Tuesday, June 6, 2017

GDPR – General Data Protection Regulation in 60 seconds



“Protecting the data of the people”

The EU regulation comes into force on 25th May 2018. It aims to simplify the existing laws and is an evolution of the pre-existing Data Protection Directive (DPD). The DPD was implemented separately into each national law, leading to inconsistencies between member states. GDPR provides a more consistent definition of personal data, creating a more uniform law across member states, and it is designed to bring much harsher penalties for non-compliance.

Five roles are defined:
Data Subject: citizen or resident of an EU member state; the rightful owner of the data.
Data Controller: organisation that collects the data.
Data Processor: organisation that processes the data on behalf of the controller.
Data Protection Officer: works independently to ensure that an entity is adhering to the GDPR regulations.
Data Protection Authority: each EU member state must have an authority with enforcement powers.

Personal Data: any information relating to the data subject.

Important Principles
Consent:
data must be freely given, i.e. the individual may refuse and must affirm its use.
the controller must clearly explain how the data will be used.
Right Of Access:
the data subject may obtain access to the data.
the data subject has the right to erasure.
Retention:
data should only be retained when there is a compelling and valid reason.
Enforcement:
3 days to report a breach.

Lawful basis to process
There are six lawful bases under GDPR for processing personal data. You must determine and document your lawful basis before you begin processing.
Consent
Consent must be unambiguous and involve a clear affirmative action (an opt-in). You must keep clear records to demonstrate consent.
Contract
You can rely on this lawful basis if you need to process someone’s personal data to fulfil your contractual obligations to them.
Legal Obligation
You can rely on Legal Obligation if you need to process the personal data to comply with a common law or statutory obligation.
Vital Interests
Where processing is necessary in order to protect the vital interests of the data subject. Vital interests are intended to cover only interests that are essential for someone’s life, e.g. emergency medical care.
Public Task
Your overall purpose must be to perform a public interest task or exercise official authority, and the overall task or authority must have a sufficiently clear basis in law, e.g. the administration of justice or government functions.
Legitimate Interests
Legitimate interests are most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. This basis requires a Legitimate Interests Assessment (LIA): a purpose test, a necessity test and a balancing test.
