“Protecting the data of the people”
The EU regulation comes into force on 25th May 2018. It aims to simplify the existing laws and is an evolution of the pre-existing Data Protection Directive (DPD). The DPD was implemented separately into each member state's national law, leading to inconsistencies between member states. GDPR provides a more consistent definition of personal data, creating a more uniform law across member states, and is designed to bring much harsher penalties for non-compliance.
Five roles are defined
Data Subject: citizen or resident of an EU member state; the rightful data owner.
Data Controller: organisation that collects the data.
Data Processor: organisation that processes the data on behalf of the controller.
Data Protection Officer: works independently to ensure that an entity is adhering to GDPR regulations.
Data Protection Authority: each EU member state must have an enforcement power.
Personal Data: any information relating to the data subject.
Important Principles
Consent: data must be freely given, i.e. the individual may refuse and must affirm its use; the controller must clearly explain how the data will be used.
Right of Access: the data subject may obtain access to the data and has the right to erasure.
Retention: data should only be retained when there is a compelling and valid reason.
Enforcement: 3 days to report a breach.
Lawful basis to process
There are 6 lawful bases under GDPR for processing personal data. You must determine and document your lawful basis before you begin processing.
Consent
Consent must be unambiguous and involve a clear affirmative action (an opt-in). You must keep clear records to demonstrate consent.
Contract
You can rely on this lawful basis if you need to process someone's personal data to fulfil your contractual obligations to them.
Legal Obligation
You can rely on Legal Obligation if you need to process the personal data to comply with a common law or statutory obligation.
Vital Interests
Applies where processing is necessary in order to protect the vital interests of the data subject. Vital interests are intended to cover only interests that are essential for someone's life, e.g. emergency medical care.
Public Task
Your overall purpose must be to perform a public interest task or exercise official authority, and that overall task or authority must have a sufficiently clear basis in law, e.g. the administration of justice or government functions.
Legitimate Interests
Legitimate interests are most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. This basis requires a Legitimate Interests Assessment (LIA), consisting of a purpose test, a necessity test and a balancing test.