GDPR is coming up quick, although it’s not enforceable until 25th May 2018, businesses need to start thinking and acting on how they secure people’s data before it’s too late. Companies who suffer data leakage incidents are already being compared to what it will cost under GDPR guidelines. For example recently Tesco Bank suffered such as incident and under GDPR, they would have been fined around £1.9bn.
Getting up to speed with GDPR means understanding a number of terms, that should be known if your business is registered with the UK Data Protection Act.
GDPR Glossary of Terms
Accuracy Principle: Is where personal data must be accurate and is kept up to date and every reasonable step must be made to ensure that inaccurate information is erased or is rectified without delay.
Accountability Principle: Is where the data controller has responsibility for and must be able to demonstrate compliance with all the principles listed in this post.
Binding Corporate Rules: Personal data protection polices which are adhered to by a data controller or processor, which is established on the territory of a Member State or a set of transfers of personal data to a data controller or processor in one or more countries within a group of undertakings or group of enterprises engaged in a joint economic activity.
Data Subject: A person which is the subject of the data
Data Controller: Is the person, authority, agency or body which alone, or jointly with others, determines the purpose and means of processing the personal data of the person of interest. Where the purpose and or means of processing of data are determined by European law or the associated member state’s law.
Data Processor: Is the person, authority, agency or body which actually processes the personal data on behalf of the data controller.
Data Processing: Is any operation, or set of operations that are performed upon the personal data, or set of data, whether this is by manual or automated systems. Examples of data processing explicitly listed by the GDPR guidelines are follows:
collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasure or destruction.
Data Subject’s Consent: When information is freely given, whether its specific, informed or is the unambiguous indication of the persons wish by statement or is a clear affirmative answer. This signifies the agreement to personal data relating to them being processed.
Fairness Principle: The basis of fairness is achieved when the data controller has put in place working procedures for the person requesting the information in an effective manner for the following rights:
- Right of access to the data (to know what data is held about the individual).
- Right to rectification of the data.
- Right to erasure of the data (to be forgotten).
- Right to restriction of processing.
- Right to data portability (to be given personal data in a structured and commonly used and machine-readable format and transmit such data to another controller).
- Right to object to the processing of personal data, including profiling.
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects him/her.
Integrity and Confidentiality Principles: Where personal data must be processed using appropriate technical and business security measures, including the protection against unauthorised and unlawful processing of data and against accidental loss, destruction and or damage.
Legality Principle: Is personal data that must be processed only on the basis of one of the legal grounds that are specified by the GDPR. This means that for any personal data element which is processed, a business must be able to indicate on which of the following it is processed:
- Individual’s own consent.
- Contract with the individual.
- Complying with an existing legal obligation.
- Necessary to protect the vital interests of a person.
- Necessary for a task in the public interest or in the exercise of public authority.
- Necessary in the pursuit of the legitimate interest of the organisation or a third party.
Transparency Principle: Is when any information that the data controller for the business gives to the person requesting the information about its data processing practices. This must be concise, transparent, intelligible and provided in a an easily accessible form. The information must be provided at the most within a month from request and in writing.
The data controller can only refuse to provide this information, if it can demonstrate that it is not in a position to identify the person. If the data controller does not take appropriate action on the request, it must information the person requesting the information within a month of request, explaining the reasons.
Information should be provided free, unless the information requests are unfounded, excessive or repetitive, in which case the data controller may charge an administrative free
Personal Data: Any information that is found to be linked in any way to a person. This person is one who could be identified directly or indirectly by a number of identifiers, such as: ID number, location, online identifier, physical location, genetic, mental, economic, cultural or social identity of that person.
Profiling: Is any form of automated processing of personal information, which is being used to evaluate, analyse or predict certain personal aspects of a person.
Pseudonymisation: Is the processing of personal information so that is can no longer be linked to a specific data subject without the use of additional information. This ensures that additional information is kept separate, including the use of technical and organisation measures to ensure that nothing is linked or identifiable to the person.
Personal Data Breach: Is the breach of security, which leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Principles: Are all of the fundamental principles which are in the GDPR, which are further translated into the detailed rights for the individual and corresponding obligations for the business. Additionally, all of the principles are reinforced with the overarching Accountability principle: which means that the Data Controller for the business must follow each Data Protection principle, including being able to prove how they are putting each principle into practice.
Purpose Limitation Principle: Personal data must be collected for specific, explicit, legitimate purposes only and not for be further processed in any other way. Public interest archiving, scientific, historical, statistical research are deemed to be compatible with the initial purpose.
Minimisation Principle: Where personal data must be adequate, relevant and is limited to what is necessary in relation to the purposes for which it is processed.
Storage Limitation Principle: Where personal information must be kept in a form which permits the identification of subjects for no longer than is necessary for the processing of their data. Data must be stored for longer periods for only public interest archiving, scientific, historical or statistical research purposes.