General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR): what is it all about?

The countdown has begun; here is a brief overview.

The GDPR is meant to protect the privacy and personal data of everyone in the EU, not only EU citizens but any natural person whose data is processed by an organisation established in the EU or offering goods and services to people in the EU. It comes into force on 25th May 2018. In the data-driven world in which organisations operate this is a crucial change: it replaces the Data Protection Directive (Directive 95/46/EC) and, with it, the regime of the UK Data Protection Act 1998 that implemented the Directive in the UK. The major changes concern how organisations process personal data in their day-to-day operations. The Article 29 Working Party (“A29WP”), the body of EU data protection authorities, has published guidance on how the GDPR is to be interpreted.

​Who does the GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’ in all types of organisations. The definitions are broadly the same as under the DPA: the controller determines how and why personal data is processed, and the processor acts on the controller’s behalf. Unlike the DPA, the GDPR places direct legal obligations on processors as well as controllers.

When does the right to data portability apply?

The right to data portability (Article 20) only applies when all of the following hold:

  • the personal data concerned was provided to the controller by the individual;
  • the processing is based on the individual’s consent or on the performance of a contract; and
  • the processing is carried out by automated means.

Consent

Valid consent must be freely given, specific, informed and unambiguous (defined in Article 4(11)), given for the data collected and for the purposes for which it is used, and it must be as easy to withdraw as to give (Article 7). For special categories of data, such as health data, consent must be explicit (Article 9). Where online services are offered directly to a child, consent must be given or authorised by the holder of parental responsibility, and the controller must make reasonable efforts to verify this (Article 8).

Data controllers must be able to demonstrate that consent was given (a recorded opt-in; pre-ticked boxes and silence do not count), and a data subject may withdraw consent at any time.

Data Controller

The majority of the changes fall on data controllers. A controller (or processor) must designate a Data Protection Officer where it is a public authority, or where its core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data (Article 37). The controller is accountable for the processing it carries out and for monitoring its impact on data subjects. The Regulation covers personal data processed wholly or partly by automated means, and manual data that forms part of a structured filing system (Article 2).

Who is the data controller?

A data controller is the individual or legal person who determines the purposes and means of processing personal information, and who is responsible for how that information is held and used, whether on computer or in structured manual files.

Data Subject

Article 10 of Directive 95/46/EC (information to be given when data is collected from the data subject; carried forward, with additional requirements, as Article 13 of the GDPR)

Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing for which the data are intended;

(c) any further information such as

  • the recipients or categories of recipients of the data;
  • whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
  • the existence of the right of access to and the right to rectify the data concerning him,

insofar as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

Penalties

Under the GDPR, organisations that infringe the Regulation (not only those that suffer a breach) can be fined up to 4% of annual global turnover or €20 million, whichever is higher (Article 83). A lower tier of up to 2% or €10 million applies to infringements such as failing to keep records, failing to notify a breach, or failing to designate a DPO where required. The GDPR will apply in the UK from 25 May 2018; the government has confirmed that the UK’s decision to leave the EU will not affect its commencement.


About the Author: Christie Ogubere

Christie Ogubere MSc, CISSP, CISM, ISO 27001 Lead Auditor is Principal Information Security Consultant at Intex IT, and has consulted for our clients as an Information Security Consultant and Trainer. Areas of expertise are ISO 27001 auditing, risk management, and penetration testing. Christie has a degree in Computer Studies and a master’s degree in Computer Forensics and System Security from the University of Greenwich.