We are now twenty months on from the day the General Data Protection Regulation, more commonly known as GDPR, came into force. The Regulation came into force on 25 May 2018 and was designed to modernise the laws that protect individuals’ personal information. One reason for this was the change over the past decades in how organisations use and process personal data.
Personal data is anything that allows a natural person to be directly or indirectly identified. Under GDPR it is split into two key types:
- Personal data which is defined as including name, address, date of birth, national insurance number, identification number, email address, telephone number;
- Special categories of personal data, commonly referred to as sensitive personal data, which includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, genetics, health, sexual orientation, as well as data relating to natural individuals under the age of 16.
Data Subject Access Requests
The Regulation makes it easier for individuals to know of and access the personal data which organisations hold about them. Individuals can submit a subject access request to confirm what information an organisation holds about them and to access that information. Organisations are required by the Regulation to provide the information without delay and at the latest within one month of receipt of the individual’s request. The organisation may charge a reasonable fee based on the administrative costs of preparing the requested data.
Data Controllers and Data Processors
A controller is the person that decides how and why to collect and use personal data. The controller must ensure that the processing of that data, even by a processor, complies with data protection law.
A processor is a separate person or organisation who processes data on behalf of the controller and in accordance with the instructions of the controller.
The Regulation requires organisations to report any “destruction, loss, alteration, unauthorised disclosure of, or access to” personal data to the Information Commissioner’s Office. Reporting is required within 72 hours of the organisation becoming aware of the breach if there is a risk to individuals’ rights and freedoms.
The Information Commissioner’s Office has a number of corrective powers under the Regulation, including the power to fine organisations for data breaches and for failing to notify it of a breach.
Failing to comply with certain requirements under the Regulation, including failing to notify a data breach when required to do so, can result in a significant fine of up to 10 million euro or 2 per cent of an organisation’s global turnover. Failing to comply with the basic principles of the Regulation, including the rights of data subjects, can result in an even more significant fine of up to 20 million euro or 4 per cent of the organisation’s global turnover.