Learn about how the GDPR affects you.
What is the GDPR? The General Data Protection Regulation (GDPR) is the set of rules governing the collection, use and movement of personal data. It sets out how organisations may process personal data and what rights individuals have over data about them.
Which of the following is an example of personal data? Select all correct answers.
What is special category data? This is personal data which needs more protection because it is sensitive. Processing of this data is prohibited unless one of a limited set of conditions applies. To process data of this type, an organisation needs both a lawful basis for the processing and one of those specific conditions. Special category data includes data related to someone's:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data (where used to uniquely identify a person)
Health
Sex life
Sexual orientation
Data Processing principles The following Data Processing principles must be followed under the GDPR:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
Let's look at the first in more detail...
Lawfulness, fairness and transparency Personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals. Personal data can only be processed for specific reasons recognised by the GDPR, which are called the Lawful Bases for Processing. Special categories of personal data require, in addition, one of the specific conditions that permit their processing.
**Purpose limitation** Personal data must be collected for specified, explicit and legitimate purposes. It must not be further processed in a way which is incompatible with those purposes.
Data minimisation Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Collect only what is needed for the stated purpose.
Accuracy Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or corrected without delay.
Storage limitation Personal data should be retained only for as long as is necessary for the purposes for which it was processed. Organisations must be able to justify the length of time they hold on to your data. They may be able to keep it for longer if it is held solely for public interest archiving, scientific or historical research, or statistical purposes.
Integrity and confidentiality Personal data must be processed in a secure way, using appropriate technical or organisational measures. This includes protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Accountability The controller must take responsibility for what it does with your personal data, and must have records and measures in place to demonstrate its compliance with the GDPR principles.
Can I withdraw my consent after I have already given the organisation permission to process my data? Your consent can be withdrawn at any time. The organisation must make it as easy for individuals to withdraw their consent as it was to give it, and you should be able to withdraw it through the same medium you used to give it. Withdrawing consent does not make the processing that already took place unlawful, but the organisation must stop processing from that point on unless it has another lawful basis. If consent was its only basis and you request that your data be deleted, the organisation is obliged to do so.
Which of these are lawful bases of processing? (Legal reasons data can be processed) Select the three correct answers.
Right to be informed Any processing of personal data should be lawful, fair, and transparent. An organisation must inform you when it is using your personal data, why it is using it, how long it will keep it and with whom it will be shared. This privacy information should be given to you at the time the organisation begins collecting your data, and it should be written in a transparent, easily accessible, and simple way.
**Right of access** Individuals have the right to obtain confirmation from the controller that their data is being processed, and information about that processing. This includes the purpose of the processing, the categories of personal data concerned and who receives their data. You also have the right to request a copy of your personal data.
**Right to rectification** You can request to have inaccurate data corrected, or completed if it is incomplete, and this request can be made verbally or in writing. Organisations have one month to respond to your request; this can be extended by a further two months if the request is complex, provided they tell you within the first month.
**Right to erasure** Also known as the right to be forgotten, this means that you can ask an organisation that holds your data to delete it. The right to be forgotten is not absolute: it only applies in certain circumstances, and there are exemptions, for example where the data is needed to comply with a legal obligation or to establish, exercise or defend legal claims.
**Right to restriction of processing** You can ask an organisation to limit the way it uses your personal data, for example while a dispute about the accuracy of the data or an objection to the processing is being resolved. You can also ask for restriction instead of erasure, so that the organisation keeps the data but stops using it.
**Right to data portability** You have the right to receive a copy of your data from an organisation in a commonly used and machine-readable format. You also have the right to ask the organisation to transmit the data directly to another organisation, and it must do this if it is "technically feasible". This right only applies to data you provided to the organisation, which is processed by automated means, and where the processing is based on your consent or on a contract with you.
**Right to object** You can object to an organisation using your data. Where the objection concerns direct marketing, i.e. the organisation attempting to sell or promote things to you, the organisation must stop as soon as it receives the objection. In other cases the organisation must stop unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
Rights regarding automated individual decision-making, including profiling The UK GDPR has provisions on automated individual decision-making and profiling. These cover decisions made about you solely by automated means, without any human involvement, which have legal or similarly significant effects on you.
You can ask for your data to be erased when:
The organisation no longer needs your data for the original purpose for which it collected or used it.
You initially gave your consent to the organisation using your data, but have now withdrawn that consent and it has no other lawful basis.
You have objected to the organisation using your data, and there are no overriding legitimate grounds for the processing.
You have objected to the use of your data for direct marketing purposes.
The organisation has collected or used your data unlawfully (such as by not complying with data protection rules).
The organisation has a legal obligation to erase your data.
The data was collected from you as a child, for an online service offered directly to children.
How do I ask for my data to be deleted?