To understand GDPR, we first need to understand the different elements involved. The most import of these is personal data:

 

​

Personal data

​

Data that can be used to identify a living individual

​

Examples of personal data are email addresses, telephone numbers, and payment information.

The definition of personal data includes data which would allow identification of a living individual, when combined with other commonly available information. For example an individual's address would be personal data, since while it may not identify them on it's own, it could easily be cross referenced with Electoral Register data to find the individual's name. 

​

When talking about personal data, we often used the term data subject:

​

​

Data subject

​

An individual who is the subject of personal data

​

The key concept of GDPR is your responsibility to data subjects whose data you control.

These responsibilities include:

• Transparent, secure, and fair processing

• Minimising the amount of personal data processed

• Ensuring the data is accurate

These responsibilities are defined by the articles in GDPR, which state specifically how data should be handled.

 

If you store, collect, or process personal data, then you will need to comply with GDPR. Depending on what you are doing with personal data, you will be either a Data Controller, Data Processor, or both. The definitions for these terms are defined below:

​

​

Data controller

​

The person / organisation that decides how and why data is processed

​

​

Data processor

​

The person / organisation that processes data on behalf of a controller

​

Both controllers and processors have obligations under GDPR that they must fulfil. You should ensure that you are aware of your obligations under GDPR well before May 25th 2018, as the requirements for your organisation may be significant.

The rights of data subjects, and the responsibilities of your organisation will be enforced by a Supervisory Authority, which will ensure compliance with GDPR. Your supervisory authority will depend on which country your organisation is based in, for example in the UK this will be the ICO.

​

​

Supervisory authority

​

An independent public authority established by a member state

​

The supervisory authority will ensure organisations are complying with GDPR. In cases where organisations do not comply, they will have the authority to issue fines of up to €20m or 4% of turnover.

To coordinate communication and compliance, some organisations are required to have a Data Protection Officer (DPO). The main DPO responsibilities are shown below:

​

Data protection officer

​

• Monitors GDPR compliance

• Communicates with data subjects

• Communicates with supervisory authorities

​

Not all organisations are required to have a Data Protection Officer, however it is recommended that you appoint someone to fulfil the role - since it will make GDPR compliance a lot easier.

GDPR contains many other detailed areas that organisations will need to comply with, and Rizikon can help your organisation prepare for GDPR.