The General Data Protection Regulation, more commonly known as GDPR, came into force on 25 May 2018. The regulation was designed to modernise the laws that protect the personal information of individuals.
The Regulations
Organisations that hold personal data must have a valid lawful reason for processing it. The lawful basis for processing the data must be detailed in the organisation's privacy policy.
The GDPR Regulations make it easier for individuals to access the personal data that organisations hold about them. Individuals can submit a subject access request, and there is no fee for asking for this information. Organisations must send the information within one month of receiving the request. In some cases an individual can also have their personal data erased, for example if the data is no longer necessary or if consent is withdrawn.
What is Personal Data?
One of the big questions is what counts as personal data. There are two key types:
- Personal data is anything that allows a living person to be directly or indirectly identified. Examples include name, address and date of birth.
- Special category data is more sensitive information, such as genetic and biometric data, religious beliefs, racial information or sexual orientation. Processing special category data also requires organisations to comply with Article 9 of the GDPR.
Who are Controllers and Processors?
A controller is the person that decides how and why to collect and use the data. The controller must make sure that the processing of that data complies with data protection law.
A processor is a separate person or organisation (not an employee) who processes data on behalf of the controller and in accordance with their instructions.
What is a Personal Data Breach?
The GDPR regulations require organisations to report any “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data to the regulator. Organisations need to report to the Information Commissioner's Office within 72 hours of the breach if there is a resulting risk to people’s rights and freedoms.
The Information Commissioner's Office (ICO) is the supervisory authority for data protection in the UK. The regulator can fine a business if the organisation fails to notify the ICO of a breach.