
Legal ethical: GDPR Laws

GDPR laws - the General Data Protection Regulation

What is the General Data Protection Regulation?

In force since 25 May 2018, the GDPR is widely described as the toughest privacy and security law in the world.

How did the GDPR come about?

The GDPR is Regulation (EU) 2016/679, adopted by the European Parliament and Council in April 2016 and applicable across the EU from 25 May 2018, replacing the 1995 Data Protection Directive (95/46/EC). The need for a stronger regulation was identified based on the escalating use of cloud services to store people's personal data and the concurrent escalation in data breaches. Through the GDPR, Europe aims to signal its firm stance on data privacy and security.

What are the core principles of the GDPR?

The GDPR is a large, far-reaching and sometimes less than specific regulation, so compliance can be challenging and any brief description will not cover all aspects. However, there are ten key GDPR requirements:

  1. Lawful, fair and transparent processing You must have a lawful basis (Article 6) for processing personal data, such as consent, performance of a contract or a legitimate interest; consent is only one of these bases, and where you rely on it, it must be freely given, specific and informed. Data subjects must be aware of what personal data you are collecting and why (hence the need for a privacy notice). Transparency demands that data processing activities not be unduly detrimental, unexpected or misleading to subjects.

  2. Limitation of purpose, data and storage *Purpose limitation - You must only collect and process personal data for specific and declared purposes. *Data minimisation - You must minimise the amount of personal data you collect and process. *Storage limitation - You must delete or anonymise personal data you no longer need for those purposes.

  3. Data accuracy, integrity and confidentiality *You must ensure the data you hold about a person is accurate and complete, and if the person exercises their rights under the GDPR to contact you and advise that something is inaccurate, you must correct it. *You must implement appropriate technical and organisational measures to ensure the data you are holding or processing is secure (Article 32). There is a certification scheme with checks and controls for this, approved under Article 42, called the Europrivacy certification scheme.

  4. Data protection impact assessments (DPIAs) The GDPR mandates DPIAs for high-risk processing activities. See the Article 29 Working Party guidelines on DPIAs for specific examples of such activities. Article 35 elaborates on this as well, specifically that a DPIA is required for large-scale systematic and extensive automated processing (including profiling), large-scale processing of special categories of data or data relating to criminal convictions, and/or systematic monitoring of publicly accessible areas on a large scale.

  5. Privacy by design You must consider and integrate data protection from the earliest stages of a project and maintain it for the entire project lifecycle, with privacy-protective settings applied by default. This requirement is mandated in Articles 25 (data protection by design and by default) and 32 (security of processing).

  6. Controller–processor contracts This requirement, described in Article 28, details the stipulations that must be in contracts between data controllers and data processors. This ensures the processor only processes personal data on documented instructions from the controller, takes appropriate security measures (Article 32), engages sub-processors only with the controller's authorisation, assists with breach notification and data subject requests, and deletes or returns all personal data, at the controller's choice, when the contract ends.

  7. Data subject rights Data subjects (the individuals whose data you hold) have rights under the GDPR they may exercise: i. The right to be informed ii. The right of access iii. The right to rectification iv. The right to erasure v. The right to restrict processing vi. The right to data portability vii. The right to object viii. Rights in relation to automated decision-making, including profiling You must respond to data subjects within one month when they submit access requests about their own personal data; Article 12 allows this period to be extended by a further two months for complex or numerous requests, provided you inform the data subject of the extension within the first month.

  8. Data protection officer Articles 37 to 39 require certain organisations to appoint a data protection officer (DPO): public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data or criminal-conviction data. The DPO advises on compliance, monitors it, and is the contact point for data subjects and the supervisory authority.
  9. International data transfers Chapter V restricts transfers of personal data outside the EU/EEA to cases where the destination has an adequacy decision, where appropriate safeguards (such as standard contractual clauses or binding corporate rules) are in place, or where a specific derogation applies.
  10. Personal data breach reporting Article 33 requires a controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; processors must notify their controller without undue delay. Article 34 additionally requires notifying the affected data subjects without undue delay when the breach is likely to result in a high risk to them.

Not all requirements are mandatory for all organisations at all times (for example, there are stage gates determining when you must appoint a data protection officer, and not all organisations are involved in international transfers).
