The General Data Protection Regulation (GDPR) was introduced in May 2018 in response to the UK’s General Data Protection Regulation (GDPR). The GDPR replaces the 1995 Data Protection Act and sets out specific regulations surrounding data protection. The GDPR applies to all organisations with EU or national customers and applies to any type of data, including personal data, processing activities and storage.
The GDPR sets out ten key requirements that organisations must comply with to protect the personal data of EU citizens. These requirements are:
1. Lawfulness, Fairness and Transparency
Organisations must ensure that any processing of personal data is lawful, fair and transparent to the data subjects. This means that personal data must only be collected and processed in accordance with the data subject’s rights and with the explicit consent of the data subject. Furthermore, organisations must provide data subjects with clear and understandable information about how their data is being used and the purpose for which it is being collected.
2. Purpose Limitation
Organisations must ensure that the personal data they collect is only used for the specific purpose for which it was collected. This means that organisations must not process personal data for any other purpose unless the data subject explicitly consents to it. Additionally, organisations must ensure that personal data is only processed for as long as necessary for the purpose for which it was collected.
3. Data Minimisation
Organisations must ensure that personal data is collected and processed only for specified, explicit and legitimate purposes, and is not excessive in relation to those purposes. Data controllers must ensure that the data collected is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
Organisations must take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Data controllers must ensure that inaccurate or incomplete personal data is erased or corrected without delay.
5. Storage Limitation
Organisations must not keep personal data for longer than is necessary for the purposes for which it is being processed. Data controllers must take appropriate measures to ensure that personal data is securely destroyed or pseudonymised when it is no longer needed.
6. Integrity and Confidentiality
Organisations must take appropriate technical and organisational measures to ensure that personal data is protected against unauthorised or unlawful processing, accidental loss or destruction, and against any other form of unlawful processing. These measures must be proportionate to the risks posed by the processing.
Organisations must be able to demonstrate that their processing of personal data is compliant with the GDPR. Data controllers must implement appropriate measures to ensure that their processing is compliant with the GDPR and must be able to demonstrate compliance when requested.
8. Data Subjects’ Rights
Organisations must ensure that data subjects are aware of their rights under the GDPR, and must provide them with a data protection notice specifying the specific rights that the individual has. Data controllers must take appropriate steps to ensure that individuals are able to exercise their rights under the GDPR.
9. Data Security
Organisations must ensure that personal data is kept secure and confidential. This includes taking measures to protect the data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and other forms of misuse. The security measures must be appropriate to the nature and scope of the processing and the risks posed.
10. Cross-Border Data Transfers
Organisations may transfer personal data to another country as long as the data is protected in the same way as it would be in the UK. This is known as an ‘adequacy decision’. If an adequacy decision is not available, organisations must use specific measures to ensure the data is protected, such as EU-approved standard contractual clauses or Binding Corporate Rules.
The GDPR contains 10 key requirements that organisations must comply with to protect the personal data of individuals in the European Union. These requirements relate to topics such as data collection, storage, destruction, retention, and cross-border data transfers. Organisations that process the personal data of EU citizens must take these requirements into account to avoid penalties and fines.
Briefed is a firm that provides legal advice to businesses to ensure they comply with existing regulations and laws. Our barristers are highly experienced in helping companies stay compliant and achieve their business objectives. We provide guidance and support in all areas of regulation, including compliance frameworks. Contact us to find out how we can help!