The following terms defined here will be used heavily when referring to the GDPR regulations. This will also help understand what GDPR does and does not refer to:
Personal data
- This is any information relating to a living individual (not an entity such as a company), either directly or indirectly. This can be:
  - Name, address, phone number.
  - An individual's email address (eg: [email protected]), mobile device ID, photograph of an individual, social media post, username used on a website, IP address, or data collected about the individual by Internet of Things (IoT) devices.
- Data does not have to be directly personally identifiable to still be classed as personal data.
- You must now carefully consider how you classify data, as on its own it may not directly identify someone, eg: the last 4 digits of a credit card. However, when it is combined with another piece of data (eg: a post code), an individual may be identified. Each such piece of data is therefore considered personal data.
Processing of data
- Anything that is done with personal data.
- Either manually (by hand) or automated (by a computer).
- This includes: collecting, storing, using, transferring or deleting any part of personal data.
Data Subject
- A “natural person” is the owner of their own personal data.
- This can be someone who uses your services, a customer, employee, contractor, supplier etc. Typically, a computer will hold personal data on all of these data subject types.
- Data subjects have rights with regard to any personal data held on or about them. More on this later.
- If these rights are infringed they can complain directly to the ICO.
Data controller
- A person, company or public body who determines the means and purpose of processing of personal data, ie: who has the freedom to decide what is done with the data.
- They have a duty to fulfil the rights of data subjects and obligations towards the ICO.
- These duties and obligations cannot be outsourced.
Data processor
- The person, company or public body that is processing the personal data under the instruction of the data controller, eg: a cloud service like Google, Dropbox or Amazon Web Services providing a service for your data, or an outsourced provider carrying out set tasks for you (eg: a payroll processor).
- Data processors now have more stringent obligations under the GDPR, such as:
  - Data processing agreements must be in place with their data controllers, stating exactly what they can do and what measures are in place to protect the data controller's data.
  - Processing activities must be documented.
  - Breaches must be reported, and the processor will be legally liable if found responsible for the breach.
  - Data controllers may only rely on data processors that provide sufficient security controls and GDPR compliance.
- Data processors who have legal obligations to report certain activity (eg: banks, accountants) take the role of data controllers, due to their responsibility in deciding whether data needs to be reported.
Data breach
- A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- It is important to note here that a data breach is not only considered to occur when personal data is stolen; it can also occur through unauthorised access by an employee or even the accidental loss of data.
- If this personal data gets into the wrong hands it can pose a risk to the rights and freedoms of the individual.
- Certain types of data breach have to be reported to the ICO and to the data subject concerned. More on this later.
Special categories of personal data
- Additional restrictions are placed on personal data when it fits into one of these groups:
  - Race – Race, ethnic origin.
  - Beliefs – Political opinions, religious and philosophical beliefs, trade union memberships.
  - Body – Health data (including height, weight) or genetic and biometric data when used for identification.
  - Sex – Sexual orientation, sex life.
Due to the sensitivity of the data in these categories, certain conditions apply when processing this data. More on this later.