GDPR covers the UK’s General Data Protection Regulation (UK GDPR), which was formulated from the Data Protection Act 2018. It is now the toughest privacy and security law in the world, and a breach of it can lead to heavy fines and penalties. The EU says GDPR was designed to provide greater protection and rights to individuals. It was also created to alter how businesses and other organisations can handle the information of those who interact with them.
What does personal data include?
Personal data is more than just data that is used to identify a ‘natural person’. Under the GDPR, it also includes metadata. The UK GDPR provides a non-exhaustive list of identifiers, including:
- Location data
- Online identifiers
- Political opinions
- Religious beliefs
- Trade Union membership
- Biometrics (where used for identification)
- Sex life or orientation
What are the principles of GDPR?
There is a set of seven Data Protection Principles laid out in Article 5 of the legislation. You have to follow these principles when processing personal data. The seven principles include:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
The principles are similar to the rules set out in the previous data protection laws; the only ‘new’ principle is ‘accountability’. To fully understand the key principles, head over to our Twitter page.
What are the penalties for non-compliance?
The financial implications of GDPR non-compliance are quite substantial, as you could be facing a maximum fine of 17.5 million or 4% of annual global turnover – whichever is greater.
The Information Commissioner’s Office (ICO) can also enforce:
- Warnings and reprimands
- A temporary or permanent ban on data processing
- Orders for the rectification, restriction or erasure of data
- Suspension of data transfers to third countries
- Administrative fines
The ICO determines the level of penalties by taking a number of factors into consideration. For example, the ICO will look at the nature, gravity and duration of the infringement. Other factors include:
- What was the extent of the damage in terms of the people affected?
- Was the breach intentional?
- Are there any previous instances of non-compliance?
- Has any action been taken to reduce the damage?
- Did the data controller notify the ICO, and were they cooperative?
How can I request my data from a company?
One of the benefits of GDPR for individuals is that it gives you the right to access information regarding how organisations are processing personal data.
The GDPR does not specify the exact format in which your data should be made accessible to you, but it does specify that the format must be ‘machine readable’ and ‘commonly used.’ The way in which you can access your data should be made clear to you by the company or organisation when you provide them with the information. You cannot ask for data portability from third-party trackers. Information about the processing of your personal data, as well as the first copy of your data, must be provided free of charge. For further copies, the company or organisation can charge a fee that they deem reasonable, but they cannot make a profit out of it.
Where can I seek help?
That’s where we come in! Here at GDPR Defender, we provide you with everything you need to know in your journey towards compliance. After completing our 100-point initial GDPR audit, we can provide you with a list of non-compliance issues and aid you with the solutions.
To find out more, head over to our website.