So much content has been produced about GDPR that it can be difficult for readers to see the wood for the trees.
One of the things about legislation like this is that it isn’t written in a way that’s clear and easy to understand.
I sometimes wonder if that’s deliberate; the language is intentionally ambiguous, businesses interpret it how they see fit, and then the regulator claims the interpretation isn’t the right one!
There are several terms relating to GDPR which regularly appear whenever it is discussed. To support your understanding of the subject, it helps to get familiar with these terms and what they mean.
To help you do that, here’s a glossary of GDPR terms you should know:
This occurs when Personal Data (see definition below) is changed so that individuals cannot be identified.
That makes it safer for the Data Subject (see definition below) and means the information can be used more widely, since the risk of a breach has been reduced.
Consent
This refers to the permission which must be sought – and given – to collect and process data.
With GDPR, there must be clear proof of consent provided by a Data Subject.
Data Breach
The common misconception is that data breaches involve the loss of data only.
In reality, a data breach happens when a failure in security results in the unintentional or deliberate destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Under GDPR, Data Processors have to report the breach to their Data Controller as soon as they find out about it, and Data Controllers then have obligations to report it to the Lead Supervisory Authority (see definition below) no later than 72 hours after becoming aware.
Data Controller
This is the organisation that determines the purpose and means for processing Personal Data (see definition below). So if your business collects any sort of data, you’re a Data Controller.
This means you must instruct any third party that processes data on your behalf, such as a cloud computing provider, and ensure that your contractual arrangements with that third party set out how they process the data in a compliant manner.
Note that a Data Controller can also be a Data Processor.
Data Processor
This is the organisation responsible for processing data on behalf of a controller.
For example, if you use an application like Stripe to accept credit card payments, that application is functioning as a Data Processor on your behalf.
Data Processors have to maintain records of the personal data they hold, and how it is processed.
Data Subject
A Data Subject is the individual or customer whose Personal Data has been collected and processed.
The Data Subject has to provide consent for this to happen, and has Individual Rights pertaining to how his or her data is handled and kept.
You may hear this mentioned about the wider reach of the new regulations.
It refers to the fact that the GDPR is not restricted to businesses which operate within the borders of the EU.
As well as all businesses in the EU, it applies to any businesses that serve or monitor customers resident in the EU, regardless of where those businesses are headquartered or located in the world.
For example, GDPR will apply to companies like Facebook, Amazon Web Services, Microsoft, Salesforce, Trello, Twitter and InfusionSoft, as long as they have EU residents as customers and hold their data.
Lead Supervisory Authority
Each EU country has a regulator overseeing the new GDPR.
In the UK, that is the Information Commissioner’s Office (ICO).
Individual Rights
Data Subjects have 8 Individual Rights, which are:
1. Right to be Informed
Refers to the processing information that businesses must provide as part of their privacy notification. It encourages Data Controllers to be transparent about how they use the data in their care, and the regulation sets out the specific information that must be supplied.
2. Right of Access
Refers to the rights individuals have to access their personal data.
This will be requested via a Subject Access Request, and the data is to be provided free of charge.
The data must be provided within a month of receiving the request; there is scope to extend this by a further two months if the requests are many and complex.
3. Right to Rectification
Where personal data is wrong or incomplete, individuals can ask for it to be rectified.
The data must be rectified within a month of receiving the request; there is scope to extend this by a further two months if the request is complex.
4. Right to Erasure
Also known as the Right to be Forgotten, this refers to an individual’s right to ask for their personal data to be deleted.
5. Right to Restrict Processing
Refers to an individual’s right to stop their personal data being processed.
There could be a number of reasons for such a request, such as when the accuracy of the data is in question.
6. Right to Data Portability
Refers to an individual’s right to have their data moved, copied or transferred, typically from one technical system or environment to another.
7. Right to Object
Refers to an individual’s right to object to their personal data being processed and used for direct marketing or research.
Data processing must be stopped once such an objection is received.
8. Rights related to Automated Decision Making
Refers to the provisions for profiling and automated decision-making, such as in the case of loan and credit card applications.
Personal Data
Any data that can be used to identify a Data Subject.
Includes – and is not limited to – information about name, date of birth, address, email address, bank details, medical information, social media posts, and IP addresses.
Privacy by Design
This is an approach that puts data privacy and protection front and centre of a business’s projects, systems and processes. Instead of being an afterthought, which is usually the case, Privacy by Design means organisations make data privacy and protection a priority when designing and planning projects, products, systems and processes.
Special Category Data
This includes details of race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation.
Special Category Data is more sensitive than ordinary Personal Data, and can only be collected in certain circumstances since it presents significant risks to fundamental rights and freedoms.
*Please note that this blog post does not constitute advice on the legalities of GDPR or data protection. It is for awareness and information purposes only; you remain responsible for getting independent advice and ensuring your business complies with the regulation.