General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the strict security and privacy law around the globe. Although GDPR was composed and passed by the European Union (EU), it imposes obligations on any organization which targets or collects data regarding EU citizens.

Here are the seven fundamental principles of UK General Data Protection Regulation at a glance:
– Data reduction
– Storage limits
– Accountability
– Transparency, fairness, and legality
– Accuracy
– Purpose limitation
– Integrity and confidentiality (security)
When processing personal data, you must implement these principles at all costs.

The principles are essential elements of UK GDPR. These principles must be set up right from the implementation of legislation and provide details for everything that follows. The principles aren’t hard and fast, but they form the fundamental grounds of data protection rule (rare exceptions exist). Complying with the objective of these principles is essential to building excellent data protection practices. It’s also mandatory to comply with detailed provisions of the UK GDPR.
Failure to follow these principles may pose heavy fines. In fact, Article 83(5)(a) states that whoever overlooks these principles will be subject to the highest tier of administrative fines – 17.5 million pounds or 4% of annual turnover, whichever is higher.

The GDPR is an EU law which enforces rules to protect personal data of people within EU. Be it inside or outside EU, GDPR effects any organization that stores or processes EU citizens’ personal data.

GDPR aims to enforce a standardized data security law on all EU members, eliminating the need for each member state to craft their own state-specific data protection regulations. This ensures that laws are consistent across the entire EU.

As per the legal definition stated in the GDPR legislature, ‘personal data’ refers to details about an identifiable person, which is also known as a data subject.
It includes information that can be used alone or with other datasets to identify someone. Several data attributes include name, address, cultural details, IP addresses, ID or passport number, financial info, or medical data used by healthcare experts or institutes.
There are several special datasets you can’t process or store, including sexual orientation, ethnicity, race, religious ideologies, political beliefs of membership, and health data (unless due to explicit concern or wide public interest)

Data subjects have the following rights under GDPR which are protected using strict measures:
– Children data collection: parental consent is required until children reach 13-16 years old.
– Data portability and access: Data subjects must be able to access all details about their data as stored by the Data Controller. This includes information relating to know-hows, processing and sending details.
– Correcting and objecting data: : Data subjects have the right to change incorrect or incomplete data, and the Data controller must inform of all the changes. They also have the right to control the use of their data, and Data Controllers must comply with the objections unless they have legal grounds that undermine the data subject’s interest.
– Erasure right: Data subjects can ask the controller to erase their personal data. However, organizations must retain the data due to legal compliances or public interest issues, especially in the case of scientific or historical research.
– Automated decision-making: Data subjects have the right to know about any automated decision based on their private information, contest the automated decision, or request a person’s review of the decision.- Breaches alert: In case the personal data, under the due care of the Data Controller, is exposed to unauthorized parties, the controller must inform the relevant EU data protection authority within 72 hours and even inform individual data subjects in some instances.
– Data transfer outside EU: In case the data is transferred outside the EU, the Data controller must ensure that appropriate measures are in place to protect the data and rights of the data subject.

The organization, if under GDPR, must respond to a data subject’s request regarding personal data within a month. GDPR provisions give consumers the right to ask companies for their data held in the database.

Following are the seven key steps to comply with GDPR provisions:
– Hire a Data Protection Officer (if needed)
– Information audit
– Review GDPR
– Set-up processes
– Establish documentation
– Determine the legal basis for processing data
– Deploy policies and training”

What is a personal data breach? A personal data breach refers to a security breach causing accidental or unlawful destruction, alteration, loss, or illegal disclosure of, or access to, personal data. This includes breaches occurring due to both accidental and deliberate factors.

Anonymous information isn’t covered under GDPR regulations. However, if the information of a specific individual is inaccurate, factually incorrect, or disguised (i.e., relating to someone else), it’s still a personal data and must be protected.