Understanding the Purposes of GDPR

GDPR stands for the General Data Protection Regulation. It was established in 2018 when the European Union passed it into law.

The EU wanted to consolidate the different data protection rules found across Europe. Standardising data protection would help businesses safeguard information and increase customer confidence in proper data handling. It did this by establishing the GDPR, one act that governed data protection across all European Union member states, including the UK at the time.

After Brexit, the UK incorporated GDPR into its laws via the Data Protection Act 2018 (DPA). The DPA created what became known as the UK GDPR. The UK GDPR is effectively identical to the original EU version and shares its overall aims:

• Help businesses understand how to keep information safe
• Give people more control over their personal information
• Give people insight into how their data is used

UK GDPR is enforced by the Information Commissioner’s Office (ICO). The ICO also offers guidance and resources to businesses navigating data protection legislation.

It’s necessary to understand key terms before exploring the purposes of GDPR.

Personal Data refers to any information that relates to and can identify an individual. It can directly identify a person or be used in combination with other data to identify someone indirectly.

Data Processing is any operation performed on personal data. Processing is an extremely broad term, covering the collection, storage, retrieval and even destruction of personal data.

Essentially, if you’re doing anything with personal data, it’s considered processing under GDPR.

Data Controller is the person or organisation that determines the purposes and means of the processing of personal data. In simpler terms, the data controller decides how and why personal data is used. They also hold the final responsibility for ensuring that their processing activities comply with GDPR.

Data Processor is the entity (whether a company, an organisation or an individual) that processes personal data on behalf of the data controller. The processor is responsible for handling the data per the controller’s instructions and in compliance with the GDPR.

An example would be a cloud hosting provider. A retail company may use this provider for data storage, making it a data processor. The retailer remains the data controller as they decide what information to collect and why.

Data Subject is the individual whose personal data is being processed.

The UK GDPR is built around seven key principles that lay the foundation for the secure and respectful handling of personal information. Understanding these principles gives insight into how data should be treated and what rights subjects have over it:

1. Lawfulness, Fairness and Transparency: All personal information must be collected and processed legally, fairly and transparently. You must handle data respectfully and be clear about how you intend to use it.
2. Purpose Limitation: You can only collect personal data for a specific, legitimate purpose. This purpose should be immediately clear and new consent must be given if that purpose changes.
3. Data Minimisation: Sometimes referred to as the ‘Goldilocks’ principle because it relates to the right amount of data. You can only collect information that’s strictly necessary for your stated purpose and no more.
4. Accuracy: Data should be kept current and accurate. You must correct any false or outdated information.
5. Storage Limitation: Personal information shouldn’t be kept longer than needed. Once the reason for processing the data has passed, you must delete or anonymise it.
6. Integrity and Confidentiality (Security): Personal data must be protected from unauthorised access, accidental loss, destruction or damage through appropriate security measures.
7. Accountability: You must comply with the GDPR and be able to prove it. Compliance can only be achieved through both technical and procedural measures.

Another one of the purposes of GDPR is to empower individuals with specific rights over their personal information. These rights are intended to protect privacy and give subjects control over their personal details. The eight rights are:

1. The Right to Be Informed: Individuals have the right to know how their data is being used. You must clearly explain your data processing activities, including what data is being collected, its use and why.
2. The Right of Access: Individuals can request access to their personal data. You must honour these requests within one month of the subject reaching out.
3. The Right to Rectification: If held information is inaccurate or incomplete, subjects have the right to see it corrected.
4. The Right to Erasure (‘Right to Be Forgotten’): Subjects can request their personal data be deleted where there’s no compelling reason for its continued processing. This right may apply if the data is no longer necessary for the purpose it was collected or if the subject withdrew consent.
5. The Right to Restrict Processing: Subjects have the right to block or suppress the processing of their personal data. While the data may still be stored, further processing is limited.
6. The Right to Data Portability: Subjects can gather and reuse personal data across different services.
7. The Right to Object: Individuals can object to the processing of their personal data in certain circumstances. A common example is when data is used for unsolicited direct marketing purposes.
8. Rights Related to Automated Decision Making: Individuals have the right to challenge automated decisions, including profiling. You cannot rely on decisions made entirely without human involvement.

Compliance with the UK GDPR is about more than avoiding penalties. The overarching purpose of GDPR is to ensure the privacy and security of personal data. Providing this security helps build consumer trust and can support the long-term success of your organisation.

Here’s a general guide on what organisations must do to align with UK GDPR:

Understand the data being processed: You need to decide what type of data to process, why it must be processed and the legal basis to do so.

Implement data protection measures: You must implement sufficient technical and organisational data protection measures. This includes securing data against unauthorised access, data breaches and loss.

Maintain records of data processing activities: Under the UK GDPR, detailed records of data processing activities are mandatory. These records should include the purpose of processing, data categories and whether the data is transferred to another country.

Respect user rights: You must respect the eight individuals’ rights under UK GDPR.

Report data breaches: In the event of a data breach, you have a duty to report it to the ICO within 72 hours.

Financial penalties under the UK GDPR can be substantial. Fines need to serve as a deterrent against non-compliance, so they must be steep enough to punish some of the world’s largest and most profitable companies.

The ICO divides fines into two tiers based on the severity of the violation. The lower of the two is referred to as the standard maximum amount. The greater fine is known as the higher maximum amount.

• Standard maximum amount: The ICO can impose fines of up to £8.7 million or 2% of the organisation’s total annual turnover of the last financial year, whichever is higher. These penalties are handed out for administrative failures, such as incomplete records or failing to notify the ICO about a data breach.
• Higher maximum amount: For more severe infringements, fines can escalate to £17.5 million or 4% of the total annual turnover of the last financial year, whichever is higher. This tier includes violations like not obtaining proper consent for processing data, violating the core principles of GDPR and transferring data to third countries without adequately protecting it.

A crucial step towards UK GDPR compliance is training staff as every employee plays a role in ensuring data protection. Training should cover data protection fundamentals, the legal framework and strategies to maintain compliance with GDPR.

Our online GDPR Training course is designed to give your team a solid understanding of data protection. Suitable for employees at all levels, it covers practical ways to handle data with confidentiality and integrity. By taking this course, you can improve data security awareness and demonstrate your organisation has acted to uphold the purposes of GDPR.