https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
- PII (personally identifiable information)
- Under GDPR there are also a few special categories of sensitive personal data that are given greater protection. This includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health information, and data about a person's sex life or sexual orientation.
- GDPR's seven principles are:
  - lawfulness, fairness and transparency;
  - purpose limitation;
  - data minimisation - do not collect more information than necessary;
  - accuracy;
  - storage limitation;
  - integrity and confidentiality (security) - data is protected;
  - accountability.
- Companies with more than 250 employees need documentation of why people's information is being collected and processed, descriptions of the information that is held, how long it is kept for, and descriptions of the technical security measures in place. GDPR's Article 30 lays out that most organisations need to keep records of their data processing, including how data is shared and stored.
- Rights
  - Subject Access Request (SAR) - reply within a month
  - the right to be informed
  - the right of access
    - As well as the information that is asked for, an organisation has to provide details of why it was processing the personal information, how the information is being used, and how long it is due to be kept for.
  - the right to rectification
  - the right to erasure - delete data if consent is withdrawn
  - the right to restrict processing
  - the right to data portability - transfer my data from X to Y
  - the right to object
  - rights around automated decision making and profiling
    - opt out of automated processing - within limits
  - access to my data
    - Subject Access Request (SAR) - reply within a month