There is so much information available on the GDPR (General Data Protection Regulation) that it can be daunting knowing where to begin.
With this blog, we hope to simplify things, providing quick explanations of the GDPR’s core concepts. For those who want to learn more about each topic, we have links to articles where we’ve discussed the issue in more detail.
The definition of personal data
Article 4 of the GDPR defines personal data as any information that identifies or can be used to identify a natural, living person (as opposed to an organisational entity). There’s no definitive list of what this consists of, but the Regulation explains that it can include:
[a] name, an identification number, location data, an online identifier or […] one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
That is to say, personal data is any information that is clearly about a particular person. In certain circumstances, someone’s name, IP address, hair colour, job or political opinions could be considered personal data.
As we explain in our blog dedicated to personal data, “the qualifier ‘certain circumstances’ is worth highlighting, because whether information is considered personal data often comes down to the context in which it is collected.”
Lawful bases for processing personal data
Article 6 of the Regulation states that organisations can only process personal data if there is a lawful basis to do so. These bases are:
- Consent: the individual agrees to the processing.
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
Many organisations will be tempted to use consent, but the GDPR’s strict rules on how to obtain and maintain it mean that it should only be sought if no other lawful basis is appropriate.
Get to grips with your compliance requirements with our GDPR Foundation Training Course.
This one-day course is the perfect introduction to the GDPR and the requirements you need to meet.
It’s ideal for managers who want to understand how the Regulation affects their organisation and employees who are responsible for GDPR compliance.
You’ll learn about the six data protection principles, the rights of data subjects, the ways in which you can protect personal data and the steps you must take if a breach occurs.
Data subject rights
Articles 15–22 of the GDPR enshrine eight rights that individuals have concerning the way their personal data is used. These are:
- The right to be informed
Organisations must tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
This information must be communicated concisely and in plain language in your privacy notice.
- The right of access
Individuals can submit DSARs (data subject access requests), which oblige organisations to provide a copy of any personal data they hold concerning the individual.
Organisations have one month to produce this information, although there are exceptions for requests that are manifestly unfounded, repetitive or excessive.
- The right to rectification
If an individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated.
As with the right of access, organisations have one month to do this, and the same exceptions apply.
- The right to erasure
Individuals can request that organisations erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected.
The right to erasure is also known as ‘the right to be forgotten’.
- The right to restrict processing
Individuals can request that an organisation limits the way it uses personal data.
It’s an alternative to requesting the erasure of data, and it might be used when an individual contests the accuracy of their personal data or when they no longer need the information but the organisation requires it to establish, exercise or defend a legal claim.
- The right to data portability
Individuals are permitted to obtain and reuse their personal data for their own purposes across different services.
This right only applies to personal data that an individual has provided to data controllers by way of a contract or consent.
- The right to object
Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task carried out in the public interest or in the exercise of official authority.
- Rights related to automated decision making, including profiling
The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals.
There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.
Security of processing
Article 32 of the GDPR states that organisations must implement “appropriate technical and organisational measures” to protect their systems.
It only lists a handful of examples of what these measures might include, because best practices are bound to change over time, which would mean any advice given now could soon be out of date.
That said, encryption tools and malware detection are more or less universal features of modern business, and an obvious starting point.
Similarly, there are widely used measures that address the people and processes aspect of information security, such as staff awareness training.
Data protection impact assessments
DPIAs (data protection impact assessments) help organisations identify, assess and mitigate privacy risks to data processing activities. They are particularly important when introducing new data processes, systems and technologies.
Article 35 of the GDPR states that a DPIA is required if personal data processing is likely to result in a high risk to the rights and freedoms of data subjects. This includes:
- Automated decision-making (including profiling) that could significantly affect data subjects;
- Large-scale processing of special categories of data (relating to race or ethnicity, political opinions, health, etc.); and
- Systematic large-scale monitoring of public areas.
What Brexit means for the GDPR
If your organisation processes UK residents’ personal data or you work with an organisation based in the country, you may be wondering how the requirements we’ve listed here are affected by Brexit.
The answer, as with so many things related to Brexit, is complicated. The UK may no longer be an EU member state, but that doesn’t mean you can simply ignore its compliance requirements.
For a start, you must appoint a UK representative. They are a localised version of the GDPR’s EU representative requirements, and are responsible for serving as the point of contact between the organisation, relevant supervisory authorities and data subjects.
They are tasked with:
- Responding to any queries the supervisory authorities or data subjects have concerning data processing;
- Maintaining records of the organisation’s data processing activities; and
- Making data processing records accessible to the UK’s data protection supervisory authority, the ICO (Information Commissioner’s Office).
You can find a UK representative quickly and easily with the help of our sister company GRCI Law.
Led by a team of lawyers, barristers, and information and cyber security experts, GRCI Law can take the strain of GDPR compliance, acting as your EU representative for personal data processing activities.
A version of this blog was originally published on 20 March 2020.