The Key Concepts Of GDPR
GDPR - The Key Concepts
Last September I wrote about 'An Introduction To GDPR'
In this, my second article, I consider the core key concepts of the new GDPR legislation, of which all businesses should be aware prior to the implementation of the new regulations on 25th May this year.
The GDPR will apply to any organisation that fits the following criteria:
- Processes personal data as a controller or processor in the EU (regardless of whether the actual processing takes place within the EU);
- Processes personal data an EU controller, even where actual processing takes place outside the EU;
- Processes personal data as a processor on behalf of a client controller subject to the GDPR even if it is based outside the EU, or the processing takes place outside the EU;
- Any organisation not established in the EU but which processes the personal data of data subjects who are EU citizens in relation to:
- Offering goods or services to them, regardless of whether such goods or services are paid for by them, or
- Monitoring their behaviour taking place within the EU.
‘One Stop Shop’
An organisation with more than one establishment within the EU could potentially deal with a single national data protection authority as its ‘lead supervisory authority’ for regulation of cross-border processing activities carried out by that organisation.
Controllers will now be responsible for (and must be able to demonstrate compliance with) the principles relating to the processing of personal data.
Data controllers must now ensure that consent is freely given, specific, informed and an unambiguous indication of the data subject’s wishes which, by a statement of affirmative action (such as physically ticking a consent box for example) signifies agreement to the processing of their personal data for a specific purpose.
For the avoidance of doubt, pre-ticked consent boxes and any reliance on implied consent will no longer be valid.
Under the GDPR there is an obligation on data controllers to ensure that all personal data stored is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Therefore, as an example, it would obviously not be appropriate for a company providing car insurance to ask its customers to provide it with details of their respective religious beliefs or sexual orientation, as this would be outside the scope of what data is necessary for the company to collect and process in relation to the product being offered.
Direct Processor Obligations
Data Processors will have strict obligations under the GDPR when processing data on behalf of controllers in relation to matters such as; data security, international data transfers and security breach notification.
The GDPR codifies new ‘adequate safeguards’ for all data transfers outside the European Economic Area by binding corporate rules, introducing standard contractual clauses and approved codes of conduct and certification mechanisms.
Such measures are intended to provide clarity and certainty as well as effectively creating a minimum standard of corporate conduct where personal data transfers are concerned.
Watch this space for further updates from me on the GDPR over the coming months…
In the meantime, feel free to contact our Corporate Team if you have any queries or concerns regarding your business’s obligations under the new legislation.