The GDPR (General Data Protection Regulations) is a large and often times confusing document written with a lot of legal jargon. This is understandable because it has to capture the regulating of companies of all shapes and sizes and all manner of possible scenarios.
But this doesn’t bring comfort to the business owner or operator who needs clear actionable guidance on a real world problem. In this guide, we seek to address this. We have taken the important points from the text, explained them in clear English and given actionable insights.
We hope that this guide can answer some of your questions and gives you some tangible advice. If we have failed address your question directly – we’d love to hear from you – we’re seen it all so hopefully we’ll be able to help!
These principles form the building blocks of the GDPR regime. They don’t give hard & fast rules but embody the spirit of GDPR. When building a Privacy Program, these concepts should be referred to for best practices.
The GDPR lays out seven key Principles:
1. Lawfulness, Fairness & Transparency
2. Purpose Limitation
3. Data Minimisation
5. Storage Limitation
6. Integrity & Confidentiality (security)
Lawfulness of Processing
Every business must rely on a legal basis for processing personal data. There are six legal bases laid out in the GDPR. Business can rely on a combination of bases for different parts of their business operations.
The six legal bases are:
1. Consent must be freely given, clearly distinguishable from other matters and simple to withdraw at any time.
2. Contract: the processing is necessary for a contract you have with the individual.
3. Legal Obligation: the processing is necessary for you to comply with the law
4. Vital Interests: the processing is necessary to protect someone’s life.
5. Public Task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Data Subject Rights
The GDPR sets out new rights that business now must afford to European citizens, regardless of where the business itself is located. These are:
1. The right to be informed
2. The right to access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
Controller v Processor
The GDPR sets out two key business relationships – the controller and the processor.
Whether you are a controller or processor depends on a number of issues. The key question is – who determines the purposes for which the data are processed and the means of processing?
Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.