Understanding GDPR and data protection

You have probably heard quite a lot about GDPR recently and may already be familiar with the ins and outs of GDPR and data protection. However, if you are wondering what GDPR is and why it is important for you, we are here to help. In this guide, we will cover everything you need to know about GDPR and data protection.

What is GDPR?

GDPR stands for the General Data Protection Regulation, which has transformed the way businesses process and handle our data. In May 2018, GDPR was introduced to replace the existing Data Protection Directive 95/46/EC. Within the UK, the introduction of GDPR further led to the creation of the Data Protection Act (2018), which superseded the previous 1998 Data Protection Act.

This change was brought in to help regulate how companies protect EU and UK citizens’ personal data. The EU says GDPR was designed to “harmonise” data privacy laws across all of its member countries to ensure individual consumers are provided with greater levels of protection. GDPR was also created to regulate how businesses and organisations are allowed to handle the personal information that they receive. Companies that breach the rules set out by GDPR are at risk of large fines and reputational damage.

Who does GDPR apply to?

The protection of personal data lies at the heart of GDPR. Therefore, GDPR is applicable to anyone who can be identified either directly or indirectly from data that is collected on them. This personal data could be any obviously identifiable information such as a name, physical location, email address, financial information, or a username. Alternatively, the personal data collected on an individual could be less recognisable, such as IP addresses and cookie identifiers that are used to store information about individual website users.

GDPR also takes sensitive personal data into consideration and sets out measures to ensure greater protection for these sensitive details. This includes personal data collected about racial or ethnic origin, political opinions, religious beliefs, genetic and biometric data, and medical information.

The important thing to note about personal data is that anything that allows a person to be identified can constitute personal data. Under this reasoning, even pseudonymised data that aims to hide identifying information can still fall under the definition of personal data.

As an individual, you have a right to know that your personal data is being correctly and securely handled as per GDPR.

Businesses, therefore, have a duty to protect your data. As part of their adherence to GDPR, businesses should have appointed data controllers and data processors. The data controller will be the employee within the business who is responsible for handling the data and deciding why and how personal data will be processed.

The data processor will be a third party that processes collected data on behalf of the data controller, and as per the data controller’s instructions. A data processor could be a company, another legal entity (for example a public authority), or an individual (such as a consultant).

Key Principles of GDPR and data protection

There are seven key principles of GDPR. Any company that collects, processes, stores, or handles data must do so according to these seven protection and accountability principles:

  1. Lawfulness, fairness and transparency – processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation – you must process data only for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimisation – you should collect and process only as much data as is absolutely necessary for the purposes specified.
  4. Accuracy – you must keep personal data accurate and up to date.
  5. Storage limitation – you may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality – processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability – the data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

These principles should lie at the heart of an organisation’s approach to processing personal data. Compliance with these principles will ensure that the company collecting your data is doing so in a secure and legal manner. Failure to comply with these principles may leave the non-compliant business open to substantial fines.

What are your GDPR rights?

GDPR provides you, as an individual, with a number of rights to protect your data. According to GDPR, your rights are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

Your right to be informed about the collection and use of your personal data is a key transparency requirement under GDPR.

When collecting your data, companies must also provide you with their purpose for processing your data, their retention period, and who it will be shared with. This is known as ‘privacy information’ and must be provided to you at the time of data collection, or within a reasonable period of your data being collected. In some circumstances, a company may not need to provide you with privacy information, such as if they already have the information or if providing privacy information would involve disproportionate effort.

As part of your individual rights, you also have a right to object to the processing of your personal data in certain circumstances. You have an absolute right to stop your data being used for marketing purposes, and therefore companies should provide you with the ability to object to data collection for these purposes. However, if you exercise your right to object and your request is found to be manifestly unfounded or excessive, an exemption may apply.

What is a personal data breach?

A personal data breach refers to a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Personal data breaches include breaches that occur as a result of both accidental and deliberate causes.

While companies following GDPR will be at a lower risk of personal data breaches, they can still fall victim to security breaches. If a company does experience a security breach that impacts your personal data, they are required to inform the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. If the breach is likely to result in a risk to your rights or to have a negative impact on you, the individual, then the company must also make you aware of the personal data breach.

There are a number of ways in which a breach of your personal data can take place, the most common examples being:

  • Unauthorised access by a third party
  • Deliberate or accidental action (or omission) by someone holding your data
  • Sending your personal data to an unauthorised person
  • Computing devices containing your personal data being lost or stolen
  • Alteration of your personal data without permission
  • Loss of your personal data

Depending on the type of data breached, the responsible party must inform you of the breach without undue delay and must also notify the Information Commissioner’s Office.

A data breach can have many potential negative consequences. The adverse effects that can occur following a personal data breach include emotional distress, financial loss, and physical and material damage. For example, if an online retailer is subject to a malicious security hack that targets its customer database, the stolen data could be used to commit identity fraud. This identity fraud could cause significant financial loss or emotional distress to the individuals affected as a result of their personal data being compromised.

A personal data breach can happen to any organisation that collects your data. This includes private companies such as shops and online retailers, educational institutions, medical providers including doctors and dentists, the government, and the police.

GDPR and Brexit

The United Kingdom left the European Union at the end of 31 January 2020. So what effect did leaving have on GDPR? The short and easy answer is: very little. This is because the Data Protection Act 2018 enshrines the GDPR’s requirements in law. In addition to the Data Protection Act 2018, the UK government has issued a statutory instrument, The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, which amends the original law and merges it with the requirements of GDPR. The result is a new data protection framework for the UK, handily known as UK GDPR. The good news is that there is virtually no difference between the UK GDPR and the current EU regime, so data controllers and processors should continue to comply with the requirements of EU GDPR. For readers wanting to know more about data protection post-Brexit, the ICO has published a useful guide here.

How to claim for a GDPR personal data breach

If you have been made aware of a security breach affecting your personal data, you may be able to claim compensation.

The consequences of a personal data breach can be extremely distressing. Whether your data has been accidentally or deliberately breached, you may find that the data breach results in numerous negative consequences for you.

The emotional and psychological effects of being the victim of a data breach include stress, anxiety, and distress. Further to these emotional effects, the personal data breach could have serious financial and physical consequences, such as financial loss due to credit card details being stolen, or being put in physical danger due to personal information, including your home address, being disclosed to unauthorised persons.

Ultimately, if an organisation has failed to protect your personal data, you have a right to claim compensation. Your right to claim stands regardless of whether you have suffered as a result of the data breach. The Court of Appeal has recently ruled that breaches leading to loss of control over data ought to be compensated without proof of distress or pecuniary loss.

At DRM Legal, we are here to help individuals with their GDPR and personal data breach compensation claims. Our specialist team at DRM Legal has a wealth of experience in handling sensitive legal issues and is therefore well equipped to support you with your compensation claim in a professional and sympathetic manner.

If you are concerned that you may have been a victim of a personal data violation as a result of a security breach, you can complete a claim submission form on our website. We will then review your case and let you know how we can best support you with your compensation claim. Acting as no-win-no-fee lawyers, we will ensure your compensation claim process is as stress-free as possible.

Submit your compensation claim form now.

If you have found out that your personal data has been breached by a public or private company, DRM Legal is here to help. Get in touch for advice on how to make a claim or complete our simple claim form here.

Our dedicated team is here to assist you with any questions you may have regarding personal data breaches. Please feel free to contact us if you believe that you have suffered financial loss or emotional distress as a result of a data breach within the past 6 years. If you would like to know whether you are eligible to make a compensation claim, please complete our claim enquiry form.