On 25 May 2018, long-planned data protection reforms started to be enforced. The mutually agreed General Data Protection Regulation (GDPR) has now been in place for over two years and has modernised the laws that protect the personal information of individuals.
GDPR has replaced previous data protection rules across Europe that were almost two decades old, with some provisions having been drafted in the 1990s. Since then, our data-heavy lifestyles have emerged, with people routinely sharing their personal information freely online.
The new GDPR rules were designed to ‘harmonise’ data privacy laws across all of the European Union’s Member States, as well as to provide greater protection and rights to individuals. GDPR was also created to alter how businesses and other organisations can handle the information of those that interact with them.
What is GDPR?
GDPR can be considered as the world’s strongest set of data protection rules, which enhance how people can access information about them and place limits on what organisations can do with personal data.
The regulation exists as a framework for laws across the continent and replaced the previous 1995 data protection directive. Following four years of preparation and debate, GDPR was approved by the European Parliament in April 2016 and the legislation came into force across the European Union on 25 May 2018. The United Kingdom also introduced the Data Protection Act 2018, superseding the previous 1998 Data Protection Act.
What is GDPR Compliance?
Data breaches inevitably happen: information can be lost, stolen or otherwise released into the hands of people who were never intended to see it, and those people often have malicious intent.
Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners.
Who does GDPR apply to?
The purpose of GDPR is to protect personal data. This can be something obvious, such as a person’s name or location, or it can be something less immediately apparent, such as an IP address. The GDPR rules apply to all people, businesses and all other organisations.
Under GDPR rules, there are also special categories of sensitive personal data that are given greater protections. This personal data includes information about racial or ethnic origin, political opinions, religious beliefs and health information. Personal data is any piece of information that allows a person to be identified.
What are the principles?
Article 5 of the United Kingdom GDPR sets out seven key principles which lie at the heart of the general data protection regime: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
These governing principles embody the spirit of what the GDPR regime stands for and, as such, there are very limited exceptions to them.
Compliance with these seven principles is therefore a fundamental building block for good data protection practice. Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines.
Are there rights under the GDPR rules?
The UK GDPR provides the following rights for individuals:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights in relation to automated decision making and profiling.
GDPR rules will continue to work for the benefit of the United Kingdom despite the country ceasing to be a European Union member.
If you desire further information on this topic, please contact John Szepietowski or Kay Stewart at Audley Chaucer Solicitors on 01372 303444 or email us at admin@audleychaucer.com or visit our Linkedin page.