GDPR for individuals
The General Data Protection Regulation (GDPR) from 25th May 2018 will replace current data protection laws in the European Union.
The new law will give individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes corresponding and greatly increased obligations on organisations that collect this data.
Personal data is any information that can identify an individual person. This includes a name, an ID number, location data (for example, location data collected by a mobile phone) or a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
The GDPR is based on the core principles of data protection which exist under the current law. These principles require organisations and businesses to:
- collect no more data than is necessary from an individual for the purpose for which it will be used;
- obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;
- retain the data for no longer than is necessary for that specified purpose;
- to keep data safe and secure; and
- provide an individual with a copy of his or her personal data if they request it.
Under the GDPR individuals have the significantly strengthened rights to:
- obtain details about how their data is processed by an organisation or business;
- obtain copies of personal data that an organisation holds on them;
- have incorrect or incomplete data corrected;
- have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data;
- obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability);
- object to the processing of their data by an organisation in certain circumstances;
- not to be subject to (with some exceptions) automated decision making, including profiling.
Organisations and businesses collecting and processing personal data will be required to meet a very high standard in how they collect, use and protect data. Very importantly, organisations must always be fully transparent to individuals about how they are using and safeguarding personal data, including by providing this information in easily accessible, concise, easy to understand and clear language.
For organisations and businesses who breach the law, the Data Protection Commissioner is being given more robust powers to impose very substantial sanctions including the power to impose fines. Under the new law, the DPC will be able to fine organisations up to €20 million (or 4% of total global turnover) for the most serious infringements.
The GDPR will also permit individuals to seek compensation through the courts for breaches of their data privacy rights, including in circumstances where no material damage or financial loss has been suffered.
In the coming period further information will be provided here on the rights of individuals under the GDPR.