The General Data Protection Regulation (GDPR)

What is Personal Data?

Personal Data refers to any information relating to an identified natural person, including biometric data, genetic data, health data, and more.

Genetic Data refers to any information concerning the physiological and genetic structure of a natural person.

Biometric Data refers to any genetic information that confirms the identity of a natural person.

Health Data refers to any information concerning the state of mental or physical health, or any health care services used to manage a natural person’s health.

A Personal Data Breach refers to an accidental or illegal loss, adjustment, unauthorized communication of, or access to, personal data.

What is the General Data Protection Regulation?

The General Data Protection Regulation, or GDPR, is an essential component of EU Privacy Laws and Human Rights Laws. It is an important part of the Charter of Fundamental Rights of the European Union. This regulation governs the protection, processing, and free movement of personal data. 

The regulations cover the movement of data within the EU and from outside the EU, creating a secure, international business standard.

The regulations’ laws concern the rights of the natural persons involved, rather than a company or business as a whole. The laws extend to the movement and processing of personal data within a semi- or fully automated, or non-automated system.

There are no restrictions on the movement of personal data within unions if it concerns the protection or processing of such data.

The Principles of GDPR

Lawfulness, fairness, and transparency

This principle states that all processing or movement of personal data must abide by the laws, and allow complete, equal trust between both parties.

Purpose Limitation

Purpose limitation is a fancy way of saying, “do only what you came here to do.” This means there should be a set purpose as to why the organization is processing the personal information of the data subject/s.

The actions taken with regard to the data should only concern the purpose. The data should not be processed in any way that goes beyond the original intention.

Data Minimisation

Similar to purpose limitation, but governs the limitation of what data is taken from natural persons in the first place. Meaning that the least amount of data should be recorded in order to complete the task. If an organization doesn’t need the personal names, ages, or gender for whatever purpose it may be, it’s best to leave those questions out.

Accuracy

The principle of accuracy refers to ensuring that any personal data is up-to-date and reflects the natural persons true personal data. Using inaccurate data can be detrimental to the client as well as the organization’s intentions for the data.

Any inaccurate personal data must be updated or removed immediately.

Storage Limitation

This refers to limiting the period over which personal data is used for specific purposes. The only exceptions are for authorized archiving purposes, such as for scientific or historical research.

Integrity and Confidentiality 

This refers to an organization’s ability to securely process personal data, and ensure that no risk of damage, loss, or unauthorized access will occur.

Accountability

An organization is accountable for damage to, loss, or accidental distribution of personal data without prior consent. As well as they are accountable for any unforeseen outcomes of processing and moving such data. It is up to the organization to ensure lawful use of data and to take responsibility when this obligation is splintered.

GDPR Rights

The Right of Access to Personal Data

Article 15 confirms that access to personal data is a data subject’s right. This allows access to anything regarding the data, including the actual process used on the data and a copy of the data itself.

The Right to Rectification

At any moment, a data subject may reach out to a data controller and immediately correct any false or out-of-date personal data. This includes the ability to complete any incomplete data, or further expand on existing data.

The Right to Erasure

Originally “the right to be forgotten”, the right of erasure refers to a data subject’s right to retract or remove any personal data. There are a multitude of accepted justifications for erasure, as long as it occurs within 30 days of the personal data being received.

The Right to Restraint of Processing

This allows any data subject to reject data processing by data controllers that have justified rights to hold onto personal data. In such cases, the data controller may keep the information with them, but cannot use it.

The Right to Data Portability

This is the data subject’s right to attain personal data from a data controller. The data must come in a machine-readable format. This also covers the right to transfer the data to another data controller without issues from the original controller.