Key Points and Definitions of GDPR that need to be noted

Asimah Shah
GDPR key points

Here are the key points and definitions of GDPR that need to be noted.

What is the General Data Protection Regulation (GDPR)?

The GDPR is an EU law that came into effect on 25 May 2018 and is made up of numerous articles. It was introduced to regulate data protection and privacy in Europe, and it can also apply to a business outside Europe if that business trades in Europe.

Key Definitions

Here are the key definitions under the GDPR:

Personal data — Any information that relates to an individual who can be directly or indirectly identified. For example: names, addresses (including email addresses), location information, IP addresses, ethnicity, images, video recordings, gender, biometric data, religious beliefs, web cookies, political opinions, etc.

Data processing — Any action or activity performed on data, whether automated or manual. For example: collecting, recording, organising, structuring, storing, using, erasing.

Data subject — The person whose data is processed. These are customers, employees, visitors etc.

Data controller — The person who decides why and how personal data will be processed. The controller is the decision maker and responsible for deciding why personal data will be collected and the way in which that personal data will be processed.

Data processor — A third party that processes personal data on behalf of a data controller. Data processors must process personal data on behalf of, and under the specific instructions of, the controller.

Data protection key principles

There is a requirement to comply with the GDPR’s key principles, which are central to GDPR compliance. They are:

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data only for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as is absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

When can personal data be processed?

Personal data cannot be processed unless there is a lawful basis for doing so. Under the GDPR there are six legal grounds for processing personal data, and more than one may apply:

  1. Consent: the individual has given consent for you to process their personal data for a specific purpose, such as a virtual meeting.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: you need to process personal data to comply with the law.
  4. Vital interests: you need to process personal data to protect someone’s life.
  5. Public task: you need to process personal data to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: you need to process personal data for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.


The data subject rights

Individuals whose personal data is being processed have the following rights under the GDPR:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

The above covers only the key points and definitions of the GDPR. Look out for our future blog posts, where we cover different areas of the GDPR.

Important Notice: This page is for reference purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking or deciding not to take any action. Please email us ([email protected]) if you have any questions.
