Do you know your data controllers from your data processors? The General Data Protection Regulation (GDPR) is an important, but not particularly easy to understand, piece of legislation that will come into play from May 25 2018.
You can dive deeper into GDPR with our introduction or work through our GDPR Checklist. But if you’re brand new to the topic, this Glossary should get you up to speed with the correct terminology.
Personally Identifiable Information – GDPR applies only to information relating to a person. Personal data, or ‘Personally Identifiable Information’ (PII), is any data that can be traced to an individual: for example an email address, telephone number or IP address (when linked with an identifier).
Sensitive Personal Data – Any information that can be used to discriminate against an individual can be classed as Sensitive Personal Data. This includes: religious or ethnic origin; political opinions; religious beliefs; sexual orientation; health data; genetic data; or biometric data that is processed to uniquely identify a person.
Identifier – Whilst not strictly PII, this is a piece of data that can allow a person to be identified by referencing it, either directly or indirectly. Examples of personal identifiers include a person’s first name, location data or even online behavioural data.
Anonymised data – Also called ‘pseudonymised data’, anonymised data is data that has been modified so that it can no longer be used to identify an individual. It’s worth noting that, whilst it may be impossible to identify individuals from one data set on its own, it may still be possible to identify individuals from that data set by bringing in identifiers from other data sources.
Legitimate Interest – Businesses can process data where there is a ‘legitimate interest’ on the part of the Data Controller or the Data Processor, except where these interests are overridden by the interests or fundamental rights of the customer.
This is a confusing one, but it essentially means that businesses do not necessarily require explicit consent from individuals to process data where there is a legitimate reason for a business to do so, such as moving data from one part of a business to another, direct marketing, or personalising web content for users. But this by no means justifies all uses of data, and customers should always be able to opt out at any time. Econsultancy have a good overview with examples.
Consent – This requires businesses to collect users’ explicit consent, either through a statement (for example, answering “Yes” to a request for consent over the phone) or an action (such as ticking a consent box on an online form).
The key here is that consent must be freely given by the customer; it must be opt-in; and the customer must clearly understand how their data will be used (including passing data to third parties). Businesses must be able to demonstrate how, where, when and for what they secured consent. It must also be possible for the data subject to withdraw their consent at any time.
Data Subject – This is the person whose data is being collected or processed. For the majority of businesses this will be their customers, though it can also include your employees.
Data Controller – The Data Controller is the person or organisation that determines the method for collecting data, the purpose for which data is processed, and how it is processed. A data controller is responsible for ensuring that any of its data processors (see below) are compliant under GDPR.
Data Processor – The Data Processor is a person or organisation that gathers, records, stores or processes data on behalf of a Data Controller.
Processing – This covers a wide range of actions that can be performed on data and information: organising, modifying, searching, making it available to other people or organisations, using data for decision making, or the destruction of data.
If you’re confused by the notion of a ‘controller’ and a ‘processor’, it’s not just you. We’ve got a quick guide to the differences here.
Now that we’ve covered the key definitions relating to GDPR, we should note that there are six principles relating to the ‘lawfulness of processing’; in other words, six principles governing when it is OK to process an individual’s data.
We’ve already covered Consent and Legitimate Interest above, perhaps the two key principles, so we’ll keep the definitions of each nice and short.
Remember, a business must satisfy at least one of these principles in order to lawfully process customer data.
- Consent – The data subject (customer or individual) has given your business permission to process their data for specific purposes.
- Contractual – Processing a customer’s data is required in order to fulfil a contract in which the customer is involved.
- Legal obligation – A business can process customer data if doing so is necessary to comply with a legal obligation the business is subject to.
- Vital interest – When processing is necessary to protect the vital interests of the customer or another person.
- Public interest – When processing is carried out in the public interest, or by an official authority.
- Legitimate interest – Processing can take place for the purpose of legitimate interests pursued by the controller or a third party, except when overridden by the interests of the customer or individual.
Please note that for principles 3 and 4, individual countries may choose to implement stricter provisions, and so it’s always worth seeking specific legal advice if you are not sure how these principles apply to your business.
Want more information?
If you would like more information about GDPR, you can visit our Legal & HR advice hub, which has a number of articles about GDPR; you can claim a free 15 minute GDPR consultation with legal services provider Lawbite; or you can contact the ICO’s GDPR hotline for SMEs on 0303 123 1113.