Removing personally identifiable information.
Binding Corporate Rules:
Binding Corporate Rules (BCRs) are agreements governing international transfers made between organizations within a corporate group, such as a multinational corporation. Consent Consent is a lawful basis to transfer personal data under the GDPR. If we want to rely on consent as the lawful basis for any of our processing activities, we need to ensure that:
- Data subjects are provided with a clear explanation of the processing to which they are consenting
- The consent mechanism is genuinely of a voluntary and “opt-in” nature (e.g., pre‑ticked boxes do not constitute valid consent)
- Data subjects are permitted to withdraw their consent easily
- Any consent is really freely given (e.g., an individual must have a genuine or free choice and the ability to refuse or withdraw consent without detriment)
- Consent is documented and recorded
Data Protection Principles:
Article 5 of the GDPR sets out the regulations for the processing of personal data. Article 5 is commonly referred to as the data protection principles of the GDPR. These principles govern the way that personal data is collected and processed. They state that:
- Any personal data that you collect must be processed lawfully, fairly, and in a way that is transparent to the data subject.
- Personal data that you collect can only be used for specified, explicit, and legitimate purposes. You cannot process the data in any way that is incompatible with the purposes you specify when collecting the data.
- You can only collect personal data that is adequate, relevant, and limited to the purposes for which you need to process the data. This is referred to as data minimization.
- Any personal data you collect must be accurate and, where necessary, kept up to date. You need to take every reasonable step to ensure that personal data that is inaccurate, with regard to the purposes for which it is processed, is erased or rectified without delay.
- You must keep any personal data you collect in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. In certain situations, you can store personal data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, or for scientific, historical research, or statistical purposes.
- You must ensure the security of the personal data that you process. You must protect it from unauthorized or unlawful processing. You also need to protect it against accidental loss, destruction or damage.
An identified or identifiable person to whom the “personal data” relates.
The European Economic Area (EEA) comprises the EU member states as well as Norway, Iceland, and Liechtenstein. It is an area of free trade and free movement of people.
The process of converting information or data into a code, especially to prevent unauthorized access.
General Data Protection Regulation.
Model clauses are based on standard contractual clauses that the EU Commission accepts provide adequate safeguards for the protection of data privacy.
Personal data is any information relating to a living individual which allows the identification of that individual, either directly or indirectly. Personal data can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual and that would allow the individual to be identified or identifiable.
Personal Data Breach:
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Some examples include having your laptop stolen, losing your phone, responding to a phishing mail requesting personal employee information, or sending an unprotected Excel file to an unauthorized person, etc.
Privacy by Default:
Privacy by default means that the strictest privacy settings automatically apply for products and services (by “default”) and no manual change to such privacy settings should be required on the part of the user. Any product or service that is released to the public must have privacy by default. That means that companies cannot rely on the data subject to implement privacy settings – the strictest setting must be automatically enabled. For example, if you sign up for a service that includes a published profile, such as a profile on a social media site, the profile should show the minimum information required and not add additional elements, such as age and location.
Privacy by Design:
All companies subject to the GDPR will need to review their systems for processing personal data to ensure that privacy is built into the design during the whole lifecycle of the system. Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Organizations must ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle.
For example, when:
- Building new IT systems for storing or accessing personal data;
- Developing legislation, policy or strategies that have privacy implications;
- Embarking on a data sharing initiative; or
- Using data for new purposes.
Organizations should, therefore, ensure that they integrate core privacy considerations into existing project management and risk management methodologies and policies.
A privacy statement specifies how an organization will process any personal data that it collects.
Replacing personally identifiable material with artificial identifiers.
Each EU member state has a Supervisory Authority (SA) to hear and investigate complaints, and impose sanctions for breaches of the GDPR.
A Subject Access Request (SAR) is a request filed by an individual in the EU with an organization for access to the data the organization holds on the individual and for details on how the organization processes the individual’s data.
This content is an extract from the GDPR Training course.