The GDPR is Europe's new framework for data protection laws – it replaces the previous 1995 data protection directive. Previous UK law was based upon this directive. The EU's GDPR website says the legislation is designed to "harmonise" data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as for businesses and bodies that handle personal information, which we'll explain in more detail later. After more than four years of discussion and negotiation, GDPR was adopted by both the European Parliament and the European Council in April 2016. The underpinning regulation and directive were published at the end of that month. After publication of GDPR in the EU Official Journal in May 2016, it will come into force on May 25, 2018. The two-year preparation period has given businesses and public bodies covered by the regulation time to prepare for the changes.
Any organisation which processes and holds the personal data of data subjects residing in the EU will be obliged to abide by the laws set out by GDPR. This applies to every organisation, regardless of whether or not they themselves reside in one of the 28 EU member states.
Much like the Data Protection Act 1998, GDPR applies to personal data. The current Data Protection Directive defines personal data as: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." However, although this definition will mostly remain unchanged, it will be slightly more detailed in that it will make clear that online identifiers, such as an IP address, will also be classed as personal data.
There are 8 fundamental rights of individuals under GDPR. These are:

The right to be informed - Organisations must be completely transparent in how they are using personal data.

The right of access - Individuals will have the right to know exactly what information is held about them and how it is processed.

The right of rectification - Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.

The right to erasure - Also known as 'the right to be forgotten', this refers to an individual's right to have their personal data deleted or removed without having to give a specific reason for wanting the processing to stop.

The right to restrict processing - Refers to an individual's right to block or suppress processing of their personal data.

The right to data portability - This allows individuals to retain and reuse their personal data for their own purposes.

The right to object - In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.

Rights related to automated decision making and profiling - The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or where it is based on automated processing.
At CheckHub, privacy is our number one priority. From the first day, we have been building CheckHub with a privacy-by-design approach. Our internal processes have been built together with GDPR-certified experts and acknowledged by our DPO (Data Protection Officer).