The European General Data Protection Regulation (GDPR) sets out rules for all organizations that keep or process personal information on individuals. Here's an overview of the GDPR and how to comply with its terms.
This article does not constitute legal advice. Please consult a legal practitioner for further information.
What Does GDPR Cover?
The GDPR protects people’s right to privacy and defines personal data as information that relates to an individual, whether processed in digital form or as part of a filing system. Sensitive personal data, which receives a higher level of protection, includes race, political opinions and biometric data. Personal data can also include information relating to criminal convictions and offenses. The GDPR protects information such as a person’s name, identification number and location data, as well as online personal data such as internet protocol (IP) addresses, cookie identifiers and device fingerprints. If data tells you something about an individual, it is covered by the GDPR. That includes ‘one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. [1] If organizations are unsure whether data is personal, the Information Commissioner’s Office (ICO) recommends they:
- keep the information secure
- protect it from inappropriate disclosure
- be open about how they collect the information
- ensure they’re justified in any processing of the data. [2]
Who Is Responsible for Data Protection?
The GDPR applies to ‘controllers’ and ‘processors’. The former determines the purposes and means of handling personal data. The latter processes personal data on behalf of a controller. Processors must maintain records of personal data and processing activities and are liable for any breach of data. Controllers must ensure their contracts with processors comply with the GDPR. [3]
The Six Principles of Data Protection
Any organization handling personal information must follow the six principles of data protection. They state that personal data must be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary for the purposes for which they are processed
- accurate and up to date - organizations must take every reasonable step to ensure inaccurate personal data are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. [4]
Individuals’ Rights - and the Role of Organizations
The GDPR gives people the right to access, rectify, erase, restrict the processing of, port and object to their data, as well as rights in relation to automated decision-making and profiling. Under the GDPR, individuals have the right to be informed about the collection and use of their personal data. That means organizations must provide them with ‘privacy information’, including:
- purposes for processing their personal data
- retention periods for that personal data
- who it will be shared with
Organizations must provide privacy information to individuals at the time they collect their personal data. [5]
Why Comply?
Failure to comply with the GDPR is a criminal offense and can result in fines up to 20 million euros – or four percent of global turnover. But there are other reasons organizations should comply with the GDPR:
- sending correspondence from inaccurate or out-of-date records wastes time and money
- effective handling of information can enhance business reputation and increase customer and employee confidence
- effective information handling reduces the risk of complaints and lowers the risk of legal action
Further Information
The Information Commissioner's Office is an independent body set up to protect personal information (www.ico.org.uk).
References
[1] ICO. (2023). What is Personal Data? [online]. Available online. [Accessed 29 August 2023.]
[2] ICO. (2023). What are Identifiers and Related Factors? [online]. Available online. [Accessed 29 August 2023.]
[3] ICO. (2023). Key Definitions [online]. Available online. [Accessed 29 August 2023.]
[4] ICO. (2023). Principles [online]. Available online. [Accessed 29 August 2023.]
[5] ICO. (2023). The Right to be Informed [online]. Available online. [Accessed 29 August 2023.]