What is GDPR?

The General Data Protection Regulation is new law from the EU government. It came into practice in 2016, but it will be enforceable from 25th May 2018.  A few parts of how it is implemented can be decided by member states under a ‘directive’. For this, the UK have the Data Protection Bill, which is going through parliament.

Who does GDPR apply to?
The activities of an establishment processing personal data within the EU or processing personal data about a person (data subject) who resides in the EU.

What are the aims?
1.  To enforce accountability
2.  To update privacy laws in respect of the digital age
3.  To unify how all EU residents can expect their data to be protected

The most serious infringements will be subject to fines capped at a maximum of €20million or 4% of total worldwide turnover, whichever is the highest.

6 Key principles
Article 5 requires that the controller shall be responsible for and able to demonstrate compliance with each of the principles as follows:
1.  Lawfulness*, fairness and transparency – in relation to the data subject
2.  Purpose limitation – collected for a specified, explicit and legitimate reason
3.  Data minimisation – collect only what is necessary and relevant
4.  Accuracy – take every step to ensure data is up to date (with regard to the purpose)
5.  Storage limitation – kept in a way that identifies a person for no longer than is required
6.  Integrity and confidentiality – ensure security using appropriate measures

What are the * lawful bases for processing data?
To obtain and process personal data lawfully, at least one of the following criteria must apply:
1.  Consent
2.  Contractual requirement
3.  Legal obligation
4.  Vital interests
5.  Public interest
6. Legitimate interest

Download GDPR Resources
For more GDPR facts and guidance, download available free resources by clicking on the icons below.