
Pre-Event

Data Protection / GDPR compliance

What is GDPR?

GDPR is a new data privacy regulation adopted in 2016, the most significant and far-reaching of its kind, which applies in full from 25th May 2018. The regulation applies to a wide definition of personal data, in short "any information relating to" an individual (this includes identifiers such as name, ID numbers, phone number, online ID, mobile device ID, or one or more factors about an individual’s physical, physiological, genetic, mental, economic, cultural or social identity).

In the event of a data protection breach or other types of infringement, the European regulatory body has been given the mandate to act. For organisations – GDPR regulates every entity worldwide that provides services to and / or handles information relating to individuals in the EU – compliance is key, as non-compliance with the regulation can result in big penalties. Fines can be up to €20 million or 4% of worldwide turnover (whichever is higher).

Key Terms

The following definitions are crucial to understanding the General Data Protection Regulation.

Data Subject: An EU citizen who is alive.

Personal Data: any information relating to an identified or identifiable Data Subject; an identifiable Data Subject is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to that person.

Sensitive Data: special categories of information relating to a Data Subject, e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, sex life or sexual orientation. Broadly, any data that could expose someone to bias.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, erasure or destruction, just to name a few.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a Data Subject, in particular to analyse or predict aspects concerning that Data Subject’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Consent: any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Subject Access Request (SAR): A request, made by a natural person, to access personal data held by a controller or processor.

Data Protection Officer (DPO): a person with knowledge of data protection law and practices who assists the controller or processor to monitor internal compliance with GDPR. In Abbey’s case, it’s Ray Lowry.

Personal Data

Using the above definitions, all the values below could be considered Personal Data:

[Fig.1 Example of Personal Data]

The above list is not exhaustive, but it should give you food for thought as to the far-reaching scope of GDPR. Directly Identifiable Personal Data would be something like a unique identifier (e.g. Passport or Driving Licence No.), because these identifiers are typically linked to only one person. Indirectly Identifiable Personal Data would be data points that can be pieced together to identify the Data Subject. For example, Post Code and Date of Birth would be enough in most cases to uniquely identify an individual. In addition to direct and indirect data points, profiling or scoring derived from personal data, in itself, becomes personal data.

Sensitive Data

The reason why sensitive data is defined as sensitive is that people have been negatively targeted throughout history because of where they sit in these sensitive categories. Imagine if someone were to get hold of a database full of personal data which he or she used to send out hate mail or target people for physical violence, or worse. This is why GDPR prohibits processing of such sensitive data unless under very specific conditions and only under the obligation of professional secrecy (e.g. a doctor, a lawyer or a journalist). The conditions are:

  • The Data Subject has given explicit consent

  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights.

  • Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

  • Processing is carried out in the course of its legitimate activities with appropriate safeguards

  • Processing relates to data which is already public

  • Processing relates to legal action

  • There is substantial public interest

  • Processing relates to Medical or Social Care including public health

  • Archiving purposes in the public interest or for scientific or historical research purposes.

To comply with GDPR, organisations broadly speaking need to embed six privacy principles within their operations:

1. Lawfulness, fairness and transparency

  • Transparency: Tell the subject what data processing will be done.

  • Fair: What is processed must match up with how it has been described.

  • Lawful: Processing must meet the tests described in GDPR.

2. Purpose limitations

Personal data can only be obtained for “specified, explicit and legitimate purposes”. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent. Implied consent or opt-out are no longer acceptable under GDPR.

3. Data minimisation 

Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. In other words, no more than the minimum amount of data needed for the specific processing should be kept. The excuse “I might need it later” is also no longer acceptable under GDPR.

4. Accuracy

Data must be “accurate and where necessary kept up to date”. Keeping an accurate baseline of the data held provides good protection for the subject and protection against identity theft. Data holders should build processes that keep the data subject’s rights in mind into their data management and archiving activities for subject data.

5. Storage limitations

The regulator expects personal data to be “kept in a form which permits identification of data subjects for no longer than necessary”. In summary, data no longer required should be removed; defined retention periods are key.

6. Integrity and confidentiality

Requires processors to handle data “in a manner ensuring appropriate security of the personal data, including protection against unlawful processing or accidental loss, destruction or damage”.