On 25 May 2018 a new European privacy law became enforceable – the General Data Protection Regulation, or GDPR, as we’ve all come to know it (the regulation itself was adopted in April 2016 and applied after a two-year transition period). Because it is a regulation rather than a directive, it applies directly in every EU member state without needing to be transposed into national law. The law applies to any company that processes the personal data of individuals in the EU, or that offers goods or services to them or monitors their behaviour, regardless of where in the world the company is based.
Essentially, GDPR guarantees that individuals in the EU have greater control over the personal data that companies collect from them and that their details are protected. A year and a half after GDPR came into effect, there are still cases of very high-profile companies being sanctioned for not complying with GDPR. Such was the case of British Airways and Marriott International, which are facing fines.
What are the most important terms related to GDPR?
Understanding what each of these terms means is an important first step. Here are some of the terms used in this article, which will help you get a better grasp of GDPR:
- Data subject – a natural person whose personal data is processed by a controller or processor.
- Data controller – the entity that determines the purposes, conditions, and means of the processing of personal data.
- Personal data – any information related to a natural person or Data Subject that can be used to directly or indirectly identify the person.
- Data processor – the entity that processes data on behalf of the Data Controller.
According to GDPR, what are the rights an individual (data subject) has?
According to GDPR, these are the rights an individual in the EU has, which you, as a company operating in the EU, or “data controller”, must respect:
- The Right of Access – under Article 15, GDPR gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e. those who decide how and why data are processed), as well as other relevant information. These requests are often referred to as ‘data subject access requests’, or ‘access requests’.
- The right to be informed – Any processing of personal data should be lawful, fair, and transparent. It should be clear and transparent to individuals that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are, or will be, processed. The right to be informed, under Articles 13 and 14 GDPR, is a key part of any organisation’s obligation to be transparent.
- The right to rectification – If an individual thinks their personal data is inaccurate, they have the right to have the data rectified, by the controller, without undue delay.
If an individual’s personal data is incomplete, they have the right to have the data completed, including by means of providing a supplementary statement. Member states may restrict this right by national law (Article 23 GDPR); in Ireland, for example, the right of rectification is restricted in certain circumstances under Section 60 of the Data Protection Act 2018, which provides for restrictions that are necessary for important objectives of public interest, and by Section 43 of the Act, which seeks to balance the right of rectification with the right of freedom of expression and information.
- The right to erasure – this is also known as the ‘right to be forgotten’.
An individual has the right to have their data erased, without undue delay, by the data controller, if one of the following grounds applies:
- Where their personal data are no longer necessary in relation to the purpose for which it was collected or processed.
- Where they withdraw their consent to the processing and there is no other lawful basis for processing the data.
- Where they object to the processing and there are no overriding legitimate grounds for continuing the processing.
- Where they object to the processing and their personal data are being processed for direct marketing purposes.
- Where their personal data have been unlawfully processed.
- Where their personal data have to be erased in order to comply with a legal obligation.
- Where their personal data have been collected in relation to the offer of information society services to a child.
- The right to data portability – In some circumstances, an individual may be entitled to obtain their personal data from a data controller in a format that makes it easier to reuse their information in another context, and to transmit this data to another data controller of their choosing without hindrance. This is referred to as the right to data portability. This right only applies where processing of personal data is carried out by automated means, and where they have either consented to processing, or where processing is conducted on the basis of a contract between the individual and the data controller.
- Rights in relation to automated decision making, including profiling – Under Article 22, a decision based solely on automated processing (including profiling) that produces legal effects for an individual, or similarly significantly affects them, is permitted only with the individual’s explicit consent, when necessary for entering into or performing a contract, or when authorised by Union or Member State law. Where one of these exceptions applies, suitable measures must be in place to safeguard the rights, freedoms and legitimate interests of people. This includes, at least, the right to obtain human intervention on the controller’s part, the individual’s right to present their point of view, and the right to challenge the decision.
- The right to object to processing of personal data – Under Article 21, an individual has the right to object to certain types of processing of their personal data where this processing is carried out in connection with (1) a task in the public interest, (2) the exercise of official authority, or (3) the legitimate interests of the controller or a third party. An individual has a stronger, absolute right to object where the processing relates to direct marketing. An individual may also object to processing of their personal data for scientific or historical research or statistical purposes, unless the processing is necessary for the performance of a task carried out in the public interest.
- The right of restriction – This right applies in four ways. The first two types of restriction of processing apply where an individual has objected to processing of their data under Article 21, or where they have contested the accuracy of their data. In these cases, the restriction applies until the data controller has determined the accuracy of the data, or the outcome of the individual’s objection. The third situation in which an individual can request restriction relates to processing which is unlawful. In these cases, if they do not want the data controller to delete their information, they can request restriction of the personal data instead. The fourth type of restriction of processing applies where an individual requires data for the purpose of a legal claim. In this case, they can request restriction even where the data controller no longer needs the data.
These rights all converge towards giving customers, prospective customers, employees, contractors and other individuals more control over their data, and ensuring the organisations that collect and process this data have less unchecked power over it.
How does GDPR affect how a company operates?
As we’ve established, GDPR gives consumers more power. Whose job is it to comply with these regulations? That responsibility falls on all companies established in the EU, regardless of whether the data collected is processed in the European Union or not. A company established outside the EU which offers goods or services to individuals in the EU, or monitors their behaviour, must also comply with GDPR. Under Article 37, certain organisations must appoint a DPO (data protection officer) to oversee GDPR compliance: public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations that process special categories of data or criminal-conviction data on a large scale. Other organisations may appoint one voluntarily, and it is often good practice to do so. Companies that are non-compliant with GDPR can expect fines of up to 4% of annual global turnover or 20 million EUR, whichever is higher.
How can you make sure that your company is GDPR-compliant?
Data mapping – Do you know how data moves in your company? Having a clear record of what personal data you hold, where it came from, where it is stored, who it is shared with and how long it is kept is a great start to proving that your company is complying with GDPR, and for most organisations such a record of processing activities is required by Article 30. There are readily available tools to help you map the data in your company. Using a tool like this might also help you find any problems you have, which is the first step in solving them.
Providing training to employees – GDPR has a deep impact on how businesses operate. As such, the people working in your company need to fully grasp the importance of data protection and go through, at the very least, a training session on what GDPR is, what its basic principles are, and the procedures you are implementing in order to comply. Data is one of the most valuable currencies in the world, and GDPR has been developed to ensure the appropriate management of personal data by companies. As such, organisations that prove they value their customers’ privacy – beyond legal compliance – and who handle data in a transparent way can be seen as more trustworthy and have more loyal customers.
Provided by: Momentum