Key Facts about the GDPR

The General Data Protection Regulation (EU) 2016/679 (GDPR) will apply from 25 May 2018, when it supersedes the UK Data Protection Act 1998.

GDPR will apply to all EU organisations, whether commercial businesses, charities or public authorities, that collect, store or process the personal data of individuals residing in the EU; this extends to non-EU citizens residing in the EU.

What rights does the GDPR give individuals?

  • Right to be informed: Organisations must be transparent about how they use personal data
  • Right of access: Individuals have the right to access their personal data
  • Right to rectification: Individuals have the right to have their personal data rectified (for example if the data is inaccurate or incomplete)
  • Right to erasure: Individuals have the ‘right to be forgotten’, meaning they have the right (except in certain circumstances, such as the exercise or defence of legal claims) to have their data deleted
  • Right to restrict processing: Individuals have the right to block or suppress processing of personal data
  • Right to data portability: Individuals have the right to obtain and reuse their personal data for their own purposes across different services
  • Right to object: Individuals have the right to object to processing of their personal data
  • Rights in relation to automated decision making and profiling: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

What qualifies as personal data?

Any information that can directly or indirectly identify a person, such as:

  • Name, address, email address, photo, IP address, location data, online behaviour (cookies), profiling and analytics data
  • Factors specific to a person’s race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data, genetic data.

Administrative fines

The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.

There are two tiers of administrative fines that can be levied:

  • Up to €10 million (roughly £8 million) or 2% of annual global turnover, whichever is higher: for example, for not keeping proper records, violating data breach notification requirements, failing to appoint a data protection officer when necessary, and more.
  • Up to €20 million (roughly £16 million) or 4% of annual global turnover, whichever is higher: for violating the basic principles for processing, ignoring data subjects’ rights, incorrectly transferring personal data, and more.
