Understanding the General Data Protection Regulation
Contents: Introduction; Controllers and processors; Personal data; Sensitive personal data; Data protec...
Accountability governance requirements; Records; Data protection assessment; Data protection offic...
Introduction

UK data protection law will change on 25 May 2018, when the EU General Dat...
It is divided into five sections: (i) Terminology and principles; (ii) Individual rights; (iii) Accountability and governan...
Terminology and principles
Controllers and processors

- A controller says how and why personal data is processed and
- A processor acts on the ...
most organisations the change to the definition should make little practical difference.

Sensitive personal data

The GDPR ...
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible wi...
- Necessity for either  - the performance of a contract  or entering a contract  with the data subject - the protection of...
- The protection of the vital interests of a data subject or another individual where they are physically or legally inca...
Consent Obtaining consent becomes more onerous under GDPR so remember that other fair processing conditions do exist. Alwa...
Individual rights
In summary, the GDPR provides individuals with the rights to:
- be informed
- access
- rectification
- erasure
- restrict p...
What information must be supplied | Data obtained directly from data subject | Data not obtained directly from data sub...
The legitimate interests of the controller or third party, where applicable
Categories of personal data
Any recipient or c...
The existence of each of the data subject's rights
The right to withdraw consent at any time, where relevant
The right to lo...
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequen...
The information should be provided either at the time the data are obtained or within a reasonable period of having obtain...
for collecting the data, the legal basis for collecting the data, how it will be stored and the individual's rights. Inf...
If you process a large quantity of information about an individual you are permitted to ask what information the request r...
The right to erasure (the right to be forgotten)

An individual can request the deletion or removal of personal data ...
If you have disclosed the personal data in question to third parties, you must normally inform them about the erasure of p...
You must inform individuals when you decide to lift a restriction on processing.

The right to data portability

This right ...
other rights covered above the request has to be responded to within one month with a possible extension by two months for...
If you process personal data for direct marketing you must stop as soon as you receive an objection. There are no exemptio...
Profiling is defined as any form of automated processing intended to evaluate certain personal aspects of an individual, in partic...
- Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk...
Accountability and governance
The requirements

You will be required to demonstrate compliance with the data protection principles. You must
- Put in pl...

Records

If your organisation has more than 250 employees, you must maintain additional internal records of your processing...
- Description of the categories of individuals and categories of personal data. - Categories of recipients of personal dat...
A DPIA should contain  - A description of the processing operations and the purposes, including, where applicable, the leg...
- advise the organisation and its employees about their compliance obligations to comply with the GDPR and other data prot...
Breach notification
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauth...
- the categories and approximate number of individuals concerned  and - the categories and approximate number of personal ...
Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of...
Transfers outside the European Union
Restrictions and compliance requirements

The GDPR imposes restrictions on the transfer of personal data outside the Europe...
- standard data protection clauses in the form of template transfer clauses adopted by the Commission  - standard data pro...
specific situations. A transfer, or set of transfers, may be made where the transfer is
- made with the individual's in...
The GDPR also permits transfers in certain narrow circumstances even where none of the above derogations apply. Legal advice should be obtaine...