In this blog post, we'll cover:
Before diving into understanding what GDPR and compliance of this entails, here are some general GDPR terms and definitions that would be helpful as you read this article.
| Terminology | Definition |
| --- | --- |
| Data Subject | A natural person whose personal data is processed by a Data Controller or Data Processor. |
| Data Controller | An individual or organisation that determines the purposes and means by which personal data is processed. |
| Data Processor | An individual or organisation that processes personal data on behalf of a Data Controller. |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, etc. |
| Data Protection Impact Assessment | A process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible. |
| Data Protection Officer | The primary role of the DPO is to ensure that the organisation processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules. |
| Obtaining Consent | Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies agreement to the processing of personal data relating to him or her. |
| Security Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| Principles | The fundamental principles embedded within the GDPR which set out the main responsibilities for organisations. |
| Personal Data | Any information relating to an identified or identifiable natural person ('data subject'). |
The UK GDPR, now known as the Data Protection Act 2018 (DPA), is a legislative framework that establishes rules for the gathering and processing of personal information for anyone within the UK. The DPA came into effect after Brexit, when the UK adopted GDPR regulations following its departure from the EU. The DPA mirrors the EU GDPR and applies similar data protection regulations to anyone within the UK, with a few exceptions.
UK GDPR applies to all organisations based in the UK, and it equally applies to organisations outside the UK that have business transactions and dealings within the UK. Similarly, the EU GDPR applies to any organisation that has business transactions and dealings within the EU and any of its territories. Collectively, these will be addressed as GDPR in this article.
GDPR has outlined 7 fundamental principles. Organisations should align any policies on the management of personal data with these principles to ensure continuous compliance with GDPR requirements.
These principles uphold individual rights under GDPR in relation to the management and safeguarding of individuals' personal data.
Individual rights under GDPR require consent before any of their personal data is collected or processed. GDPR prohibits the collection or handling of an individual's personal data without consent. There are consequences for non-compliance, and these include punitive measures such as penalties and fines.
There are clear benefits for ensuring that your organisation is compliant with requirements under GDPR. The following are a few reasons why your organisation should ensure that it is GDPR compliant:
While the benefits of GDPR compliance are important considerations, the requirement of legal rights of your data subjects must be understood and adhered to.
GDPR guarantees data subjects 8 fundamental rights, including the right to withdraw consent. These rights provide data subjects with an element of control in relation to their personal data. These data subject rights are as follows:
The scope of GDPR includes all organisations of all sizes that handle or manage personal data. To understand this further, these data handling organisations are categorised into ‘Processors’ and ‘Controllers’.
GDPR defines a Controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data”. In other words, controllers make decisions about processing activities. They have overall control over the personal data being used and are ultimately in charge of and responsible for processing that data.
A Processor is a "natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller". A Processor will only process information in line with the instructions given by a Controller.
Now that you have an understanding of data handlers, let us take a look at what the data in question is.
GDPR applies to personal data of natural persons — meaning people, not legal entities like corporations and non-profit organisations. Personal data in the context of GDPR means any information relating to a natural person. The following are some examples of personal data:
GDPR establishes seven principles that are meant to guide enterprises in their handling of personal data. These are designed to serve as a framework for explaining the regulation's objective. The seven principles are:
Non-compliance with GDPR can be punitive. Under GDPR's fines and penalties regime, the maximum fine that can be imposed for infringements is €20 million (about £18 million) or 4% of annual global turnover, whichever is greater.
These fines are designed to be effective, proportionate and dissuasive; in short, they act as deterrents for organisations and help ensure compliance with GDPR.
Now that we have covered the definition of personal data, the principles governing GDPR, and the magnitude of fines for infractions, let us take a look at a practical roadmap to assist your organisation in becoming GDPR compliant. Here are the most important steps:
Step 1: Create an actionable plan - To successfully apply data protection principles and preserve data subject rights, GDPR recommends the implementation of suitable technical and organisational measures. This is referred to as "data protection by design and default." This means that you must incorporate data security into your processing operations and business practices beginning at the design stage and continuing through the full data processing lifecycle. The principles of GDPR can help you create this plan.
Step 2: Generate a processing register - GDPR requires entities to keep records of their processing actions and to keep such documents up to date. Data mapping covers the operational process of creating and maintaining a centralised inventory of the organisation's data flows.
Step 3: Conduct a Data Protection Impact Assessment (DPIA) - If a processing activity poses a significant risk to individuals' personal data, Controllers must complete a Data Protection Impact Assessment (DPIA).
Step 4: Build a framework for consent management - GDPR raises the bar for enterprises that rely on consent to process personal data. If you want people to give their consent to your use of their personal information, your disclosures should be concise and easy to understand, and consent should be straightforward to withdraw. Organisations must also be able to provide proof of consent in a variety of ways.
Step 5: Review and remedy processor risks - Controllers are held liable for the Processor's acts or breaches under GDPR. Data transfers and contractual commitments must be examined with the same level of care as internal processing operations in order to adequately mitigate this risk.
Step 6: Implement GDPR compliance training - GDPR requires the appointment of a Data Protection Officer to oversee an organisation's adherence to the regulation, which includes educating and training employees. Employers should provide initial and refresher training to employees. Additionally, there should be a system in place to keep track of the training in order to prove compliance.
Step 7: Appoint a Data Protection Officer (DPO) - The Data Protection Officer is responsible for ensuring that their organisation is compliant with GDPR and serving as the link between the employees and the members of the public who may find their information used and processed by the organisation. For more information, read our article on everything you need to know about appointing a data protection officer.
If your business has fewer than 250 employees but still processes personal or sensitive data regularly, you must be GDPR compliant. Small businesses rely heavily on marketing and getting information about their business out to the public. Promotions and personal contact require access to personal information, hence the need for consent and overall compliance with the requirements of GDPR.
Large organisations have access to extensive resources to secure support with GDPR compliance, whether through internal hires or outsourcing. Smaller businesses, even with limited resources, can still achieve GDPR compliance by:
If you want to learn more, read our articles below to understand how GDPR affects small businesses; there are also articles offering sector-specific guidance.
Every year, the gap between your company's resources for managing external compliance obligations and its ability to meet those needs becomes more challenging. In order to ease this burden and position your firm for success, DataGuard offers a suite of solutions including Privacy-as-a-Service and Consent and Preference Management.
With the support of our GDPR experts, you can look beyond compliance issues with minimum impact on your everyday operations. Get the help you need to tackle complex GDPR compliance requirements. You can also rely on our GDPR experts for industry-specific advice.
Are there still some questions that you would like answered? Feel free to contact one of our GDPR experts.