What the GDPR Really Means
The GDPR has been hailed as a major change in the data protection landscape. The GDPR is about protecting people and facilitating the appropriate use of their data. The GDPR empowers us, the ‘data subjects’, to have more control over what data is stored and why it is
Practically every organisation has data protection obligations. These will vary depending on what the organisation is doing, its size, whether it is commercial or non-profit, the types or categories of personal data being collected and processed, the purposes of that processing, and the nature of the risks of misuse, disclosure or loss of data.
In the GDPR, ‘personal data’ is defined as ‘any information relating to an identified or identifiable natural person (“data subject”)’. Data protection law imposes many obligations on Controllers and, as a result, all Controllers should continually examine their data flows in order to assess whether they are processing data in a compliant manner. A Data Subject is an employee or customer who is an EU citizen.
Article 8 of the EU Charter of Fundamental Rights states that:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
3. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
4. Compliance with these rules shall be subject to control by an independent Authority.
Controller (Your company)
Article 4 of the GDPR defines a Controller as a ‘natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purpose and means of the processing of personal data’. This is a broad definition that captures a wide range of individuals and institutions – such as dentists, retailers, hotels, etc. – that store data on their PCs.
Additionally, Controllers will need to demonstrate that consent was specific, informed and freely given, and that it was unambiguously obtained on the basis of a statement or clear affirmative action (GDPR, art 4(11); recital 32; GDPR, art 7). If a Controller wishes to process the data for a separate purpose, the Controller must communicate with the Data Subject first and provide all the necessary information (GDPR, recital 61).
Data Subjects should be provided with several pieces of information.
1. The identity of the Controller.
2. The purpose of processing.
3. Notice of risks, rules, safeguards, and rights relevant to the processing of personal data.
4. How to exercise their relevant rights (these are outlined below).
Data Subjects’ Rights
1. Right of access;
2. Right to be forgotten;
3. Right to restrict processing;
4. Right to object;
5. Automated decision making and profiling.
In summary, it is important for your company to start from a position of strength by beginning its exploration of the GDPR with a careful examination of all of the company’s data. Remember, the GDPR is about respecting and honouring personal data. Lastly, becoming GDPR compliant is not an easy task and it is not something you can do overnight.
Copyright © 2017 by Enguard