GDPR DATA PROTECTION (1)
Come 25th May 2018 the new General Data Protection Regulation (GDPR) will come into effect. As the GDPR is a European regulation, as opposed to a directive, there is no need for member states to enact legislation to give effect to it. The GDPR is directly effective.
The first question to address is what DATA does the GDPR protect? Personal data and sensitive data come under the ambit of the General Data Protection Regulation.
DATA means information in a form which can be processed. It includes both automated and manual data.
PERSONAL DATA is data relating to a living individual who is or can be identified from the data, either on its own or in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This is clearly an extremely broad definition.
SENSITIVE DATA relates to specific categories of data concerning a person's racial origin, political opinions, religious or other beliefs, physical or mental health, sexual life, criminal convictions or the alleged commission of an offence, or trade union membership. An individual has additional rights in relation to the processing of sensitive data.
GDPR applies to both Data Controllers and Data Processors.
Who is a Data Controller?
A Data Controller keeps or processes any information about living people. All data controllers must comply with the rules about how they collect and use personal information. Some must register annually with the Data Protection
Who is a Data Processor?
If you hold or process personal data but do not exercise responsibility for or control over that personal data, you are a data processor. Data processors have limited responsibilities under the GDPR. Examples of Data Processors are payroll companies and cloud providers. If their data controller must register with the commissioner, then they must also register. The primary obligation of the data processor is to keep personal data secure.
Responsibilities of a Data Controller
The 8 rules
1. Obtain and process information fairly.
2. Keep it only for one or more specified, explicit and lawful purposes
3. Use and disclose it only in ways compatible with these purposes
4. Keep it safe and secure
5. Keep it accurate, complete and up to date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it for no longer than is necessary
8. Give a copy to the individual on request