The General Data Protection Regulation (GDPR) is an EU regulation that ensures that people’s fundamental right to privacy has protection. The GDPR mandates that businesses protect the privacy and personal data of EU citizens in any transaction within or outside the European Union.
In the UK, this regulation led to the evolution of the Data Protection Act (2018). The DPA controls how government, businesses, and organizations use personal information obtained from subjects. Owing to its hefty fine, every organization holding, and processing customers’ data needs to be aware of the law’s content. This article demystifies the content of the EU GDPR, rules of data processing and provides a quick checklist to help you achieve compliance.
History, Meaning, and Mission of the General Data Protection Regulation (GDPR)
The General Data Protection Regulation is the foremost regulation. Among the list of compliance frameworks that every website owner or organization who collects and processes personal data must observe. It seeks to give individuals control over their data and limit and minimize usage for legal purposes.
Nevertheless, the right to privacy is a fundamental human right. Article 8 of the European Convention on Human Rights states that “everyone has the right to respect for his private and family life, his home and correspondence”. Owing to its great importance, the EU had enacted different regulations to safeguard its citizens’ privacy. The General Data Protection Regulation replaced the Data Protection Directive (officially Directive 95/46/EC), enacted in 1995. Although it was created in April 2016, the new data protection regulation didn’t come into force until May 25, 2018. In its original form, the General Data Protection [also written as Regulation Regulation (EU) 2016/679] contains 99 articles under 11 chapter headings.
Important Definitions in the GDPR
Before we go any further, it is crucial to understand certain key terms used in Article 4 of the GDPR:
- Personal data: This refers to any piece of information related to an identifiable natural person. Which is technically referred to as the “data subject”. Personal data includes name, identification number, and location data. It also includes online identification, including IP address, cookie data, and other web data.
- Processing: refers to any operation which issues personal data or sets of personal data. (Data) processing includes collecting, recording, sorting or organizing, structuring, storing, adapting or altering, retrieving, disclosing (by transmission), disseminating, aligning, combining, restricting, or erasing data.
- Controller: refers to a person, agency, or public authority who determines the purpose and procedure of processing data.
- Processor: A processor is an individual or group that processes data on behalf and at the controller’s request.
- Consent: refers to an informed, freely given, and unambiguous indication of agreement
- to the processing of personal data. According to the regulation, the data subject may indicate consent to process their data by a clear, affirmative statement or action.
- Personal data breach: refers to the breach of security resulting in unauthorized disclosure, unlawful destruction, loss, or access to personal data.
What type of data does the GDPR protect?
Not every piece of data comes under the purview of the EU data protection regulation. However, the regulation covers salient data sets. It would be best to worry about the following categories of information as a data controller or processor.
- Primary identity information such as name, address, and ID nos
- Biometric data, e.g., facial images
- IP address, location, cookie data, and a few other web-related data
- Health data (revealing the state of physical or mental health, as well as the provision of health services)
- Genetic data
- Racial information
- Sexual orientation
- Political orientation
What are the Principles of Data Protection?
The General Data Protection Regulation lays down six broad principles to guide the lawful processing of personal data. They are:
Data shall be collected for an explicit, specified, legitimate purpose. According to the European Union Convention on Human Rights, privacy is a fundamental human right. Personal data is an extension of this privacy and should be handled with a high sense of responsibility. For this reason, a principle of data protection is that data collectors must obtain people’s data for purposes that are legal and specified.
Thus, before you extract data, you should tell customers what your organization will use the information for and be sure that such a purpose is legal; that is, tenable under the law. It is important to know that you do not have the right to process any data for any purpose other than you stated at the point of data collection. The GDPR states that data should be limited to the purpose for which it is collected.
Data should be processed in a lawful, fair, and transparent manner. A core principle of data protection is transparency. As a principle of data protection, transparency states that any piece of information addressed to the data subject or general public should be clear, concise, and easy to access. Such information could be accompanied by visualization if it will aid understanding.
As a transparent data collector, you should make potential data subjects aware that you collect data from them. In addition to disclosing data collection, you should state in clear terms the legal basis for obtaining and processing the data so obtained. To be fair with data subjects, you have to convey their rules, risks, and safeguards related to this process and the rights they have over their data.
Data shall be relevant, adequate, and limited to what is sufficient to achieve the purpose for which data is processed. As soon as this purpose is achieved, it is unethical to process data for other reasons.
Data shall be accurate and up-to-date. Data that are inaccurate for processing shall be rectified or erased without delay.
Data shall be kept for as long as is necessary and in a form that permits the identification of subjects for intended purposes.
Data shall be processed in a manner that ensures security against unauthorized processing and accidental loss or damage.
A quick GDPR Compliance Checklist
At this point, you should be asking, “how do I comply with the GDPR?” You can put some things in place to avoid the excessive fine that GDPR violation attracts. However, the following are the most important tips to achieve GDPR compliance.
1. Identify data and record data activities
Your first step to GDPR compliance is identifying the type of personal data you hold, document it, and keeping an accurate catalog of the data. Initial cataloging helps you determine sensitive data under your control, where such data is stored, its source, what processing you are doing on it, and who has access to it. In line with Article 30 of the General Data Protection Regulation, we strongly advise that you keep a record of data processing activities which must be made available to authorities upon request. This record of processing activities must detail data categories, groups of data subjects, the purpose of processing data, and recipients of processed data. Not keeping records of processing activities could cost up to 10 million euros in a fine or 2% of your business’s annual turnover.
2. Simplify consent procedure
You have to disclose to data subjects that you are collecting their data and obtain their consent before doing so. Part of disclosing data collection is declaring the legal basis for the collection and processing of data. Also, you should make data subjects understand how you intend to process their data, hold it for the long term, and whether or not you are sharing customer data with third parties. The GDPR requires that consent for data processing must be specified, clearly worded, and freely given. In addition to making consent simple to understand, your organization has to ensure that consent withdrawal is easy to follow.
3. Set up an information system for privacy
In a bid to ensure that people’s data are well protected and secured, data controllers and processors are obliged to put measures in place to aid the implementation of data protection principles. Designing an information system with privacy in mind is a viable way to go. A good way of doing this is by making sure that datasets are not publicly accessible by default and cannot be used to identify data subjects.
4. Appoint a “Data Protection Officer” (DPO)
Having a data protection officer, who demonstrates professional knowledge of data law and IT security, is a legal obligation under the GDPR. This becomes mandatory when a company processes sensitive personal data on a large scale. The Data Protection Officer’s duties include striving towards compliance with relevant data laws, overseeing data protection impact assessments, training employees on data protection and increasing awareness among them, and cooperating with supervisory authorities.
The General Data Protection Regulation is a critical data privacy and security framework. Understanding its dos’ and don’t’ is important to every organization that collects that data in the European Union or processes or transfers data outside the EU. While this article is one of the simplest pieces out there on the GDPR, do understand that it is not a substitute for legal advice. You may need a trained lawyer’s service to understand the legal side of things to complement the little information you have obtained from this article.
Become fully compliant following international web accessibility guidelines.