9 GDPR Basics You Need to Know

Also known as the right to rectification. This part of GDPR gives people a chance to change any information an organisation may hold about them. This must be done without undue delay.

A person must be CLEARLY informed and consulted of any processing of their data and how it is being used. They must also positively opt in to ensure that they are aware of signing up. Default consent or pre-ticked boxes are not classed as consent.

If a person has gone silent or inactive for a long period of time, they will need to opt-in again. In terms of records, evidence of consent such as who, when, how and information given to data subject, must be recorded.

Formerly known as right to be forgotten. If a person wishes to be removed from a database, all information/ data linked to them must be erased. This has to be done without undue delay (up to 1 month). This includes notification to any third party who may also withhold said data. The right to erasure only applies in certain circumstances.

A person must be informed of any data endangerment that is linked to their information. They must also be kept up to date on what is happening along the course of the data handling process.

Organisations will also need to notify a Data Protection authority of any possible breaches within 72 hours of discovery. Technology will need to be in place so that these problems can be detected as soon as it happens.

Data can only be handled and processed according to the terms agreed between both parties, unless agreed otherwise. According to the ICO, ‘you have a general obligation to implement technical and organisational measures. This will show that you have considered and integrated data protection into your processing activities.’ This means that software will need to be built with GDPR in mind, which could be a difficult task for developers.

Controllers and processors can both be held responsible for negligence of data security or non-compliance. Also, separate from fines and penalties from these violations, data subjects will be given the right to claim compensation for any damage suffered as a result of violation of terms.

Complying with GDPR is not something you can pick and choose… the consequences are serious and severe. All penalties are effective, proportionate and dissuasive. They can amount to up to 4% of total annual turnover, or up to 20M euros – whichever is greater.

All data processes and actions must be visible and traceable. Data mapping is the process of identifying and understanding the data flows within an organisation. This is essential as it is a way in which organisations can assess their privacy risks. It is also an essential step for completing a data protection impact assessment (DPIA). DPIAs are mandatory for certain types of processing.

There cannot be any gaps in security from the moment data is given, to the moment ‘right to be forgotten’ is requested.