GDPR is the most extensive business regulation to come out of the EU in many years.

Businesses must learn how to handle the GDPR efficiently and competently to secure compliance without compromising day-to-day business activities. 

Personal data is any data that can identify a person.

Examples:

  • An email can be used to identify a person.
  • A telephone number can be used to identify a person.
  • An address can be used to identify a person.
  • An IP address can be used to identify a person.
  • A national ID number can be used to identify a person.
  • A passport number can be used to identify a person.
  • A credit card number can be used to identify a person.

Data that adds to what we know about an identified person is also personal data.

  • Hobbies
  • Interests
  • Consumption
  • Behavioral patterns
  • Accent
  • Physical characteristics

Most data processed by companies could be considered personal data.

The GDPR applies to all companies, organisations, and institutions in the EU.

The GDPR also applies to any company, organisation or institution which offers goods or services to any person in the EU. This applies whether payment is involved or not.

Example

Any webshop or service selling to the EU market, whether the business is based in the US or Australia, will need to comply with the GDPR.

The GDPR applies to the processing of personal data by controllers not established in the EU if they process personal data of data subjects based in the EU.

The GDPR requires every data controller to follow the principles stated in article 5 of the GDPR.

Lawfulness, fairness, and transparency

You shall process personal data lawfully, fairly and so that the processing is transparent to the data subject.

Purpose limitation

You shall only collect personal data for specified, explicit, and legitimate purposes. You may not process these personal data in a way that is incompatible with those purposes.

Data minimisation

You shall only process personal data that are adequate, relevant and limited to what is necessary in relation to the original purposes of the processing.

Accuracy

Personal data shall be accurate and up to date. You shall make an effort to ensure that inaccurate data are erased or rectified.

Storage limitation

Personal data shall be kept no longer than is necessary for the purposes for which they were processed. Therefore, personal data should be deleted or anonymised when no longer needed for the original purpose.

Integrity and confidentiality

Personal data shall be processed securely, protecting them against unauthorised or unlawful processing. They shall also be protected against accidental loss, destruction or damage by means of appropriate technical or organisational measures.

Accountability

As a data controller, you shall be responsible for complying with these principles and be able to document this compliance.

A data controller is a business that determines the purposes and means of processing personal data.

This is an essential concept to understand as it determines your obligations concerning the GDPR.

A data processor is a business that processes personal data on behalf of the data controller.

This is an essential concept to understand as it determines your obligations concerning the GDPR.

A processor always needs to enter into a data processing agreement with the controller, as required by article 28 of the GDPR.

When you collect personal data from the data subject (the person), you must provide the person with information about why and how you will process this data. These requirements are set out in articles 13-14 of the GDPR.

In practice, you could provide this information in a privacy policy that is accessible to the person at the time the personal data are collected.

Wow. That is a big question, and it has no quick answer.

A primary requirement in the GDPR is to maintain a record of processing activities under your responsibility (article 30).

You will also need to provide this information to your data subjects in a privacy policy (articles 13 and 14).

You will need to process data according to the principles of this regulation (article 5).

You will need to enter data processing agreements with all data processors you have contracted to process data on your behalf (article 28).

You will need to carry out risk assessments of your processing activities and, based on these, implement appropriate organisational and technical measures to ensure that personal data are processed securely.

These requirements are just some of the many requirements of the GDPR.