GDPR stands for General Data Protection Regulation and was brought into effect in May 2018 to replace the Data Protection Act 1998. It was drafted and passed by the European Union, and imposes strict obligations on organisations and businesses.
The main goal of GDPR is to strengthen an individual’s control and rights over their personal data, while simplifying regulation for international business.
If you process the personal data of an EU citizen, or if you offer goods or services to these individuals, then the regulation applies to you regardless of whether you are in the EU or not.
GDPR was adopted in a number of countries outside of the EU, including:
The seven principles of GDPR embody the spirit of the regulation and are the best means to understand the importance and intentions behind it. Each principle has been broken down to help further your understanding.
Articles 5(1) and 5(2) require that personal data shall be:
A data controller is the main decision-maker who is able to exercise overall control over the purposes and means of the processing of personal data. Essentially, they decide what data is collected, and how this is used.
Example: Lawyers, accountants and professional advisors are considered data controllers as they exercise professional skill and judgement over the data they receive.
A data processor, on the other hand, facilitates the data collection and provides the framework in order to execute this. They act on behalf of, and only on the instructions of, the relevant controller.
Example: Cloud storage providers.
Article 17 of the GDPR provides what is known as the ‘right to be forgotten’, that is, the right to have personal data erased.
The right only applies to data held at the time the request is received. It does not apply to data that may be created in the future. The right is not absolute and only applies in certain circumstances. For example, meeting one of the following criteria would provide a basis on which a company must comply and erase the data:
However, there is a caveat to this. Companies can reject a request for erasure if they have a legal basis for retaining the data, for example if it is required in the interest of protecting public health or safety.
Individuals are able to request companies disclose the personal data they have collected. This helps individuals understand how and why you are using their data and allows them to ensure that this is being done lawfully.
Post-Brexit, GDPR is still enforced in the UK because it was adopted as part of the Data Protection Act 2018, which enshrines GDPR’s requirements in law.
Additionally, the UK government introduced a statutory instrument known as ‘The Data Protection, Privacy and Electronic Communications Regulations 2019’. This instrument creates a new data protection framework, now known as the UK GDPR, which is in practice no different from the EU GDPR. It is safe to say, therefore, that Brexit didn’t change anything in terms of compliance with GDPR.