Name: General Data Protection Regulation (GDPR) for Individuals
Rating: 4.56043956043956 (17 reviews)

Find out what the GDPR is and why it matters to individuals.

General Data Protection Regulation
What is the GDPR and why does it matter?


What is the GDPR?
It's a set of rules related to controlling and moving personal data and governs how organisations process personal data.


The GDPR unifies data privacy laws across European Union (EU) countries.


It provides organisations with guidelines on what they can and can't do with personal data.
It also gives individuals more clarity about how their data is being collected and used.


The GDPR is applicable to any citizen of the EU, and any organisation doing business with a citizen of the EU.
This means that regardless of the company's location, the GDPR will still apply.


Which of the following is an example of personal data?


Racial or ethnic origin
Political opinions
Religious or philosophical beliefs (where used for identification purposes)
Genetic data
Biometric data
Health
Sex life
Sexual orientation


Special category data includes information related to someone's:


How did Brexit affect the GDPR?


What is GDPR and why does it matter?

How can an organisation use and control your data under the GDPR?

General Data Protection Regulation
How do businesses interact with my data under GDPR?


Data Controllers and Processors
Businesses can be classified as data controllers or data processors.


A Data Controller is a natural or legal person, public authority, agency or other body who controls how and why personal data is processed.


The Controllers are the main decision-makers, they control the purposes and means of processing the personal data.


A Data Processor  is a natural or legal person, public authority, agency or other body who processes personal data on behalf of the data controller.
They rely on the instructions of the controller.


Data Processing Principles
The following Data Processing Principles must be followed under the GDPR.


Overview
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability


Lawfulness, fairness, and transparency
Personal data must be processed lawfully, fairly and transparently about individuals.
Except for special categories of personal data, which cannot be processed except under certain circumstances, personal data can only be processed for specific reasons, called the Lawful Bases for Processing.


** Limitation of purpose, data, and storage**
Personal data must be collected for specified, explicit and legitimate purposes.
It should not be processed in a way that is incompatible with these purposes.


Data minimisation
Personal data must be collected in a way which is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.


Accuracy
Every reasonable step must be taken to ensure that any personal data that is inaccurate, regarding the purposes for which it is processed, is deleted without delay.


Storage limitation
Personal data should be retained only for as long as necessary for the data's processing purposes.
Organisations must be able to justify the length of time they hold on to your data.
They may be able to keep it longer if it is in the interest of public interest archiving, scientific or historical research, or statistical purposes.


Integrity and confidentiality
Personal data must be processed securely using appropriate technical or organisational measures.
This includes protecting it against unauthorised or unlawful processing and accidental loss, destruction, or damage.


Accountability
The controller must take  responsibility for what they do with your personal data, and must have records and measures in place to demonstrate their compliance with the GDPR principles.


Your consent can be withdrawn at any time.  The organisation must make it as easy for individuals to withdraw their consent as it was to give it.
You can also withdraw your consent through any medium.
If you withdraw your consent and request that your data be deleted, the organisation is obliged to do so.


Question:
Can I withdraw my consent after I have already given the organisation permission to process my data?


Which of these are lawful bases of processing?


Which of the following statements are true under the 2021 GDPR updates?


How do businesses interact with my data under GDPR?

General Data Protection Regulation
How does the GDPR affect me?


Right to be Informed
Organizations must explain why they collect personal data, how long they keep it, and with whom they share it. This should be clear and given at the time of collection to ensure transparency and fairness.


** Right of Access**
The Right of Access allows individuals to obtain information from the controller about their processed data. This includes processing purpose, personal data categories, and data recipients. Additionally, individuals have the right to request a copy of their personal data.


** Right to Rectification**
You can request to have inaccurate data corrected or completed if it's incomplete, and this request can be made verbally or in writing. Organisations have one month to respond to your request.


** Right to Erasure**
Also known as the right to be forgotten, this means that you can ask an organisation that possesses your data to delete that data.
The right to be forgotten is not absolute, and certain conditions apply.


** Right to Restriction of Processing**
You can limit the way an organisation uses your personal data, if you are concerned about the accuracy of the data or the way it is being used.
You can also stop an organisation from deleting your data.


** Right to Data Portability**
You can access your data from an organization in a commonly used machine-readable format. You may also request the transfer of your data to another organization if technically possible. However, this only applies to data you provided to the organization and held electronically.


The UK GDPR has provisions for automated individual decision-making and profiling.
These involve decisions being made about you without people being involved.
Automated individual decision-making is when a decision is made without human involvement and through automation.
Profiling is when the automated processing evaluates certain things about an individual.
Automated individual decision-making does not always involve profiling, although it will often do.
In many circumstances, you have the right to prevent these processes taking place.
You have the right to not be subject to a decision which is solely based on automated processing, if for example it will affect your legal rights.
You also have the right to understand the decisions which are made about you via automated processing, and the possible consequences of these decisions.


Rights regarding automated individual decision-making, including profiling.


Notes on Erasure
*Let's step back a few steps, and look closer at your right to erasure *
Some reasons you may want to request your data to be deleted include:


The organisation no longer needs your data for the original reason which they collected or used it for.


You initially gave your consent to the organisation using your data, but now have withdrawn consent.


You have objected to the organisation using your data, and your interests around the data use outweigh the organisation's.


You have objected to the use of your data for direct marketing purposes.


The organisation has collected or used your data unlawfully (such as not complying with rules on data protection).


The organisation has a legal obligation to erase your data.


The data was collected for an online service while you were a child.


You should contact the organisation and let them know what personal data you want them to erase.


You can do this verbally or in writing; you don't have to talk to any particular person in the organisation to present your request.


They should delete your data, unless an exemption in data protection law applies.
They should also tell anyone else whom they shared the data with about the erasure.
They can refuse to inform the other party if it would be impossible or involve disproportionate effort.
If you ask, the organisation must tell you that they have shared your data with other organisations.
If your data has been made public online, such as through social networks, then the organisation must inform those with the responsibility of these sites to erase links or copies of the data.


New

free course

General Data Protection Regulation (GDPR) for Individuals

General Data Protection Regulation (GDPR) for Individuals Lessons

Course overview

The full course includes

Explore more

EdApp is easy to use and free for you and your team. No credit card required.