The GDPR reinforces the established principles governing data protection. These principles include processing data lawfully, obtaining valid consent from individuals you are collecting data from, and making sure the rights of individuals are protected (ie the right to object to their data being processed).
When collecting personal data, you must make sure the data is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is necessary
- kept safe and secure
- not transferred outside the European Economic Area (EEA) without adequate protection
The new law makes it more difficult to obtain a valid consent from individuals whose data is to be collected. To be valid, consent must be freely given, specific (ie limited to a specific purpose), informed and unambiguous. It must consist of a clear affirmative action, therefore silence, pre-ticked boxes or inactivity don't constitute valid consent. In addition, consent to process 'sensitive personal data' or data that comes within the 'special categories of personal data' (ie information about racial origin, political opinions, religious beliefs, health, sexual orientation or criminal records) and consent to transfer personal data outside the EU must be explicit.
Individuals can also withdraw their consent at any time and consent must be as easily withdrawn as it was given (eg if data subjects simply ticked a box to express their consent, they should be able to withdraw the consent as easily).
The GDPR provides new rights for individuals, including:
- The right to erasure (or 'right to be forgotten'): individuals have the right to ask companies holding data about them to erase that data upon request, if there's no compelling reason to continue processing the data.
- The right to access data: data processors must comply with a request to access data without delay, and at the latest within one month of the request (this can be extended to two months if the request is too complex). However, you can refuse to respond to the request if it is manifestly unfounded or excessive.
- The right to data portability: when data processing is carried out by automated means, individuals have the right to access their personal data in a machine-readable format, ie in a way that is portable and safe.
All organisations must report data breaches to the relevant supervisory authority and, if the breach is high risk, to the affected individuals. Data breaches are breaches of security that lead, for example, to the destruction, loss, alteration or unauthorised disclosure of personal data. If feasible, the breach must be reported within 72 hours.