Understanding GDPR and its key principle is a great way to deepen your commercial awareness and show off your wider reading.

GDPR Explained

GDPR stands for General Data Protection Regulation and was brought into effect in May 2018 to replace the Data protection Act 1998. It was drafted and passed by the European Union, and imposes strict obligations on organisations and businesses.

The main goal of GDPR is to strengthen an individual’s control and rights over their personal data, while simplifying regulation for international business.

If you process the personal data of an EU citizen, or if you offer goods or services to these individuals, then the regulation applies to you regardless if you’re in the EU or not.

GDPR was adopted in a number of countries outside of the EU, including:

  • Turkey
  • Mauritius
  • Chile
  • Japan
  • Brazil
  • South Korea
  • South Africa
  • Argentina
  • Kenya
  • United Kingdom

The 7 Principles of GDPR

The seven principles of GDPR embody the spirit of the regulation and are the best means to understand the importance and intentions behind it. Each principle has been broken down to help further your understanding.

Article 5(1), and 5(2) requires that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner.
    • Data must be strictly processed under the guidelines set out by the GDPR.
    • You must use personal data in a way that is fair and therefore not process the data in a way that is unduly
    • detrimental, unexpected or misleading to the individuals concerned.
    • You must be clear, open and honest with people from the start about how you will use their personal data.
  2. Collected for specified, explicit, and legitimate purposes.
    • You must be clear about what your purposes for processing are from the start.
    • You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
  3. Data minimisation
    • Personal data collected must be adequate, relevant and limited to only what is necessary in relation to the purpose.
    • Data must be reviewed periodically in order to delete what is no longer needed.
  4. Accurate, and where necessary kept up to date.
    • You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.
    • You may need to keep the personal data updated, although this will depend on what you are using it for.
  5. Storage limitation
    • Personal data should not be kept for longer than required.
    • Data may be kept for longer if this falls under the public interest, scientific or historical research purposes, all subject to measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
  6. Integrity and confidentiality (security)
    • Data must be processed in a manner that ensures appropriate security, and protection against unauthorised or unlawful processing.
  7. Accountability
    • The controller is responsible for the data and must have the appropriate measures in place in order to demonstrate compliance.

Get Monthly Commercial Awareness Updates

Never miss an update with our CA newsletter

Subscribe now

What Is A Data Controller?

A data controller is the main decision-maker who is able to exercise overall control over the purposes and means of the processing of personal data. Essentially, they decide what data is collected, and how this is used.

Example: Lawyers, accountants and professional advisors are considered data controllers as they exercise professional skill and judgement over the data they receive.

What Is A Data Processor?

A data processor on the other hand facilitate the data collection and provide the framework in order to execute this. They act on behalf of and only on the instructions of the relevant controller.

Example: cloud storage providers

What Is The Right To Erasure?

Article 17 of the GDPR provides something known as the ‘right to be forgotten’, therefore the right to have personal data erased.

The right only applies to data held at the time the request is received. It does not apply to data that may be created in the future. The right is not absolute and only applies in certain circumstances. For example, meeting one of the following criteria would provide a basis of which a company must oblige and erase data:

  • The data was unlawfully collected
  • Data is no longer necessary to retain for the purposes it was original collected.
  • Data subject withdraws consent to processing on the original basis for processing.

However, there is a caveat to this. Companies can reject the right to erasure if they have a legal basis for retaining this data. For example, if it is required in the interest of protecting public health or safety.

What is a Data Subject Access Request?

Individuals are able to request companies disclose the personal data they have collected. This helps individuals understand how and why you are using their data and allows them to ensure that this is being done lawfully.

Impact of Brexit on GDPR

Post-Brexit, GDPR is still enforced in the UK because it was adopted as part of the Data Protection Act 2018, which enshrines GDPR’s requirements in law.

Additionally, the UK government introduced a statutory instrument known as ‘The Data Protection, Privacy and Electronic Communications Regulations 2019’. This document creates a new data protection framework that is now known as the UK GDPR, which is truly no different compared to the EU GDPR. It is safe to say therefore that Brexit didn’t change anything in terms of compliance with GDPR.


Loading More Content