In the Isle of Man, we have implemented this via our Data Protection Act 2018 and the associated Data Protection (Implementation of GDPR) Order 2018
The GDPR is worth reading. It is shorter and actually quite simple to understand. You can find it, in full here.
The purpose of GDPR is to simply to protect the rights of natural persons (‘Data Subjects’) in the EU in respect of the use and processing of their ‘Personal Data’.
Personal Data includes any data relating to person – such as – name, address, images of them, email address, credit history, telephone number etc. The relevant definitions are set out in Article 4.
The legislation applies in the Isle of Man and also to any business based in the EU (Article 2) and also any business based outside the EU if they process the Personal Data of natural persons resident in the EU (Article 3).
The first step to understanding GDPR is to recognise that it is based on a set of underlying Principles (Chapter 2 – Article 5).
If you keep these Principles in mind when you are processing personal data then you are already a long way down the road to complying with the law:-
Principle 1 – Process lawfully, fairly, and in a transparent manner in relation to the data subject. (Lawfulness, Fairness and Transparency)
Principle 2 – Collect for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. (Purpose Limitation)
Principle 3 – data should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed; (Data Minimisation)
Principle 4 – data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is accurate having regard to the purposes for which they are processed, is erased or rectified without delay; (Accuracy)
Principle 5 – Data to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. (storage Limitation).
Principle 6 – Data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. (Integrity and Confidentiality)
Article 6 – is important as it sets out the conditions under which holding / processing personal data is lawful.
At least one of the following must apply…
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
You should note from condition (a) above that ‘consent’ is only one of the six legitimate reasons for holding / processing data. There are plenty of other legitimate reasons for holding / processing data that don’t require consent at all.
For example – No consent is required (b) where data is held / processed in performance of a contract, (c) where data is held / processed as required by law or (d) where data is held / processed in the data subjects or a 3rd parties vital interests.
These are important conditions as they can frequently be relied upon by businesses acting in the normal course of business for their clients.
Where data is processed on the basis of “consent” from the subject then Article 7 requires that – Consent should be express, can be revoked, must be able to be demonstrated.
The rest of Articles 8 – 99 deal with the implementation of the Principles. Most importantly they provide Data Subjects with specific rights and place specific obligations on data processors and controllers:
Chapter 3 – Articles 12-23 sets out the rights of the Data Subjects. These include the following:
Right of access by the Data Subject (Article 15)
Right to rectification by the Data Subject (Article 16)
Right of Erasure – right to be forgotten (Article 17)
Right to Object to automated decision making (Article 21)
Chapter 4 – Articles 24-43 details the Obligations placed on Controllers and Processors. These are many..but highlights are noted below:
General responsibility of a Processor (Articles 24-31)
Responsibility of Security of Processing – (Article 32)
Obligation of Communication of Data Breach to Data Subject (Article 34)
Obligation to appoint a Data Protection Officer (Articles 37-39)
The remaining parts of the regulation are comparatively uninteresting and deal with the following:
Transfers of Data to 3rd Countries (Chapter 5 – Articles 44-50),
National Supervisory Authorities (Chapter 6 – Articles 51-59)
Cooperation and Assistance between Authorities (Chapter 7 – Articles 60-76),
Remedies and Penalties (see Chapter 8 see article 83) – Yes, the horror stories are correct – the fines for non compliance are upto Euro 20m or 4% of turnover.
The law places heavy responsibilities on data processors and controllers but, overall they seem proportionate and sensible.
DISCLAIMER; THIS ARTICLE IS A GENERAL EDITORIAL COMMENTARY ONLY. IT IS NOT INTENDED TO BE AND DOES NOT CONSTITUTE LEGAL ADVICE.