Frequently asked questions about the GDPR and data protection
What is personal data?
The General Data Protection Regulation (GDPR) defines personal data as “any information which are related to an identified or identifiable natural person.” By using the term ‘any type of information’, it can be determined that the intention of the GDPR is to be as broad as possible. Identifiers can be a name, an identification number (e.g. national insurance number, car registration plate), location address (e.g. information from the network or service about the location of a phone or other device), an online identifier (e.g. IP address) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data may still be considered ‘personal data’ even without one of the above identifiers, e.g. if the content or subject matter is about an individual.
What is a data subject?
The UK’s Information Commissioner’s Office (ICO) defines a data subject as “the identified or identifiable living individual to whom personal data relates.” A data subject refers to any individual person who can be identified, directly or indirectly, via an identifier, such as a name, an identification number (e.g. national insurance number, car registration plate), location address (e.g. information from the network or service about the location of a phone or other device), an online identifier (e.g. IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
What does ‘processing’ of personal data include?
‘Processing’ covers a wide range of activities performed on personal data, including by both manual and automated means. It includes collecting, recording, storing, organising, structuring, analysing, modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying personal data.
What is a data controller?
A data controller can be defined as an organisation or individual which makes decisions about personal data processing activities, most notably ‘why’ (the purposes for which) and ‘how’ (the means by which) personal data is processed. Data controllers exercise overall control of the personal data being processed and are ultimately in charge of, and responsible for, the processing.
A controller can be a company or other legal entity, or an individual (e.g. sole trader or self-employed professional). However, an individual processing personal data for purely personal or household purposes is not subject to the GDPR.
What is a joint controller?
If an organisation jointly determines, with one or more other organisations, ‘why’ and ‘how’ personal data should be processed, it is a joint controller. It is important to note that joint controllers have the same or shared purposes. Controllers will not be joint controllers if they are processing the same data for different purposes. Joint controllers are required to enter into an arrangement with the other organisation/s setting out their respective responsibilities for complying with the GDPR rules. Joint controllers must also communicate the main aspects of the arrangement to the relevant data subjects.
What is a data processor?
If an organisation processes personal data purely on behalf of a data controller, it is a data processor. Data processors are typically external to data controllers and can be a company or other legal entity (e.g. partnership or public authority), or an individual (e.g. consultant). However, employees of a data controller who are fulfilling their duties are regarded as agents of the controller, not processors.
Data processors act on behalf of the relevant data controller and under their authority. In doing so, they serve the controller’s interests rather than their own. Although a processor may make its own day-to-day operational decisions, Article 29 of the GDPR specifies that it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.
It should be noted that if a data processor acts without the data controller’s instructions in such a way that it determines the purpose and means of processing, including to comply with a statutory obligation, it will be a data controller in respect of that processing and will have the same liability as a data controller.
What is the difference between GDPR recitals and articles?
The GDPR contains 99 articles and 173 recitals, but what is the difference between these 2 components? The articles represent the legal requirements which an organisation must meet in order to demonstrate compliance with the Regulation. The recitals, on the other hand, provide supporting information and further guidance to supplement the articles. Organisations can use the recitals, for example, to learn more about how to comply with the GDPR.
What is a privacy notice?
A privacy notice is an external statement which informs data subjects how and why their personal data will be processed and is a key document in satisfying the transparency requirements of the GDPR (see Lawfulness, Fairness and Transparency Principle). Whilst not defining a privacy notice, the GDPR does provide a minimum set of information which an organisation should include within its privacy notice. Data subjects should be provided with the organisation’s contact details and be informed of such things as:
- The type of personal data being collected
- How their personal data is collected and where from
- Why their information needs to be collect or held and the lawful basis* for doing this
- Whether personal data is passed to any third party and the reasons for doing this
- How or where their personal data is kept, how long the organisation intends to keep it for and then how it will be securely destroyed or disposed of
- Their data protection rights
- How to make a complaint to both the organisation and also to the supervisory authority
* If an organisation is relying on consent to process an individual’s information, then it should also tell the individual about their right to withdraw consent and how they can do this.
It is important to note that an organisation is required to write the privacy notice in clear and plain language and keep it concise, transparent and easily accessible and provided free of charge
What type of data breaches do the ICO need to be notified about?
If an organisation is involved in a personal data breach, one of the decisions it needs to make is whether to report it to the supervisory authority (ICO in the UK). That decision will need to be made on an assessment of the risks to the data subjects involved. Organisations need to consider both the severity and likelihood of the potential negative consequences of the breach, including the risks to the rights and freedoms of the data subjects. Recital 85 of the GDPR provides a steer on the types of negative consequences which can result from a data breach, including loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality etc. As such, organisations need to consider a range of adverse effects on individuals, which includes emotional distress, and physical and material damage. These effects need to be assessed on a case-by-case basis, looking at all relevant factors. Apart from the potential consequences, organisations should also be considering other factors, such as how easy is it to identify individuals from the data, what type of a breach is it (e.g. loss of data or disclosure), how sensitive is the data, are vulnerable individuals involved etc.
If, following a risk assessment, an organisation decides that it doesn’t need to report a breach, it needs to be able to justify this decision and document it.
If it is necessary to report a data breach to the ICO, there are various criteria which the GDPR requires an organisation to meet, including the requirement to report within 72 hours of becoming aware of a breach. Given that breach reporting is an area where organisations understandably have limited expertise and experience, this is where third party assistance from specialist organisations such as URM can be invaluable.
What are the key differences between the GDPR and the Data Protection Act 2018?
When the GDPR, as a European regulation, came into effect on 25 May 2018, all European Union member states, including the UK, were required to comply and adopt it into national law. The Regulation, however, contains a number of ‘derogations’, where EU member states have a degree of flexibility over the application of certain provisions. Any derogations implemented by a member state need to respect the ‘essence’ of data protection rights and be a proportionate and necessary measure. The Data Protection Act 2018 (DPA), which came into effect on the same date as the GDPR, tailors how the Regulation applies in the UK. The DPA, for example, provides an exemption from certain requirements of personal data protection where personal data is being processed for publication in the public interest. It also allows certain data subject rights to be ignored if compliance with these rights would significantly impact an organisation’s ability to carry out their functions when processing data for scientific, historical, statistical and archiving purposes. The DPA also sets out separate data protection rules for law enforcement authorities and extends data protection to some other areas such as national security, immigration and defence. The DPA also sets out the functions and powers of the ICO, the UK’s supervisory authority. There are some other specific differences between the GDPR and the DPA 2018, for example, the GDPR states that a child can consent to data processing at the age of 16, whilst the DPA sets the age at 13. Another specific difference centres on automated decision making or profiling. With the GDPR, data subjects have a right not to be subject to such practices, but automated decision making or profiling is permitted under the DPA, providing there are legitimate grounds for doing so and safeguards are in place to protect individual rights and freedoms.
More about GDPR
GDPR and DP Training
URM is dedicated to providing high quality, cost-effective and tailored consultancy and training in the areas of information security, data protection, business continuity and risk management.