The GDPR came into effect on 25 May 2018. To help, we've put together a quick guide to the terms you will meet as you navigate these complicated waters.
Data Subject: The natural person the personal data relates to, and the only person who "owns" it. If we hold a database of personal data we do not own the data; we own the platform that processes it.
Personal Data: Is "any information relating to an identified or identifiable natural person."
Controller: Is the entity who "determines the purposes and means of processing personal data."
Processor: Is the entity which processes personal data "on behalf of the controller", acting only on the controller's documented instructions.
Data Processor Agreement: Is the written contract between a controller and a processor. It sets out the subject matter, duration, nature and purpose of the processing, records the controller's instructions, and obliges the processor to keep the data secure, to assist the controller with data subject requests, and to delete or return the data when the processing ends.
Processing: "any operation or set of operations which is performed on personal data", including collecting, storing, reading, disclosing and deleting it. Even a printout left on a desk where others can read it is processing, because storage and disclosure are operations on the data.
Processing: Has 6 legal bases (lawful bases). At least one must apply to every processing activity, and it should be chosen and documented before the processing starts.
- Consent : "a clear affirmative action" which must be "freely given, specific, informed and unambiguous", and which the data subject can withdraw at any time.
- Legitimate interest : where "our legitimate business interests are balanced with the interests, rights and freedoms of natural persons", and are not overridden by them.
- Contract : where "processing is necessary for the performance of a contract" with the data subject, or to take steps at their request before entering into one.
There are 3 more, which we will not be relying on for IDGC business purposes, but they are:
- Compliance with a legal obligation
- Protection of vital interests
- Acting in the public interest or under official public authority
Security of Processing: Both controller and processor must, taking into account the "state of the art" and the cost of implementation, implement "technical and organisational measures" appropriate to the risk. The regulation's own examples are pseudonymisation and encryption of personal data, the ability to restore availability and access after an incident, and regular testing of the effectiveness of those measures.
Third Countries: Relates to cross-border transfers of personal data outside the EEA, where the controller has to make sure the data remains protected to an equivalent standard. The European Commission confers "adequacy status" on countries it judges to offer adequate protection, and transfers to those countries need no further safeguard. For any other country, the entity that receives the data must be bound by appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs).
Subject Access Requests (SARs): Data subjects' requests for information on the data we hold about them, together with related requests such as rectification or erasure. We must respond without undue delay and in any event within 1 month; this can be extended by a further 2 months for complex or numerous requests, provided we tell the data subject within the first month. Before disclosing anything, verify the requester's identity, since answering a SAR to the wrong person is itself a data breach.