You are on page 1of 4

GDPR Principles

Lawful Processing
Sometimes you want to share your toys with other children, but sometimes you don’t. That’s
fine. You’re allowed to share your toys if you want to, but you don’t have to. You can keep
some toys just for yourself. If someone wants to play with your toys then they should ask you
first. If you say “yes” they are allowed to play with the toy. Of course, that only counts if you
have a real choice. If another child threatens to hit you if you don’t say “yes” then that isn’t
Sometimes other children are allowed to play with your toys without asking. For example, if
your friends are waiting in your house for you to come home to play football, it might be okay
for them to practice with your football while they’re waiting. Sometimes your parents might
give someone permission to play with one of your toys, even though you would rather they
didn’t. That might make you feel sad or cross, but the other child wouldn’t be doing anything
wrong when they played with the toy.
GDPR says that all processing of personal data must be lawful. The simplest example of lawful
processing is when someone gives you permission to process their data, but there are other
circumstances that can make your processing lawful, for example if you need to use the data
to deliver a service that the customer has bought from you, or if a court of law instructs you to
do something with the data.

Individual Rights
If you lend a toy to a friend, it’s still your toy. Your friend needs to look after your toy
properly and make sure they act fairly to you.
The following are your rights – with your toys and your data.

The right to be informed

When someone wants to borrow a toy, they must identify themselves, tell you what toy
they’re borrowing, how long they’re going to keep it, and who else they might share it with;
and they must be aware that you can ask for the toy back at any time. They should also let
you know who you can go to, to complain, if they aren’t being fair.
Similarly, with your data: If you ask a user to share their data with you, you must identify who
you are, what data you need, why you need it etc.

The right of access

If you ask someone which of your toys they’ve borrowed, they must let you know. It might
take them a little while to be 100% sure of exactly which toys of yours they’ve got, but they
must tell you within one month of you asking. If there’s a really good reason, then it might
take up to three months, but they can never take longer than that.

Similarly, with your data: If someone asks your organization what data you have about them,
you must respond within one month, or in some circumstances you may have up to 3 months.

The right to rectification

If someone borrows one of your toys they must look after it. If they damage a toy, then you
can ask them to fix it and they need to agree to that.
Similarly, with your data: If someone asks you to correct the personal data you have stored
about them then you must do so.

The right to erasure (also known as the right to be forgotten)

You can ask someone to stop using your toy at any time, and they should stop straight away,
unless they have a very good reason for carrying on. For example, if they’ve borrowed your
bike then they might need to get home first. Bottom line - they shouldn’t keep the toy after
you’ve asked them to give it back.
Similarly, with your data: If someone withdraws their consent for you to process their data, or
if the data is no longer needed for the purpose for which it was collected, then you must erase
the data. Of course you are allowed to keep the data if it’s needed to defend a legal claim or
for some other good reason like that.

The right to restrict processing

If you ask someone to stop playing with your toy, you might not want it back straight away.
You could let them keep the toy for a while, but not play with it. They still have to look after
the toy and make sure it stays safe.
Similarly, with your data: If someone asks you not to use their personal data, then you must
not use it any more. This might happen if there is a dispute about your right to use the data,
or about the accuracy of the data.

The right to data portability

If you ask someone to give your toy back, then you should be able to use it as originally
intended when you get it back. For example, it wouldn’t be fair if they borrowed your bike,
then took it apart and gave you back a box full of bike parts, would it?
Similarly, with your data: If someone asks for a portable copy of their personal data then you
must provide it to them in a commonly used, and machine readable, form.

The right to object

If you don’t like the way that someone is using your toy, then you can ask them to stop. They
must stop straight away, unless there’s a very good reason not to. For example, if they’re
using your skipping rope to save someone who is stuck in a river, then they can continue.

Similarly, with your data: If someone objects to how you’re using their personal data, then you
must stop processing it, unless you can show compelling reasons why you have to override
their rights. If you’re using the data for direct marketing, then there are no exemptions or
grounds to refuse.

Rights related to automated decision making and profiling

When you lend your toys, you need to be able to talk to a real person about what they’re
doing with them, and why. It’s not right if a computer makes all the decisions without
explaining. Let me explain…
Suppose you lend all your toys to a toy library that has a computer in charge of lending and
returns, and fining people for losing or damaging toys. The toy library must make sure that
you can talk to a person, and not just a computer, if one of your toys gets lost, or if you’re
fined unfairly for not returning a toy that you know you’ve returned. You must be able to tell
that person what you think is wrong, and they must explain what has happened.
This rule doesn’t always apply. It doesn’t apply if you make a deal with the toy library that
allows the computer to make decisions without having to talk to you about them; and it
doesn’t apply when there are laws that allow the computer to make decisions. It also doesn’t
apply to decisions that don’t have a bad effect on you - for example deciding to close the toy
library a few minutes early on a day you didn’t visit, or fining someone else.
Similarly, with your data: If you use automated processing to make decisions that affect
people, then you must make sure that they can talk to a human being about the decision and
be offered an explanation and an opportunity to challenge the decision.

Accountability and Governance

If somebody borrows your toy, then they might have to show that you gave them permission,
and that they looked after it properly. It’s not enough to ask for permission and take good
care of the toy, they must be able to prove that they did so.
Organizations need to keep good records, so they can prove that they have lawfully obtained
and processed data. It’s not enough to just show you had no breaches, and nobody

Breach Notification
If someone breaks a toy that they’ve borrowed, or loses it, then they must tell you within
three days. If they just lose it for a few minutes and then find it again, and nothing bad
happens to you because of this, then they might not need to tell you. But they must tell you
about any serious loss or damage.
They must also tell your parents (the “regulatory authority”). They must explain whose toy it
was, what damage was done, what they’re doing to make up for it, and how they’re going to
stop it from happening again.

Many organizations will find this requirement to notify the authorities, and the affected
people, within 72 hours of a data breach quite difficult. You need a well-designed and
rehearsed security incident management process. If you get this wrong, then it could be very

Transfer of Data
You’re allowed to lend your own toys to other people, but if you’ve borrowed someone else’s
toy then you can’t lend it to another person, unless you can be certain that the person you’re
lending it to will look after it just like you would.
Personal data can’t be transferred to another organization unless you ensure there are
adequate safeguards. There are further specific requirements for data being transferred
outside the EU.

National Derogations
Sometimes there are special, local, rules about lending toys. For example, one country might
have a law saying you can’t lend toy guns to people. In another country there could be a law
saying that the church can borrow religious toys without having to ask for permission.
EU governments can introduce exemptions from some of these rights, but only for specific
reasons such as national security or law enforcement.

My Conclusions
GDPR is going to have a huge impact on any organization that controls or processes personal
data. You not only have to comply with all the requirements, but you must be able to
produce records showing that you have. This regulation applies to any organization that
offers goods or services to individuals in the EU, even if they are based somewhere
completely different.
If you haven’t started planning for GDPR yet then you urgently need to get started. There is a
lot of work to do to ensure that you are compliant, and that you can show that you’re
compliant. You’ll find there are lots of “GDPR consultants” ready and willing to help you, but
do take care to review their experience before taking them on.
Remember, you can’t borrow toys without having permission (or another legitimate reason),
and you must look after them properly.