
GDPR – rationale and overview – Background


In this lecture, we’re going to discuss why data protection regulation is necessary.

I’ll speak a little bit about key data protection concerns, the purpose of GDPR, and how it operates.

I’ll talk about changes from earlier data protection regulation. And, I’ll outline some of its headline features.

Why do we need data protection regulations?

So why is data protection regulation necessary? Well, since the 1980s, computers have been increasingly used to store personal information, especially about customers and staff. This personal information is usually stored in computer databases.

The personal information you’d typically find includes names, addresses, contact details, employment history, medical information and financial information. Databases do make it easy to access, search and edit personal information.

Networked computers and internet connectivity have made it easier to share personal information and as more organisations have adopted computers to store personal information, the risks and dangers of our personal information getting into the wrong hands have steadily increased.

Data protection concerns

The key data protection concerns are: who has access to this information, how accurate is the information they can access, and can personal information be stored without the individual’s knowledge or permission?

The EU wanted to streamline, update and simplify the data protection laws. They wanted to give citizens back control of their personal data. They also wanted to simplify the regulatory environment for EU-based businesses.

So how does the GDPR work?

Essentially, it establishes a set of rules that companies and organisations who process personal data must follow. This provides a level playing field across Europe. Each EU country has a supervisory authority to enforce those rules. In the UK, this is the Information Commissioner’s Office, ICO.

The GDPR hasn’t arrived out of nowhere. It’s built on the foundations of the earlier DPA regulation. If a UK organisation already complies with the DPA, then complying with the GDPR is an evolutionary rather than a revolutionary step.

Notable changes from DPA

Many of the definitions and data protection principles in the GDPR are very similar to those in the earlier DPA. There are, however, a few notable changes. Some of these changes are:

  1. Enhanced privacy notices.
  2. The amount of information that an organisation must provide to an individual has increased considerably.
  3. The time to respond to information requests has been reduced. Under the DPA, requests had to be responded to within 40 days. Now, under the GDPR, this is reduced to one month. For complex cases this can be extended further, and, unlike under the DPA, in normal circumstances a fee can no longer be charged.
  4. Personal data breach notification. In certain scenarios, the data controller must inform the ICO of a personal data breach and sometimes, even the data subjects directly.
  5. The definition of personal data has been considerably widened. This now includes online identifiers such as IP addresses, cookies, location information, plus biometric and genetic information.

Additional GDPR headline features include:

  • Organisations have to notify the supervisory authority of significant personal data breaches. The ICO must be notified within 72 hours of an organisation becoming aware of them. This is a major change.
  • The ‘right to be forgotten’. People now have the right to ask to be forgotten.
  • Increased fines, sanctions and penalties. Failure to comply, in the most serious circumstances, can result in fines of up to 4 percent of global annual turnover or up to 20 million euros, whichever is the greater.

This is a preview lecture from our online course ‘GDPR – In a Nutshell’. For the full course, please visit https://www.udemy.com/gdpr-in-a-nutshell/

Questions about this course?

Start a conversation today.
Email David Chapman chapman@chl.co.uk
