When did GDPR / Data Protection Act come into force?
25 May 2018
What does this Act cover?
A complete data protection system: as well as governing personal data covered by the GDPR, it covers all general data previously covered by the 1998 Act
What data does it relate to?
It relates to personal data
What is its aim?
Aims to create a single data protection regime for anyone doing business in the EU and to empower individuals to take control of how their data is used by third parties
Provides a right to know how a person’s data is used
What must be conducted for high risk holding of data?
An obligation to conduct data protection impact assessments for high risk holding of data
What new rights do individuals have?
New rights for individuals to have access to info on what personal data is held and to have it erased
What is data accountability?
Data Accountability – ensuring organisations can prove to the Information Commissioner's Office how they comply with the regulations
How long after a data breach must you report it?
Data breaches to be reported within 72 hours
What are the fines for data breaches under GDPR?
An increase in fines up to 4% of a company's global turnover or 20m euros (whichever is greater)
What does a data controller do?
A data processor decides how and why personal data is processed and is directly responsible for GDPR
What are the principles Article 5(1)?
Data must be:
Processed lawfully, fairly and in a transparent manner
Collected for legitimate purposes
Relevant to the purpose for which it is processed
What are the principles Article 5(2)?
The controller shall be responsible for, and be able to demonstrate compliance with, the principles
What are the 8 individual rights under GDPR? ERA RADIO
Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability (to use for their own purposes)
Right to object
Right to automated decision making and profiling
What is the Freedom of Information Act 2000?
Gives individuals the right of access to information held by public bodies
Public bodies are usually required to provide the info within 20 working days
A public body can charge to provide the info
What are the exemptions?
If contrary to GDPR
It would prejudice a criminal investigation or a person's or organisation's commercial interests
How can you ensure the security of electronic data?