The GDPR is based upon six core principles, and confers eight rights upon individuals in respect of their personal data.
Together, these fourteen points summarise the intent of the regulation and convey how organisations must acknowledge their duty to manage and protect the personal data of the individuals whose data they hold.
It is not unreasonable to expect every member of Human Resources, Finance, Health and Safety, and indeed, every manager or director to become familiar with all of these points.
GDPR: 6 Principles of the Regulation
There are six core principles within the GDPR. The major change from the Data Protection Act (1998) is the accountability requirement defined in Article 5(2):
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
We will explore how this is achieved in a separate post, but do not under-estimate the critical nature of this demand: it is no longer enough to comply; you must be able to prove to a regulator or a court how your organisation abides by its legal obligations in respect of the personal data for which it is responsible.
Article 5 of the GDPR requires that personal data shall be:
(1) Fair and transparent (lawfulness, fairness and transparency)
processed lawfully, fairly and in a transparent manner in relation to individuals;
(2) Legitimate and explicit (purpose limitation)
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(3) Adequate and limited (data minimisation)
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(4) Accurate and current (accuracy)
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(5) Retained no longer than necessary (storage limitation)
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(6) Secure and protected (integrity and confidentiality)
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The 8 Rights of Individuals
Under the GDPR, individuals benefit from broader rights than they had under the Data Protection Act.
(1) The right to be informed
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
(2) The right of access
Under the GDPR, individuals have the right to obtain confirmation that their data is being processed, access to their personal data, and other supplementary information. Note that this largely corresponds to the information that should be provided in a privacy notice. You must respond without undue delay and at the latest within one month (extendable by a further two months for complex or numerous requests), normally free of charge. Because an access request is a disclosure of personal data, take reasonable steps to verify the identity of the requester before releasing anything; a request that is answered without such a check is itself a potential data breach.
(3) The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
(4) The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
(5) The right to restrict processing
Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
(6) The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The data must be provided in a structured, commonly used and machine-readable format, and the right applies only to personal data the individual has provided to you, where processing is based on consent or a contract and is carried out by automated means.
(7) The right to object
Individuals have the right to object to processing based on legitimate interests or on the performance of a task in the public interest or exercise of official authority (including profiling); to processing for direct marketing (including profiling); and to processing for purposes of scientific or historical research and statistics. An objection to direct marketing is absolute and must be honoured; for the other grounds you must stop unless you can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms.
(8) Rights in relation to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA.
We recommend watching this brief video by Stuart Room of PwC: he summarises the regulation rather well.