The European Union (EU) & United Kingdom (UK) General Data Protection Regulations (GDPR)
The European Union’s General Data Protection Regulation (EU GDPR) went into effect May 2018 and has become the yardstick for basic data protection guidelines and rules for data privacy in Europe. The impact of GDPR was felt globally, as it influences processes for companies operating within European borders as well as those that operate overseas but deal with the data of European citizens.
GDPR enables a standard framework to protect personal data as well as ensure the free movement of data for standards in data privacy in Europe. The framework protects the fundamental rights of individuals and specifically their right to the protection of personal data. It lays down rules and regulations for the processing and free movement of personal data and stresses the importance of consent of data subjects. Companies must adhere to this standard set of regulations for data storage, usage, and transfer to uphold data privacy in Europe. GDPR also requires companies to periodically delete unnecessary consumer data, especially when requested directly by the customer. It also links to more detailed guidance and other resources, including ICO guidance and statutory ICO codes of practice. GDPR fines and penalties are quite high.
Before Brexit, the UK followed the EU’s GDPR framework for regulation, compliance and data privacy in Europe. In 2018, the Data Protection Act (DPA) came into effect, laying out regulations and guidelines to safeguard the privacy of individuals and ensure ethical data handling practices. In the same year, amendments were made to the Privacy and Electronic Communications Regulations (PERC) which were originally implemented in 2003. PERC follows the DPA framework but also sets specific privacy rights and standards for electronic communications.
Change in Government
On January 1, 2021, the UK left the EU. The Data Protection Act (DPA) 2018 was merged with the EU GDPR to form a new, UK-specific post-Brexit data protection regulatory framework known as UK-GDPR. The new UK GDPR is nearly identical to the EU GDPR but it’s independent UK legislation governed and enforced by the UK’s Parliaments and Assemblies. DPA 2018 addresses the areas of law enforcement, intelligence services and immigration that EU GDPR didn’t cover.
GDPR Applies to:
GDPR accords special responsibilities and legal obligations to processors. The processor will also have legal liability if they are held responsible for a breach.
GDPR accords special responsibilities and legal obligations to processors. The processor will also have legal liability if they are held responsible for a breach.
Organizations that process data within the territory/union, as well as organizations outside of the territory/union that offer products and services to consumers.
Exceptions
- Processing of personal data by an individual for a purely personal or household activity
- Processing of personal data by a competent authority for any law enforcement purposes
- Similar to Certain activities including processing covered by the Law Enforcement Directive, and processing for national security purposes
Key Definitions
Processor
GDPR accords special responsibilities and legal obligations to processors. The processor will also have legal liability if they are held responsible for a breach.
Controller
A controller has legal obligations where a processor is involved. GDPR places further obligations on controllers to ensure contracts with processors comply with the GDPR.
Personal Data
Personal data includes information relating to natural persons who can be identified, or who are identifiable, directly from the information in question or who can be indirectly identified from that information in combination with other information. It may also include special categories of personal data or criminal conviction and offense data. These are considered to be more sensitive and can only be processed in more limited circumstances. GDPR gives an exhaustive list of identifiers for a better understanding of the meaning of ‘individual’.
Key Principles of GDPR
Lawfulness, Fairness, and Transparency
Guidelines require one to provide valid grounds for collecting and using personal data. It is crucial to use data in a fair manner and refrain from processing personal data in a way that is unduly detrimental, unexpected, or misleading to the individuals concerned. The law also requires that you maintain transparency with regards to why you need the data and also ensure there is no breach of data.
Purpose Limitation
You must be specific and clear about the purpose of processing data to uphold standards of data privacy in Europe. You also need to record your data processing purpose as part of your documentation obligations and specify them in your privacy information for individuals. You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.
Accuracy
You need to ensure the personal data you hold is correct and not misleading in any way. You also need to frequently update your data, although this will depend on what you are using it for. If you discover personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible. You must carefully consider any challenges to the accuracy of personal data.
Data Minimization
It is imperative to ensure that the personal data you are processing is adequate, relevant, and limited to what is necessary. You can’t hold more data than you need. You should identify the minimum amount of personal data you need to fulfill your purpose. You need to be able to demonstrate you have appropriate processes to ensure you only collect and hold the personal data you need.
Storage limitation
There is a limitation on how long you can store data. Refrain from storing data for an extended period of time, especially when you don’t need it. You need to justify why you are storing the data. As long as you are keeping the data for public interest archiving, scientific or historical research, or statistical purposes, you can keep personal data for a longer period of time. You need to periodically review, update and erase incorrect data. Individuals also have the right to request erasure if they no longer need the data.
Accountability
This requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.
Integrity and Confidentiality (Security)
You must ensure you have appropriate security measures in place to protect the personal data you hold. There is an exhaustive list of security guidelines you must adhere to when collecting and processing personal data.
6 Lawful Bases of Processing
Consent
GDPR requires that organizations secure freely given consent by individuals to collect and process data. It also requires that organizations allow individuals to withdraw their consent to share their data.
Contract
Organizations must enter into a contract with data subjects or individuals. The contract needs to be covered on a legal basis.
Legal Obligations
Organizations must fulfill legal obligations. Organizations must document their decision to rely on this lawful basis and ensure they can justify their reasoning.
Vital Interest
Organizations must reasonably protect the person’s vital interests in another less intrusive way. You can’t rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.
Public Task
Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function, or power, and identify its statutory or common law basis.
Legitimate Interests
These can be your own interests or the interests of third parties. They can include commercial interests, individual interests, or broader societal benefits. You must balance your interests against the individuals. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests. Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required. You must include details of your legitimate interests in your privacy information.
The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.