations:
- Lawful, fair and transparent processing
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Imperatives of GDPR
The key imperatives for organisations include:
- Have a governance system in place with defined roles and responsibilities
- Conduct staff training sessions
- Send privacy notices that fully inform the individuals concerned about the data processing
- Uphold the rights of individuals
- Have a contract in place when outsourcing data processing operations
- Keep a record of all the data that is processed
- Carry out data protection impact assessments for high-risk data processing
- Implement organisational and technical security measures to protect personal information
- Appoint a data protection officer, where required by law
More control with new rights
GDPR gives individuals increased control over their data. Individuals are now entitled to certain rights, and data controllers are obliged to honour those rights. Data subjects have:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to processing
- The right to object to automated decision-making and profiling
Where an organisation outsources a data processing operation, it needs to have a contract in place with the outsourced organisation. The data controller must make sure that its data processor also meets the requirements of GDPR and has adequate security measures in place. The contract should also cover the following provisions:
- The Processor must not use sub-processors without the consent of the Controller
- The Processor must report data breaches to the Controller without delay
- The Processor must comply with EU trans-border data transfer rules
- The Processor must help the Controller to comply with data subjects' rights
- Data protection by design and by default
Appointing a Data Protection Officer
The data protection officer oversees the compliance effort and acts as the contact point between the data controller and the Supervisory Authority. Appointing a DPO is mandatory for public authorities, for other organisations that monitor the behaviour of individuals, and for data controllers that process personal data in large volumes. However, it is advisable to appoint a Data Protection Officer even when it is not mandatory.