General Data Protection Regulation (GDPR)

Samuel Cork

The General Data Protection Regulation (GDPR) is a law passed and put into effect by the European Union (EU) on May 25, 2018. It imposes regulations on organizations that collect data from EU citizens. Violations of this law can result in fines as high as €20 million. The law applies to any entity processing EU data, even if that entity is located outside the EU.

Image: a man writing on a stack of papers (from Unsplash).

Data Protection

The GDPR covers the personal data of EU data subjects, including how that data is processed, stored and handled.

  • Data collection and processing must be transparent: the organization explains what data is being collected, why it is being collected and any related information. Data must be collected for a valid reason and used for legitimate purposes. (Think of cookie agreements on websites: they state that data is being collected, sometimes for ads or analytics.)

  • Data should only be collected as necessary for the intended purpose, and minimized to what that purpose requires. For example, data collected for ads typically should not include information such as an ID, banking details, or a home address.


  • Personal data should be accurate and up to date.


  • Personal data in storage should only be stored for as long as necessary. When data is no longer needed, it should be removed from storage.


  • Data security must be a priority. Processed data must be protected by appropriate standards and practices so that user privacy is preserved.

  • The organization holding the data must be able to demonstrate its compliance with the GDPR standards.


Processing Data

Personal data may not be touched, altered, collected or stored in any way, shape or form without consent from the data subject. However, there are special cases where processing is permissible without consent:

  • Processing is necessary to form a contract, provided the person whose data is processed is a party to that contract.

  • A legal obligation requires the data to be processed in some form.

  • Processing is needed to save someone's life.

  • Processing is necessary to perform a task in the public interest.

  • Legitimate interest, where the data collected is strictly necessary for the intended use or task. This part of the law is something of a grey area: it is the most flexible basis but the least well defined. Processing based on legitimate interest must have a valid reason and must also be weighed against the subject's rights.


If you are not sure that legitimate interest applies, then it does not apply. If the task can be completed without processing the data, then it does not apply. If the processing may cause any harm, then it does not apply. If the subject would not reasonably expect the data to be collected, or might reasonably object to its use, then it does not apply.


Consent

Consent must be given for the collection of data. Consent is only valid if the subject has been informed about the matter and gives it freely. Children under the age of 13 may not give consent without their parents. Evidence of consent must be documented.

Consent may be withdrawn at any time, after which the data concerned must be deleted, removed, or no longer processed.


Subject Rights

Data subjects have the following rights:

  • To be informed of data collection.

  • To access their data.

  • To have their information corrected.

  • To have their data erased.

  • To restrict what is processed.

  • To obtain a copy of their own information for their own use.

  • To object to processing.

  • Rights relating to automated decision-making and profiling.




