In this article Chalmin Data Privacy set out to answer the question, ‘What does GDPR mean in simple terms?’
What is GDPR?
So, what does GDPR mean in simple terms? The General Data Protection Regulation (the EU's data protection law) builds in accountability as a principle. Accountability requires organisations to put in place appropriate technical and organisational measures, and to be able to demonstrate, when asked, what they did and how effective it was. Accountability is a familiar principle for organisations across many disciplines; it means that organisations live up to expectations (for instance in the delivery of their products and in their behaviour towards those they interact with).
Organisations, and not Data Protection Authorities, must demonstrate that they are compliant with the law. This includes:
- adequate documentation of what personal data is processed
- how, for what purpose, and for how long the data will be processed
- documented processes and procedures aimed at tackling data protection issues at an early stage, both when building information systems and when responding to a data breach
- the presence of a Data Protection Officer (if one is required) who is integrated into the organisation's planning and operations
Processing personal data
The GDPR places direct data processing obligations on businesses and organisations at an EU-wide level. Under the GDPR, an organisation can only process personal data under certain conditions, and each processing activity must rest on one of the following legal grounds:
- The consent of the individual concerned
- To satisfy a legal obligation
- A contractual obligation between you and the individual
- To protect the vital interests of the individual
- To carry out a task that is in the public interest
- For your company's legitimate interests, but only after having checked that the fundamental rights and freedoms of the individual whose data you are processing are not seriously affected. If the person's rights override your interests, you cannot process the data
Data protection legislation
Key steps you need to take to ensure compliance with data protection legislation include:
- Identify what personal data you hold
- Conduct a risk assessment of the personal data you hold and your data processing activities
- Implement appropriate technical and organisational measures to ensure data (on digital and paper files) is stored securely
- Know the legal basis you rely on (consent? contract? legitimate interest? legal obligation?) to justify your processing of personal data
- Ensure that you are only collecting the minimum amount of personal data necessary to conduct your business. Make sure that the data is accurate and is kept no longer than needed for the purpose for which it was collected
- Be transparent with your customers about the reasons for collecting their personal data, the specific uses it will be put to, and how long you need to keep it
- Establish whether or not the personal data you process falls within the special categories of (sensitive) personal data and, if it does, know what additional precautions you need to take
- Decide whether you will need to retain the services of a Data Protection Officer (DPO)
- Decide whether an EU representative under Article 27 is required (this applies to organisations not established in the EU that are nonetheless subject to the GDPR)
Chalmin Data Privacy understand that data protection is essential to an organisation's reputation and can help you conduct your business in a transparent and compliant manner. You can find their services on THE LIST or visit their website.