Data Secure
Understanding GDPR
Keith Grinsted
1. Lawfulness, Fairness, and Transparency
Processed lawfully, fairly and in a transparent manner in relation to individuals;

2. Purpose Limitation
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

Article 5(2) requires that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.

Who Does It Apply to?

The UK Information Commissioner's Office (ICO) defines those to whom the GDPR applies as follows:

■■ The GDPR applies to "controllers" and "processors."
■■ A controller determines the purposes and means of processing personal data.
■■ A processor is responsible for processing personal data on behalf of a controller.
■■ If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
■■ However, if you are a controller, you are not relieved of your obligations where a processor is involved—the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
■■ The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU.
■■ The GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely for personal/household activities.

What Information Is Included?

Again, the ICO refers to personal data and sensitive personal data:

Personal Data

The GDPR applies to "personal data," meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data, or online identifier, reflecting changes in technology and the way organizations collect information about people.

The GDPR applies to both automated personal data and manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymized—for example, key-coded—can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual (for example, whether the key that links the code back to the individual is still held).

Sensitive Personal Data

The GDPR refers to sensitive personal data as "special categories of personal data." The special categories specifically include genetic data and biometric data processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences is not included in the special categories, but similar extra safeguards apply to its processing.

The Rights for Individuals

One key area covered by the GDPR is the rights for individuals:

■■ The right to be informed
■■ The right of access
■■ The right to rectification
■■ The right to erasure
■■ The right to restrict processing
■■ The right to data portability
■■ The right to object
■■ The right not to be subject to automated decision making, including profiling.

What Do You Need to Do?

The UK ICO gives plenty of guidance on the GDPR and provides a simple 12-step plan for you to adopt. The key points of the plan are as follows:

1. Awareness—You should ensure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold—You should document what personal data you hold, where it came from, and who you share it with. You may need to organize an information audit.