It's understandable that the General Data Protection Regulation (GDPR) is a difficult piece of law to comprehend. In this blog, we've summarised the main GDPR requirements for individuals looking for guidance on how to comply.
1. Lawful, fair and transparent processing
According to Article 5 of the GDPR, organisations must have a documented lawful basis for processing personal data, and individuals must be told how their data is being used and processed. That might sound simple, but according to research from our sister organisation, IT Governance UK, infringements of Article 5 are the most frequently cited failing in penalty notices. By checking your processing activities against the GDPR's lawful bases for processing, you can make sure that your processing is legal (more on that later).
You must produce privacy notices and make them available to data subjects if you want to ensure transparency.
2. Limitation of purpose, data and storage
Article 5 also stipulates that businesses may only gather individuals' personal information for specified purposes. They must also specify that objective in writing and make sure that data is destroyed when it is no longer required.
More latitude is granted for processing carried out for archiving in the public interest, or for scientific, historical or statistical purposes.
3. Data subject rights
Eight data subject rights are protected by the GDPR:
- Right to be informed
People have a right to know what information is being gathered, how it will be used, how long it will be stored, and whether it will be shared with outside parties.
This information must be delivered succinctly and in an understandable manner.
- Right of access
People can submit DSARs (data subject access requests), which compel organisations to give them a copy of any personal information they hold about them. Organisations have a month to produce this information (extendable by a further two months where requests are complex or numerous), although requests that are manifestly unfounded, repetitive or excessive may be refused or charged for.
- Right to rectification
An individual has the right to ask that any inaccurate or incomplete information held about them by an organisation be rectified. The same limitations apply as with the right of access, and organisations have a month to complete this.
- Right to erasure
In some situations, such as when the data is no longer required, it was improperly processed, or it no longer satisfies the legal basis for collection, individuals have the right to request that organisations delete their personal data.
- Right to restrict processing
In certain situations, individuals can require an organisation to restrict how their personal data is used rather than erase it. This alternative to the right to erasure applies, for example, when the accuracy of the data is contested, when the processing is unlawful but the individual prefers restriction to deletion, or when the organisation no longer needs the data but the individual needs it to establish, exercise or defend a legal claim. In such cases, the organisation may store the data but must not otherwise process it without the individual's consent or another permitted ground.
- Right to data portability
People are entitled to obtain their personal data in a structured, commonly used and machine-readable format and to reuse it across different services. This right only applies to personal data that the individual has provided to the data controller, where the processing is carried out by automated means and is based on consent or on a contract.
- Right to object
Organisations must give individuals the opportunity to object when personal data is processed on the grounds of legitimate interests or the performance of a task carried out in the public interest or in the exercise of official authority. When an individual exercises this right, the organisation must stop processing the data unless it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the individual. Where data is processed for direct marketing, the right to object is absolute and processing must stop.
- Rights related to automated decision making including profiling
The GDPR provides safeguards for decisions made solely by automated means, including profiling, which analyses personal data to evaluate or predict aspects of a person. There are strict rules governing this type of processing, and individuals have the right to obtain human intervention, to express their point of view and to contest the decision if they think the rules aren't being followed.
4. Consent
It's a common misperception that organisations must obtain individuals' consent before processing personal data under the GDPR. In reality, consent is only one of six lawful bases for processing, and it should only be relied on in appropriate circumstances. Where consent is the most appropriate basis, organisations must follow specific rules.
In essence, consent must be given through a clear affirmative action. In other words, rather than pre-ticked boxes, people need a mechanism that requires a deliberate decision to opt in.
5. Personal data breaches
Understanding exactly what this term covers is crucial because data breaches are at the core of the GDPR. Article 4 defines a personal data breach as a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
This means that data breaches aren't necessarily the result of hackers breaking into a company's systems. They can also happen when an employee accesses data unrelated to their job role, shares files with a third party outside the organisation, or sends an email containing sensitive information to the wrong recipient. Data breaches also include incidents such as ransomware attacks or hardware failures that leave personal data unavailable or unusable, since loss of availability counts as a breach.
6. Privacy by design
Privacy by design is not a new idea; it was previously regarded as best practice. With the GDPR, however, it is now a legal requirement (Article 25 refers to it as data protection by design and by default).
So what is it exactly? It requires organisations to build privacy considerations into data processing activities from the outset rather than addressing them after the fact.
This requires organisations to:
- Implement appropriate technical and organisational measures to put the data protection principles into practice
- Integrate the necessary safeguards into their processing in order to meet the GDPR's requirements and protect the rights of individuals
7. Data protection impact assessment
Article 35 introduces the concept of DPIAs (data protection impact assessments). These help organisations identify and reduce privacy risks when processing data. They are essential if you handle any high-risk data, but they are also valuable whenever you're implementing a new system, process or technology for collecting data. According to the GDPR, DPIAs are mandatory where processing "is likely to result in a high risk to the rights and freedoms of natural persons."
Although the GDPR doesn't define "high risk," Article 35(3) gives the following examples of processing that always requires a DPIA:
- Systematic and extensive profiling or other automated evaluation that produces legal or similarly significant effects on individuals
- Large-scale processing of special categories of personal data, or of data relating to criminal convictions and offences
- Large-scale, systematic monitoring of publicly accessible areas
8. Data transfers
Different rules apply to data transfers depending on where you are moving data to and from. Organisations do not need to put additional safeguards in place when transferring personal data within the EU, or to a third country that the European Commission has recognised as providing adequate protection. Otherwise, if you are transferring data to a third country, you must use one of the safeguards listed in Article 46. SCCs (standard contractual clauses) are used in the majority of cases where organisations are simply sharing data with organisations based outside the EU. The European Commission has previously issued two sets of SCCs for transfers between data controllers and one set for transfers from data controllers to data processors.
9. Data protection officer
A DPO (data protection officer) is an independent data protection expert who advises an organisation on how to meet its regulatory obligations. Article 39 sets out the tasks of a DPO, which include the following:
- Educating employees about their obligations regarding data protection
- Monitoring the organisation's data protection policies and practices
- Advising management of the necessity of DPIAs (data protection impact assessments)
- Acting as the organization's point of contact with its supervisory authority
- Acting as a contact for people with regard to privacy issues
10. Awareness and training
Staff awareness training must be provided to anyone who handles personal data or is responsible for overseeing data protection procedures. Additionally, make sure that the training is relevant to the work that the staff actually do. For instance, employees responsible for handling personal data should be educated about their duties and the risks involved. Alongside the data protection policy, senior staff members should be taught key concepts such as privacy by design and DPIAs.