GDPR Laws - bringing order to the messy data landscape.
In this article, I explain what GDPR is, why it matters, and the consequences for organisations that fail to comply with it.
What is GDPR?
GDPR stands for General Data Protection Regulation. It came into force across the European Union on 25 May 2018. The regulation sets out the rules that organisations such as private companies, public bodies and non-profits must follow when collecting, processing and storing personal data. In the UK, GDPR (retained after Brexit as the UK GDPR) and the Data Protection Act 2018 together form the legal basis for data protection.
Why is it important?
Now, more than ever, we are producing enormous amounts of data. To put this into perspective, below are estimates of how much activity was generated every minute in 2020:
- Google - 5.7 million searches
- Twitter - 575,000 posts
- Netflix - 452,000 hours watched
- Amazon - $283,000 spent by shoppers
- Facebook - 240,000 photos shared
In other words, these companies are collecting, processing and storing huge amounts of personal data about their users. Protecting that data matters because privacy is a basic human right.
The most notorious example of personal data being misused is the Cambridge Analytica scandal. The company obtained the data of millions of Facebook users, harvested through a third-party personality-quiz app, and used it to build psychological profiles for targeted political advertising during the 2016 US presidential election. The people whose data was harvested were never asked for their consent.
What is personal data?
Personal data is any information that, directly or indirectly, identifies a living individual. Both facts and opinions about a person can be personal data. Common examples are a person's name, home address, national insurance number, or online identifiers such as IP addresses and cookie IDs.
Identification can also happen indirectly. Hypothetically, if I unintentionally leaked that a particular customer who bought X items online can run 100m in 9.58s, I have not stated a name, but there is a very good chance I have identified the Olympic champion Usain Bolt. So even a person's physical characteristics can be personal data when they single someone out. GDPR also gives extra protection to "special category" data, such as racial or ethnic origin, political opinions, religious beliefs, health, genetic and biometric data, and sexual orientation, because its misuse can lead to bias and discrimination; processing it requires an additional condition on top of the usual lawful basis.
GDPR Details
Under GDPR, there are different parties involved:
- Data Subject - The living individual to whom the personal data relates.
- Data Controller - The organisation that decides why and how personal data is processed, including what the data processor may do with it.
- Data Processor - The organisation that processes personal data on behalf of, and on the instructions of, the data controller.
- Supervisory Authority - The regulator that enforces GDPR in the public interest. In the UK, this is the Information Commissioner's Office (ICO).
- Data Protection Officer - The individual appointed by a data controller or processor to monitor compliance and advise on data protection obligations.
- Recipient - Any person or organisation to whom the data controller discloses personal data.
The most important component of GDPR is Article 5, which sets out seven key principles for processing personal data:
- Lawfulness, fairness and transparency - Personal data must be processed on a valid lawful basis (such as consent, contract or legitimate interests), fairly, and in a way that is clear to the individual. A website asking for your consent before setting tracking cookies is a visible example of this principle in action.
- Purpose Limitation - Data must be collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes.
- Data Minimisation - The data collected must be adequate, relevant and limited to what is necessary for the purpose.
- Accuracy - Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be corrected or erased without delay.
- Storage Limitation - Data must be kept in an identifiable form for no longer than is necessary for the purpose.
- Integrity and Confidentiality - Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
- Accountability - The data controller is responsible for, and must be able to demonstrate, compliance with the principles above.
Under GDPR, the Data Subject has the following rights regarding their personal data:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability, e.g. taking your transaction history with you when switching banks.
- Right to object
- Rights in relation to automated decision making and profiling
Data Breaches
When a personal data breach occurs, the data controller must report it to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. Infringements of GDPR, including failures to report, can attract administrative fines of up to €20,000,000 or 4% of total worldwide annual turnover, whichever is higher (in the UK, up to £17.5 million or 4% of turnover).
Summary
To summarise, GDPR is the overarching regulation that governs the protection of personal data. This legislation is timely given that we live in an increasingly data-driven world, with companies learning more and more about their customers through data. It is crucial that personal data is not compromised, since privacy is a basic human right, and GDPR continues to uphold that right through its principles and the obligations it places on organisations.
Thanks for reading, and if you would like to stay up to date with more content like this, please subscribe.