Under the legislation, there are several key requirements that relate directly to the data companies hold and the rights of the individual. Some differ from the current directive, while others expand on it.
What data falls under GDPR?
The GDPR is designed to protect the rights of EU citizens whose data is held by organisations. Under the legislation, private data is any data that can be used to identify an individual.
The legislation offers quite clear guidelines on what this constitutes. Simple things such as names, addresses, and photos – information that you would expect to find on a CV – all constitute personal data.
More confidential data such as bank details, medical records and IP addresses are also covered, as are slightly more esoteric data sets such as social media posts and browsing activity.
These are all items that would conceivably be held by most organisations and across different departments. Human resources holds CVs and medical information, accounts holds bank details, and marketing holds an array of data on existing and prospective clients.
To expand on the above, consider the following: When an individual makes a purchase from a website, they leave payment and billing information. This information can be used for future purchases or follow-on services. This data falls under GDPR.
Similarly, someone visiting the site may be subject to GDPR without actually making a purchase. Information gathered, whether it exists online (IP address, browsing history) or in the real world (home address, vehicle registration), falls under the legislation.
A further obligation to comply with GDPR arises when the entity holding the data, i.e. the company (known as the controller in GDPR), passes this data to a vendor or third party (known as the processor) for processing. Both organisations are obliged to exercise due diligence themselves and to ensure that the other party does so as well.
Given the importance of this activity to the organisation, this data must be managed under GDPR.
Data rights of the individual
The GDPR stipulates several rights for individuals and the data held about them by organisations. The legislation makes organisations far more accountable and gives control of the data back to the individual. Companies need to be aware.
Right to Access: Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
Right to be forgotten: The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Privacy by design: At its core, privacy by design calls for the inclusion of data protection from the outset of system design, rather than as a later addition. More specifically - 'the controller shall...implement appropriate technical and organisational measures...in an effective way... to meet the requirements of this Regulation and protect the rights of data subjects'.