GDPR Fact Sheet

Personal data

Data from which a living individual is identified or identifiable whether directly or indirectly
Sensitive data includes data relating to race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex or sexual orientation, generic data, biometric data.

Six Lawful Bases for Processing Data

Consent – informed, freely given and verifiable
Contractual necessity
Legitimate interest of the data controller
To comply with a legal obligation
To protect vital interests
Public interest, Official duty

Six Principles for data processing and one Overriding Principle

Processing must be fair, lawful, and transparent
Data must be collected for a specified explicit purpose and used for that purpose
Data Controller must obtain data that is adequate, relevant and not excessive
Data controller must keep data accurate and up to date
Data controller must only keep identifiable data for as long as necessary
Data controller must not lose data, damage it or put in a physically unsafe environment

The Overriding Principle to which Data Controllers must adhere is Accountability

Data Subject Rights

Right of Access to data
Right to have data corrected
Right to be forgotten
Right of Portability
Right to object to processing
Right to be notified of their rights
Restrictions on automated decision taking which have a significant effect
The requirement for parental consent for data processing decisions by children under the age of 13

Reporting obligations

Data breaches must be reported by data controllers to the ICO as soon as reasonably possible and within 72 hours of becoming aware if the breach is likely to result in a risk to the rights and freedoms of natural persons
The ICO may require data controllers to communicate any breach to those affected by it unless the breach is likely to have a high risk for the rights and freedoms of data subjects, appropriate technical and organisation protection were in place at time of the incident, or it would be disproportionate to do so.

Fees

Tier One organisations – fewer than 10 staff or turnover less than £632,000 - £40 per year
Tier Two organisations – fewer than 250 staff or turnover less than £36 million - £60 per year
Tier Three organisations –more than 250 staff and turnover greater than £36 million - fees of £2900 per year

Fines

Infringement of certain provisions such as rights of data subjects or lack of consent have maximum fine of €20 million or 4% of worldwide turnover, whichever is the higher,
Infringement of other provisions have maximum fine of €10 million or 2% of worldwide turnover, whichever is the higher.

Although correct at the time of publication, the contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.

How can we help?

Please send us your enquiry in the form below and we'll get back to you as soon as possible

Forename Please enter your forename

Surname Please enter your surname

Email Please enter your email address

Telephone Please enter your telephone number

Your question Please enter a question

How did you hear about us?

Please let us know how you heard about us

I consent to receiving the occasional email regarding legal news, seminars and your other services which may be of interest.

Please enter the verification code

GDPR Fact Sheet

GPs Not Liable for Woman's Death from Stroke

Wrong Address a Reasonable Excuse for Landlord