Everything You Wanted to Know about GDPR (But Were Afraid to Ask)

Written By: Cudy

23rd April 2023

Everything You Wanted to Know about GDPR (But Were Afraid to Ask)

This is a quick introduction to the General Data Protection Regulation (GDPR) which comes into force on 25 May 2018. The new regulation replaces the current Data Protection Act 1998.

It affects any organization that processes personal data about individuals or offers goods or services to them.

Why Does GDPR Matter?

Under the current Data Protection Act, fines for non-compliance can be up to £500,000. The maximum fine under GDPR will be €20 million (£17 million) or 4% of global turnover, whichever is greater.

In addition, they can fine organizations up to €10 million (£8.8 million) or 2% of global turnover for not having their records in order (for example, failing to keep proper employee records).

grayscale photo of person using MacBook
Photo by Sergey Zolkin on Unsplash.

What Has Changed?

GDPR sets out several key changes that make it easier for businesses and organizations to comply with data protection laws and principles:

The GDPR will replace the Data Protection Act 1998. It applies to all companies processing the personal data of EU citizens, regardless of where the company is based.

GDPR is technology-neutral. This means that it will apply to any business that uses technology, from apps and websites to CCTV systems and databases.

GDPR clarifies that data protection laws apply not just to ‘personal data' but also to ‘special' categories of data, such as genetic or biometric data.

It also clarifies the definition of ‘sensitive personal data’, which can be about criminal offenses or convictions.

For example, names and addresses are likely to be sensitive personal data because they can identify an individual.

Rules Relating to Children Under 16-Year-Old

As well as being more explicit about the definition of sensitive personal data, GDPR has strengthened provisions relating to children under 16 years old, particularly about online services such as social media platforms and online games.

In addition, it sets out stricter rules on consent for processing special categories of personal data or sensitive personal data. These rules include:

  • Individuals must give unambiguous consent before organizations can process their sensitive personal information (for example, ticking a box). This includes information relating to criminal convictions and offenses.
  • The organization must clarify what the individual is consenting to, for example, whether they are consenting to market materials or an app.
  • Individuals must be able to withdraw their consent at any time.
  • Wherever possible, the organization should use ‘granular’ opt-in consent mechanisms (for example, asking people to tick a box if they want to receive marketing materials from the organization).
  • Where it is not possible to use granular opt-in, then organizations must explain why it is not possible in their privacy notice. For example, they may need to provide an ‘opt-out’ option for those who do not want their data processed for marketing. They must also explain how individuals can withdraw their consent at any time.

Getting Consent from Individuals

The GDPR will introduce more stringent rules on obtaining consent from individuals before processing their personal data. In particular:

  • It will clarify that consent must be freely given, specific, informed, and unambiguous. They cannot assume it from silence, pre-ticked boxes, or inactivity.
  • It will also require organizations to keep evidence of consent (for example, by asking individuals to sign a form).

The GDPR is likely to have a significant impact on how organizations interact with their customers and business partners.

For example, if an organization has an app that requires location data for the app to work, then it may need to get explicit consent from users before collecting and using this data.

The same would apply if an organization wanted to send marketing materials via email or SMS text messages.

Organizations must get clear consent from individuals before collecting any sensitive personal data or special categories of personal data (such as criminal convictions).

They must also make sure that the individual understands what they are consenting to (for example whether they are agreeing to receive marketing materials).

person using laptop
Photo by Thomas Lefebvre on Unsplash.

Transparency about Information Usage

Organisations must provide transparent information about why they need the information and how it will be used. This includes:

  • The organizations that might use the data (for example, direct marketing companies or debt collection agencies). The type of processing that will take place (for example, using the data to send marketing materials or to conduct a credit check).
  • Individuals must be able to withdraw their consent.

The Right to be 'Forgotten'

The GDPR introduces a ‘right to be forgotten'. This gives individuals the right to have their personal data deleted in certain circumstances, for example, if it is no longer necessary for the purpose it was collected.

The GDPR also clarifies that individuals may ask an organization to transfer their personal data from one service provider to another.

Organizations must have a lawful basis for processing personal data. The most common lawful basis is ‘consent’, but there are other grounds for processing too, such as ‘contract’ and ‘legitimate interests. Organizations will need to make sure they have evidence of consent before collecting and using personal data, such as

  • Recording how and when individuals gave consent.
  • Where appropriate, keep evidence of consent in an accessible format (for example, by asking people to sign a form).
  • Organizations must keep accurate records of all personal data they hold. They must also make sure that the records are easily accessible and readable.

This will help them identify any personal data that they no longer need to process, or that is incorrect.

Read similar articles about Privacy Policy and other related internet security articles on the Cudy Blog page!


Written by

Cudy

Cudy is an online marketplace for real-time learning where students can achieve mastery over their subjects by learning live from educators who are passionate about providing the best learning experience for their students.

More stories

The Ideal Process Of Creating eLearning Content
Learning is a process of doing and observing the eLearning content, which is carried out by the learner through their interaction with the content. This interaction between the learner and the content is what constitutes the learning process, and this is the main focus of this article. How To Implement The Process Of eLearning Content […]

Cudy

25th April 2023

How Can I Learn Japanese If There Are No Tutors in My Area?
The Internet has made it possible for individuals who are located in different parts of the world to interact with each other. Since there are no physical barriers in cyberspace, people from different parts of the world can share information and learn from each other. With the emergence of online tutoring websites, you can find […]

Cudy

25th April 2023

Top 6 Tips For Using Videos In Your eLearning Courses
Videos allow for better communication between learners and instructors. For example, videos can be used to show learners how to do something. This article has been published on eLearning Industry. How To Create Engaging Videos For Your Courses Video in eLearning has come a long way since the days of slideshows and PowerPoint. Today, video […]

Cudy

25th April 2023

The Limitations Of Educational Technology
There are always advantages and disadvantages to each type of educational technology. But it is up to you to decide which type of online course will work best for you. This article has been published on eLearning Industry. The Pros And Cons Of Using Technology In Education The internet is changing our lives in ways […]

Cudy

25th April 2023

Subscribe to our blog