GDPR provides data protection and privacy for all individuals within the European Union by emphasising that control over data belongs to the citizen and it harmonises the regulatory environment for international organisations operating within the EU.
GDPR applies if the data controller (an organisation that collects date from EU residents) or processor (an organisation that processes the data on behalf of a controller), or the data subject (the person) is based in the EU. Under certain circumstances GDPR also applies to organisations outside the EU if they collect or process personal data belonging to individuals inside the EU.
Personal data is any information relating to an individual, whether it relates to their private, professional or public life. It can be anything from a name, a home address, a photograph, an email address, bank details, posts on social networking sites, medical information or a computer’s IP address. GDPR does not apply to processing of personal data for national security reasons or law enforcement of the EU.
Under GDPR, data controllers are under a legal obligation to notify the supervisory authority (Information Commissioner) without undue delay if there is a data breach unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. Sanctions are in place if the required standards are not met. Data subjects have a number of rights:
- The right to be informed – that data is being collected and what it will be used for
- The right of access – to see what personal date organisations hold and what they use it for
- The right to rectification – to have inaccurate data amended
- The right to erasure – of personal data relating to them on a number of grounds
- The right to restrict processing – personal data may be stored but not processed
- The right to data portability - to transfer personal data from one electronic processing system into another without being prevented from doing so by the data controller
- The right to object – to stop data being used in certain circumstances
- The right not to be subject to automated decision making i.e. profiling
NW Brown complies with the GDPR and the Financial Conduct Authority (FCA).