This article outlines some of the most crucial concepts that organisations covered by GDPR must understand to implement the regulations successfully.
1) Why is GDPR needed?
EU lawmakers introduced GDPR to improve data privacy practices across Europe and to establish EU-wide standards for data security. GDPR also granted individuals new rights over their data. Before GDPR, the existing laws were inadequate for the age of ‘big data’, and many businesses did not implement best practices to ensure that adequate safeguards were in place to protect personal data.
2) GDPR’s Core Principles of Data Protection
GDPR outlines several core principles of data protection that guide the rest of the legislation. These include:
- There are different categories of data, such as “identifiable data” or “special data”, and each class must be treated appropriately
- There must be a legal basis for processing data, and processing must be done in a fair and transparent manner
- Only the minimal amount of data necessary should be collected
- Data should only be processed for a pre-defined purpose
- Any data collected should be accurate and precise
- There should be limits to the length of time for which data can be stored
- The integrity and confidentiality of the data must be protected
Understanding these core concepts is essential if the organisation is to properly implement GDPR and ensure that consumer data always remains secure.
3) Rights of the data subject
Some of the most significant changes introduced by GDPR are the new rights granted to data subjects. These rights include:
- Right of access
- Right of rectification
- Right to object to how their data is handled
- Right to restrict processing
- Right to erasure (right to be forgotten)
- Right to data portability
- Right to complain to a supervisory authority if they are dissatisfied with how their data is being handled
- Right to be represented by an independent, not-for-profit body when lodging a complaint
Organisations should have a thorough awareness of these rights to ensure that, when they implement GDPR, they are able to fulfil their responsibilities to data subjects if the situation arises.
4) The responsibilities of a data controller
Data controllers (organisations that oversee the collection of data) must be aware of their responsibilities under GDPR. These responsibilities include:
- Being transparent with the data subject about how their data is handled
- Ensuring that data can easily be transferred from one place to another
- Providing evidence to the data subject that they are fully GDPR-compliant
- Ensuring that they can uphold the rights of a data subject
5) The responsibilities of a data processor
Data processors (bodies that process data on behalf of a data controller) must:
- Have a pre-arranged contract with a data controller regarding the processing of data
- Ensure that the rights of the data subject are respected
- Ensure that adequate safeguards are in place to protect the integrity of sensitive data
6) Data collection under GDPR
GDPR has introduced strict procedures that must be followed to ensure that data collection is performed in a safe manner that is fair to the data subject. Companies looking to implement GDPR must be familiar with the correct forms of data collection. Some of the most critical aspects of GDPR-compliant data collection are outlined here:
The data subject should give their informed consent for their data to be collected, and they must be told precisely for what purposes their data will be used.
GDPR states that individuals under the age of 16 cannot give informed consent themselves; a parent or guardian must give consent on their behalf. However, GDPR allows individual EU member states to lower this age of consent to 13 if they wish.
There are some special cases—such as a national emergency or criminal incident—for which the above rules do not apply, and consent is not needed for data collection to take place. Employees should be aware of the particular circumstances in which these exceptions apply.
Organisations must choose the most appropriate legal basis for processing, and consider all viable options when determining which basis is best for a given situation.
7) Handling data breaches
Organisations must have robust plans in place for responding to a data breach should one occur. Every employee should be in no doubt about their role in handling a data breach, such as informing a supervisory authority of the breach or preparing breach notification letters to send to affected customers.
8) Data Protection Impact Assessment
One of the most crucial aspects of preparing for GDPR implementation is performing a Data Protection Impact Assessment (DPIA). DPIAs allow organisations to evaluate their current methods and policies and to highlight areas for improvement.
9) Employment of a Data Protection Officer
GDPR requires all large organisations to employ a data protection officer (DPO). The DPO’s roles include educating staff members on data subject rights, advising the organisation on data management and GDPR compliance, assessing the effectiveness of IT networks and data security systems, monitoring internal data compliance, and cooperating with the Lead Supervisory Authority.
10) Penalties for non-compliance with GDPR
Organisations must be careful in their implementation of GDPR to ensure that they do not accidentally overlook or violate parts of the legislation. The financial penalties are substantial: either €20 million or 4% of the company’s global annual turnover, whichever is higher. The fine depends on the nature of the breach and the organisation’s response. Furthermore, individual member states may apply the aforementioned administrative fines and may choose to impose additional punishments, including jail time.