What is GDPR?

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a set of rules and regulations that gives EU citizens specific rights to control how organisations process, store, and share their personal data. The key points are:

  • Everyone has a fundamental right to privacy.
  • When individuals and businesses provide their data to a company, that company has an obligation to protect it.
  • GDPR is enforced by the office of the Data Protection Commissioner.
  • GDPR is a legal requirement and cannot be ignored.

GDPR Terms

Data Subject - The individual/natural person who is the subject of the personal data.
Data Controller - The natural or legal person (e.g. an organisation) who determines the purposes and means of processing the data of the Data Subject (personal data).
Data Processor - The natural or legal person who processes data on behalf of a Data Controller.
Retention Period - How long a natural or legal person may store personal data. This varies depending on the type of data and the legal responsibilities that apply to it.

What are the risks?

  • Liability for compliance with GDPR rules and regulations rests with the Controller.
  • Infringement of GDPR rules and regulations may result in fines of up to 4% of the Data Controller's global turnover or €20M.
  • Legal action by individuals and class actions.
  • Claims may be based on material or non-material damage.
  • Each data subject rights request that is not answered within the 30-day deadline.
  • Each data breach.
  • Reputational damage.
  • It is mandatory to report data breaches to the Data Protection Commissioner and to the affected data subjects.

What is personal data?

Personal data is "any information that relates to an identified or identifiable natural person." Examples of personal data include HR files and data, online identifiers, emails, payroll records and medical files. Note that:

  • The definition of personal data is very broad.
  • It refers to living individuals, not legal entities.
  • Data can be in either an automated or manual format.

What is considered Special or Sensitive Data?

Special (sensitive) category data must not be processed unless a specific exemption applies, most commonly where explicit consent has been obtained. It is any data relating to:

  • Race/ethnicity
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Health data
  • Sexual health/orientation

What is 'Processing'?

Processing means performing any operation on personal data, whether or not by automated means, including:

  • Collecting/recording
  • Organising/structuring
  • Storing
  • Altering
  • Retrieving
  • Transmitting/transferring
  • Erasing/destroying

Legal basis for 'Processing'

When processing data, at least one of the following legal bases must apply:

  • By consent of the individual. This must be freely given and can be withdrawn.
  • In fulfilment of a contract with the data subject.
  • Where there is a legal obligation on the Controller, e.g. taxes.
  • Legitimate interests of the Data Controller (explained next).
  • For the vital interests of the individual (e.g. in an emergency).
  • In the public interest.

What is legitimate interest?

Legitimate Interest is the most flexible of the GDPR's lawful bases. It applies in circumstances where the processing does not fit any other legal basis, e.g. IT security. When relying on this basis, the Controller should:

  • Be able to identify and define the legitimate interest clearly.
  • Demonstrate that the intended processing is required for this interest.
  • Balance the legitimate interest against the data subject's interests, rights, and freedoms.

The 7 Principles of Data Protection

  1. Transparency - State who you are and for what purpose the data will be collected.
  2. Purpose Limitation - Only process data for the particular purpose for which it was originally collected.
  3. Data Minimisation - Data collection should be limited to only what is necessary and relevant.
  4. Accuracy - Data must be accurate and, where necessary, kept up to date.
  5. Storage Limitation - Data is not to be held for any longer than the original purpose for which it was collected.
  6. Integrity & Confidentiality - Security measures must be implemented to keep data safe and secure.
  7. Accountability - The Controller must be able to demonstrate compliance with each of these obligations.

What are your rights as a Data Subject?

  • Right of access to your own data.
  • Right to data portability (where technically possible), i.e. the right to obtain and reuse your personal data for your own purposes.
  • Right to erasure (not absolute, e.g. where erasure would conflict with a legal obligation).
  • Right to rectification if the data is incorrect.
  • Right to object to processing (where legitimate interest is the legal basis being used).

Your responsibilities as an organisation

  • To appoint a "Data Protection Officer".
  • To design and operate appropriate processing systems.
  • To use processors that meet the requirements of the legislation (e.g. do not transfer data outside the EU).
  • To keep records of processing activities (for controllers with more than 250 employees).
  • Keep data secure.
  • Report data breaches within 72 hours of becoming aware.
  • Carry out Data Protection Impact Assessments (DPIA) if intending to carry out a high-risk processing activity, e.g. new technology, automated decision making, processing large amounts of sensitive data.

To be compliant, we recommend:

  • Education & Training - We all have a responsibility to be aware of our responsibilities and how we should act on them.
  • Personal Data
    • Data Inventory - As an organisation, you should be aware of all personal data held and how it is processed.
    • Audit your existing data and identify what is required and under what legal bases.
    • Identify gaps.
    • Implement a remediation plan.
  • Internal Processes
    • Each team should be aware of any processes they currently have which use personal data.
    • Processes should be documented and governance procedures created.
    • Embed governance procedures within teams.
  • Required Processes - There are several required processes currently undocumented:
    • Enabling Data Subject Rights - Processes to ensure compliance with any data subject request, e.g. request for access to their data, request to delete data, etc.
    • Data breaches - Process for reporting any data breaches.
    • DPIA - The process for carrying out a DPIA.
  • Data Management & Controls - Design and implement policies for managing and controlling all data in the organisation.
  • Audits & Reviews - Design a set of audits and reviews that measure and demonstrate compliance if an audit ever takes place.

In a nutshell, here's what you should remember:

  • GDPR is about transparency and protection.
  • Keep only what you need.
  • Be prepared, but don't panic. It's about process and awareness.
  • If in doubt, ask!
  • GDPR has to be a Business As Usual task.

If you want to learn more about GDPR, Data Privacy or Data Security, then get in touch.