General Data Protection Regulation – A beginner’s guide

Background

The General Data Protection Regulation, which became directly applicable in EU member states on 25 May 2018, was introduced in response to the privacy issues raised by a modern information society. It was designed to bring data protection law into line with modern technology and to harmonise that law across the EU.

However, while the GDPR governs the processing of personal data as a whole, member states may restrict, adapt and derogate from it in certain areas, so some national differences remain. In the UK, the GDPR is supplemented and tailored by the Data Protection Act 2018 (DPA).

It should be noted that although the Transition Period ended on 31 December 2020, the GDPR was retained in UK law (as the 'UK GDPR') and sits alongside the DPA, so in practice little has changed now that the UK has left the EU.

Who does the GDPR apply to?

The GDPR applies to both ‘controllers’ and ‘processors’.

A controller is an entity that determines the purposes and means of processing personal data. Controllers have the highest level of responsibility under the GDPR and, in addition to various other requirements, must comply, and demonstrate compliance, with all data protection principles (see below).

Controllers are also held responsible for the compliance of their processors.

A processor, on the other hand, processes personal data on behalf of a controller. Processors carry fewer obligations than controllers, but they do have specific obligations of their own, including a duty to maintain records of their processing activities.

For further information on controllers and processors and how they interact, the European Data Protection Board (EDPB) published updated guidelines on these concepts in September 2020.

What are personal data and processing?

For the purposes of the GDPR, personal data is information that relates to an identified or identifiable individual (a data subject). A person is identifiable if they “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Processing is very broadly defined under the GDPR and includes (among others) collecting, recording, organising, storing, using, disclosing and erasing personal data.

The data protection principles

The following seven principles lie at the core of the data protection regime:

  • Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation – personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In practice, this broadly means that a controller cannot use an individual’s personal data for any purposes other than those notified to the individual at the point their personal data was first collected or obtained from a third party.
  • Data minimisation – personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy – personal data must be accurate and, where necessary, kept up to date; inaccurate data should be erased or rectified without delay.
  • Storage limitation – personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Personal data may be kept for longer periods where it is processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to appropriate safeguards.
  • Integrity and confidentiality – personal data must be processed in a manner that ensures its appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • Accountability – the controller is responsible for compliance with the principles above and must be able to demonstrate that compliance.

There are very few exceptions to these principles and compliance with them is fundamental to good data protection practice.

Substantial fines of up to £17.5m or 4% of the organisation’s annual worldwide turnover (whichever is higher) may be imposed on organisations that fail to comply with these principles.

Considerations

Every organisation processes personal data to some extent and, significantly, under the GDPR controllers must not only comply with the general principles but also be able to demonstrate that compliance. It is therefore crucial that organisations understand their role and their obligations in relation to data protection.

In this regard, the Information Commissioner’s Office (ICO) maintains a detailed guide to the GDPR, which is updated monthly with links to key developments. The ICO website also has a lot of useful information relating to the GDPR.

If you have any questions on GDPR compliance, please do not hesitate to contact us by emailing [email protected].