Keep in mind, this material is provided for your general information and is not intended to act as legal advice.
General Data Protection Regulation
What is it –
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
The Regulation includes provisions that promote accountability, so the DPC advises organisations to make an inventory of all the personal data they hold and examine it under the following questions:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties, and on what basis might you do so?
Review personal privacy rights
Data subjects have a number of rights pertaining to the way organisations collect and hold their data. These include:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
The right to access
Most of these rights are similar to those in current data protection laws, but there are some significant changes. It’s important to familiarise yourself with those changes and plan accordingly.
Communicate with staff and service users
You’re not the only one who needs to know about data subjects’ rights. When collecting personal data from staff, clients or service users, you need to inform them of their rights.
Learn about legal grounds
Organisations need to prove that they have a legal ground to process data. Most organisations currently use consent by default, but the GDPR toughens the rules for getting and keeping consent.
There are five other lawful grounds for processing data:
- A contract with the individual
- Compliance with a legal obligation
- Vital interests
- A public task
- Legitimate interests
Organisations should learn when these grounds can be sought and adjust their data collection policies appropriately.