Topics to be covered

  • What is personal data?
  • What is GDPR?
  • How is GDPR relevant after Brexit?
  • Key principles of data protection
  • Who is the supervisory authority?
  • What are the aims of GDPR?
  • Key GDPR terminology
  • Summary
  • Assessment

What is personal data?

We define personal data as information that relates to an identified or identifiable living human. An identifiable person is one who can be identified, directly or indirectly, by many different types of information.

They can be identified by unique data such as:

  1. DNA (deoxyribonucleic acid)
  2. Fingerprints
  3. Information regarding their name and home address.

The processing of personal data is covered in two ways:

Firstly, personal data is processed wholly or partly in electronic form. We call this automated processing.

Secondly, personal data is processed manually, such as in a filing system. We call this non-automated processing.

What is personal data?

In most cases, it will be simple to determine whether the information you process relates to an identified or identifiable living human.

Sometimes it will be more difficult and you will need to consider the information you have to determine if it is personal data.

Some personal data is more sensitive and requires more protection. The GDPR refers to this data as ‘special categories of personal data’. The categories are:

  • Race
  • Ethnicity
  • Religious beliefs
  • Health data
  • Sexual orientation

Personal data also includes information relating to criminal offences and convictions. This data also needs stronger protection.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU privacy law. Its purpose is to protect the personal data and privacy of all individuals within the EU.

The GDPR applies to each member state of the European Union, to provide more consistent protection of consumer and personal data across EU member states.

These regulations increase the restrictions on what organisations can do with your data.

They also give greater protection and rights to individuals to manage their data.


How is GDPR relevant after Brexit?

After Brexit, the UK will still be required to comply with the GDPR. The reason for this is that the GDPR applies to all companies based in the EU.

It also applies to those with EU citizens as customers. This will have an impact all over the world, as even international companies who have EU citizens as customers must comply with it.

As there is such a high level of business involving the EU, the GDPR will influence strong data protection procedures around the world.

Because of this, the GDPR will be incorporated into UK domestic law as part of any EU withdrawal and will continue to function alongside the Data Protection Act 2018. Once it leaves the EU, the UK will be given ‘third country status’. This means the UK has to live up to the adequacy requirements: it must demonstrate to the EU that the UK is a safe place to share and process data. If it does so, this will prevent restrictions on data transfers being imposed.

The key principles of data protection

We are now going to look at the 6 key principles of the GDPR.

These principles are:

Lawfulness, fairness and transparency

  1. When collecting data, organisations must ensure that they do so in a lawful way.
  2. They must make sure they are open and that they don’t hide anything from the data subject.
  3. Companies must state in their privacy policies the type of data they are collecting and why they are collecting it.

Purpose limitation

Organisations must only collect personal data for a specific purpose. They must clearly state what they are collecting the data for and retain it only for as long as is needed to fulfil that purpose. Some exceptions to this rule are collecting data for archiving, historical, scientific or statistical needs.

Data minimisation

Under data minimisation, only the minimum amount of personal data needed for the stated purpose may be processed. There are two main benefits to this. Firstly, in the event of a data breach, an unauthorised person gains access to only a limited amount of data. Secondly, it is much easier to keep the information accurate and up to date.

Accuracy

  • Accuracy is an integral part of data protection.
  • The GDPR states that ‘every reasonable step is taken to rectify inaccurate or incomplete data’.
  • Individuals have the right to request that errors in data be rectified within 30 days.

Storage limitation

  • Organisations must delete all personal data when it is no longer required.
  • This is usually after a set time.
  • In circumstances where the organisation isn’t sure how long keeping the data will be necessary, it would need to obtain legal advice.

Integrity and confidentiality

This principle is mainly about security. All data must be processed in a way that ensures the necessary security of personal data. This includes protecting against unlawful processing, accidental loss, and the destruction or damage of personal data.

What is a supervisory authority?

In regard to the GDPR, each member state of the EU has its own regulator. The purpose of the regulator is to supervise compliance with specific regulations. This involves investigating complaints regarding the GDPR and co-operating with supervisory authorities from other EU member states.

Who is the supervisory authority?

For the UK, it is the Information Commissioner’s Office (ICO). This independent body upholds information rights in the public interest. This authority covers:

  • Data Protection Act 2018
  • Freedom of Information Act 2000
  • Privacy and Electronic Communications Regulations (PECR)
  • Environmental Information Regulations

Following the Data Protection Act, all organisations in the UK which process personal data must register with the ICO. The ICO will then publish the names and addresses of the data controllers. It is against the law for a company which processes personal data not to register with the supervisory authority.