Data Protection and GDPR

What is personal data?

Personal data is any data that can identify a specific individual (either directly, or indirectly by combining it with other information).

Read on for some examples of personal data.

What is data protection?

Data protection is the process of keeping personal data safe from misuse.

Why is data protection important?

Data protection matters because of the harm that can potentially be done to people using data about them.

In the contemporary world, crimes like identity theft and types of fraud like phishing rely on misusing data. Historically, data about people’s race, ethnicity, and political views has been used to persecute them.

The purpose of data protection regulations is to make sure companies keep people’s data safe, so that it isn’t misused in this way.

What is GDPR?

GDPR stands for “General Data Protection Regulation”. It’s an EU law on privacy and data protection that covers citizens of the European Union and European Economic Area.

GDPR is intended to give people more control over their data, by forcing companies to be more transparent about what they do with personal information. Companies that don’t comply with GDPR can be fined up to €20 million (or 4% of their annual turnover, if that’s more than €20 million).

All businesses based in the EU, and all businesses that hold data on individuals in the EU, have to comply with GDPR.

When did GDPR come into force?

GDPR came into effect on 25 May 2018.

What are the 7 principles of GDPR?

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

What data is protected by GDPR?

GDPR protects personal data. Examples of things GDPR regards as personal data include:

  • Your name
  • Your email
  • Your home address
  • Unique identification numbers (for example, your National Insurance number)
  • Location data from your phone
  • The IP address of your computer, tablet, or phone
  • Cookies on your devices
  • Your medical records
  • Genetic data
  • Biometrics (such as fingerprints or images of your face)
  • Data about your race, ethnic origin, or sexuality
  • Data about your political or religious affiliations
  • Membership of trade unions

What is a data subject?

“Data subject” is the legal term for the person who some data is about.

What is a data breach?

A data breach is when data ends up in the hands of someone who doesn’t have permission to access it.

That can happen deliberately if a hacker successfully attacks a company’s computer systems, and steals data. It can also happen accidentally if one of the company’s employees leaves their laptop on a train, or drops a USB stick containing personal data in a pub.

Are data breaches on the rise?

In the first half of 2019, the total number of reported data breaches increased year-on-year by 54% to 3,813, according to the company Risk Based Security.

Recent high-profile examples of companies suffering data breaches include:

  • Capital One – a hacker gained access to 106 million accounts
  • British Airways – attackers harvested data from 500,000 BA customers by redirecting them to a fraudulent website
  • Equifax – hackers exploited a vulnerability in the online credit report system to access the details of 147 million people
  • Roll20 – personal data was taken from 4 million users of the tabletop gaming site
  • Canva – a hacker claims to have accessed the data of 139 million users
  • Yahoo! – multiple data breaches between 2012 and 2016 affected over 500 million accounts
  • Marriott – an attack on the guest reservation database led to data on 500 million customers being exposed
  • TalkTalk – 4% of the company’s customers were affected by a hack in 2015
  • Morrisons – an employee of the supermarket stole the salary and bank details of 100,000 staff
  • Sky – the company wrote to customers telling them to re-set their passwords in July 2019, prompting rumours of a data breach
  • NatWest – a former employee reported that she had been holding sensitive personal information on 1,600 customers at her home for 10 years
  • Target – 41 million payment cards were affected by an attack using data stolen from a third-party website

It’s important to bear in mind that regulations have changed over time, meaning there are more circumstances in which companies are required by law to report data breaches. As a result, it’s possible that data breaches aren’t on the rise, but just that more of them are being reported.

Are data processors liable for GDPR fines?

Yes, under GDPR data processors (as well as data controllers) are liable for fines. This is different to the previous Data Protection Act regulations.

Fines for data processors breaching GDPR are up to €10 million, or 2% of global turnover (whichever is the greater).

Do I need a checkbox on contact forms under GDPR?

Maybe. However, GDPR isn’t explicit about the use of checkboxes or other design elements of forms.

The regulations say that when you get consent from someone to use their data, it must be specific, informed, freely-given, and unambiguous. You also need to make it clear what you’re planning to do with the data you collect.

If you plan to send marketing to people, a checkbox with text that meets this requirement is a practical option (as long as it isn’t checked by default).  

Are Google Forms GDPR compliant?

As Google only transfers personal data outside the EU in ways that comply with GDPR, Google Forms can be used in a GDPR-compliant way.

However, if you use Google Forms to collect personal data, don’t forget that you still have a responsibility to comply with GDPR.

To learn more about how Google complies with GDPR and European data protection law, read Google’s compliance page. Alternatively, to read more about the data which other Google products and services use, check out the Google Data article.
