What are the basic requirements of the law?

Data protection impact assessment – data protection assessments must be made when implementing a new system or starting a new project. It is a necessary procedure when there is a significant change in the way data is processed.
Data transfers – data controllers have the responsibility to ensure the protection of personal data when it is being transferred outside the company or to a third party. They also have to ensure that GDPR requirements are respected.
Data protection officer – an organisation should assign a data protection officer where significant data processing is taking place. The data protection officer will have the responsibility for ensuring the company complies with the GDPR requirements.
Awareness and training – organisations must make their employees aware of GDPR requirements. Regular training must be provided to ensure employees are aware of their responsibilities in protecting personal data and in identifying data breaches as soon as possible.
The structure of GDPR
The GDPR is a very large piece of legislation. Therefore, its structure has been broken down into eleven chapters. These chapters cover:
- General provisions
- Principles
- Rights of the data subject
- Duties of data controllers or processors
- Transfers of personal data to third countries
- Supervisory authorities
- Cooperation among member states
- Remedies
- Liability or penalties for breach of rights
- Miscellaneous final provisions
Articles

Each chapter is split into articles. There are 99 articles in the GDPR.
We are now going to take a look at the key articles. These are:
Article 6: lawfulness of processing – processing is only lawful if at least one of the following applies:
A) Consent: the individual has given clear consent to process their personal data for a definite purpose.
B) Contract: the processing is necessary to take steps at the request of the individual prior to entering into a contract.
C) Legal obligation: the processing is mandatory for one to comply with the law.
D) Vital interests: the processing is required in order to protect the vital interests of the data subject.
E) Public task: the processing is necessary for the performance of a task carried out in the public interest or for official functions.
F) Legitimate interests: the processing is necessary for the purposes of the legitimate interests pursued by the individual or by a third party, unless there is a good reason to protect the individual’s personal data which overrides those interests.
Article 15: right of access by the data subject – the data subject has the right to obtain information about them from a data controller, and whether or not it’s being processed.
Article 16: right to rectification – the data subject has the right to obtain from the data controller without delay the rectification of inaccurate personal data concerning them. Also, the data subject shall have the right to have incomplete personal data completed.
Article 18: right to restriction of processing – the data subject has the right to obtain from the data controller the restriction of processing where one of the following applies: the data subject contests the accuracy of information, when processing of data is unlawful, and the data subject asks for it to be deleted, or where the data is no longer needed for processing but is retained in the event it is needed in a legal situation.
Article 20: right to data portability – the data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a commonly used format and have the right to pass that data to another data controller without delay from the data controller to which the personal data had been provided.
Article 21: right to object – the data subject has the right to object to the processing of their personal data. To continue processing data, the controller must demonstrate compelling legitimate grounds for processing the data.
Organisational structure

We will now look at the structure of the GDPR and how it works.
We begin with the European Data Protection Board, and they will issue guidance to data controllers and processors.
The lead supervisory authority (Information Commissioner’s Office) will oversee both the data processors and controllers to ensure compliance.
The lead authority will enforce data protection impact statements to the data controller and processor.
The data controllers and processors will notify the supervisory authority of any breaches or notifications.
The data controller will then pass the data that is processed on to third countries, third parties and others who require this information. At the heart of the GDPR is the protection of personally identifiable information.
Summary
In this module, we have looked at the GDPR in much more detail. We now know why the regulation came into force, and we have learnt:
- One of the key changes made by the GDPR is much larger fines for companies who do not follow the legislation.
- GDPR ensures that consent is given clearly and that at any time, an individual has the right to have their data destroyed.
- The UK’s supervisory authority for implementing the GDPR is the Information Commissioner’s Office (ICO).
- Authorities may liaise with data protection officers where companies implement them.