GDPR can be confusing to understand. To help clarify it, we have created an overview that explains how GDPR works.
To understand GDPR, we first need to understand the different elements involved. The most important of these is personal data:
DATA WHICH CAN BE USED TO IDENTIFY A LIVING INDIVIDUAL
Examples of personal data are email addresses, telephone numbers, and payment information.
The definition of personal data includes data which would allow identification of a living individual when combined with other commonly available information. For example, an individual's address would be personal data, since while it may not identify them on its own, it could easily be cross-referenced with Electoral Register data to find the individual's name.
When talking about personal data, we often use the term data subject:
AN INDIVIDUAL WHO IS THE SUBJECT OF PERSONAL DATA.
The key concept of GDPR is your responsibility to data subjects whose data you control.
These responsibilities include:
- Transparent, secure, and fair processing
- Minimising the amount of personal data processed
- Ensuring the data is accurate
These responsibilities are defined by the articles in GDPR, which state specifically how data should be handled.
If you store, collect, or process personal data, then you will need to comply with GDPR. Depending on what you are doing with personal data, you will be either a Data Controller, a Data Processor, or both. These terms are defined below:
Data Controller: THE PERSON/ORGANISATION THAT DECIDES HOW AND WHY DATA IS PROCESSED
Data Processor: A PERSON/ORGANISATION THAT PROCESSES DATA ON BEHALF OF A CONTROLLER
Both controllers and processors have obligations under GDPR that they must fulfil. You should ensure that you are aware of your obligations under GDPR well before May 25th 2018, as the requirements for your organisation may be significant.
The rights of data subjects and the responsibilities of your organisation will be enforced by a Supervisory Authority, which will ensure compliance with GDPR. Your supervisory authority will depend on which country your organisation is based in; for example, in the UK this is the ICO.
Supervisory Authority: AN INDEPENDENT PUBLIC AUTHORITY ESTABLISHED BY A MEMBER STATE
The supervisory authority will ensure organisations are complying with GDPR. In cases where organisations do not comply, they will have the authority to issue fines of up to €20m or 4% of turnover.
To coordinate communication and compliance, some organisations are required to have a Data Protection Officer (DPO). The main DPO responsibilities are shown below:
Data Protection Officer:
- Monitors GDPR compliance
- Communicates with data subjects
- Communicates with supervisory authorities
Not all organisations are required to have a Data Protection Officer; however, it is recommended that you appoint someone to fulfil the role, since it will make GDPR compliance a lot easier.
To find out more about GDPR, take a look at the other articles on this site, or sign up for our GDPR mailing list to receive monthly guidance on GDPR compliance.