The Institute of Continuous Professional Training and Education (ICPTE) offers an extensive variety of Self-Paced Online and Live Online seminars created by Professional and qualified Instructors with years of experience in their field.

The ICPTE platform allows You the flexibility to watch online self-paced seminars at Your own convenience, at Your own pace, in Your own time and place. Start watching a seminar today and complete it at Your own time. You can have access from anywhere. All self-paced online seminars are in the form of PowerPoint presentations.

Explore all seminars.

Understand Personal Data Protection

In 1995, the European Union (EU) passed the European Data Protection Directive (Directive 95/46/EC), which established minimum data privacy and security standards. Based on this Directive, each EU Member State enacted its own implementing law for the protection of personal data.

In 2016, the EU adopted the General Data Protection Regulation [Regulation (EU) 2016/679 of the European Parliament and of the Council of April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR)]. Since May 25, 2018, all organisations have been required to comply with the GDPR.

The key provisions of GDPR in brief:

  • The GDPR applies to all Member States of the European Union (EU) and countries in the European Economic Area (EEA). It protects the personal data of EU citizens and residents and applies to all organizations, large and small, across all industries, that process personal data, whether they are EU-based organizations or not.
  • The GDPR outlines a number of requirements that organisations must follow to process personal data legally, and it gives data subjects the right to know what information is collected about them, to have control over their personal data, and to know how their personal data is used and with whom it is shared.
  • A data subject is a person whose personal data is processed by an organisation and can be identified directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • The GDPR follows seven principles of personal data protection:
    a) Lawfulness, fairness and transparency.
    b) Purpose limitation.
    c) Data minimisation.
    d) Accuracy.
    e) Storage limitation.
    f) Integrity and confidentiality.
    g) Accountability.
  • An organisation must have a valid lawful basis to process personal data. The GDPR provides for six lawful bases for processing:
    a) The data subject has given clear consent to the processing of his/her personal data for a specific purpose.
    b) The processing of personal data is necessary for the performance of a contract an organisation has with a data subject, or a data subject has asked the organisation to take specific steps before entering into a contract.
    c) The processing of personal data is necessary for an organisation to comply with a legal obligation to which it is subject.
    d) The processing of personal data is necessary to protect someone’s life.
    e) The processing of personal data is necessary for an organisation to perform a task in the public interest.
    f) The processing of personal data is necessary for an organisation’s legitimate interests or for the legitimate interests of a third party, unless there is a good reason to protect the data subject’s personal data which overrides those legitimate interests.
  • An organisation must provide specific information to a data subject at the time it collects the data subject’s personal data. When the organisation collects personal data from a source other than the data subject it relates to, the organisation must provide the data subject with that information:
    a) within a reasonable period of obtaining the personal data, and no later than one month; or
    b) if the organisation will use the personal data to communicate with the data subject, at the latest when the first communication takes place; or
    c) if the organisation will disclose the personal data to a third party, at the latest when the personal data is disclosed to that third party.
  • The GDPR established eight rights for data subjects. The purpose of these rights is to enhance privacy protection for individuals and to ensure transparency and control over their personal data. Some of these rights had already been introduced through earlier legislation and have been strengthened by the GDPR, while others are introduced for the first time by the GDPR. The eight rights are:
    a) The right to be informed.
    b) The right of access.
    c) The right to rectification.
    d) The right to object to processing.
    e) The right not to be subject to a decision based solely on automated processing, including profiling.
    f) The right to be forgotten.
    g) The right to data portability.
    h) The right to restrict processing.
  • An organisation is responsible for implementing appropriate technical and organisational security measures to protect the personal data it processes, and for ensuring, and being able to demonstrate, that it processes personal data in accordance with the provisions of the GDPR.
  • Each organisation that processes personal data shall maintain a Record of Processing Activities. A Record of Processing Activities is a document that outlines an organisation’s processing activities related to personal data. This document is an evidential mechanism to demonstrate an organisation’s compliance with the provisions of the GDPR, as well as to help an organisation to gain insights into its personal data processing activities.
  • An organisation is obliged to report a personal data breach to the relevant supervisory authority and to inform the data subjects affected. The GDPR specifies the information to be reported, as well as the conditions under which an organisation is not obliged to report a breach to the relevant supervisory authority or to inform the data subjects affected. A data breach is a breach of security that exposes confidential, sensitive or protected information to an unauthorised person. A personal data breach may result from either accidental or intentional causes.
  • The GDPR introduces an obligation for an organisation to appoint a Data Protection Officer (DPO) if its core activities involve processing sensitive personal data on a large scale, or involve large-scale, regular and systematic monitoring of individuals. A public authority must always appoint a DPO. A DPO can play a key role in an organisation’s personal data processing activities and help the organisation maintain compliance with GDPR provisions. A DPO can be an existing employee or an externally appointed person.
  • The GDPR sets out specific rules for the transfer of personal data to a country which is not a member of the EU and to international organisations.
  • The GDPR introduces a tiered approach to fines when an organisation does not comply with GDPR provisions: the severity of the non-compliance determines the fine that an organisation may suffer. Severe violations can be fined 4% of annual global turnover or €20 million, whichever is higher. Less severe violations can be fined 2% of annual global turnover or €10 million, whichever is higher.

Any organisation that falls under the scope of the GDPR must implement specific actions to ensure compliance with its provisions. These actions include:

  • develop and keep updated a “Personal Data Privacy Policy”.
  • ensure that a “Privacy Notice” is published on its website informing visitors about the processing of their personal data.
  • implement and maintain appropriate technical and organisational security measures to protect the personal data being processed.
  • provide the necessary information to data subjects.
  • adhere to the GDPR principles.
  • process personal data on a lawful basis.
  • develop and maintain a Record of Processing Activities.
  • appoint or designate a DPO.
  • ensure that relevant procedures are in place to meet data subjects’ rights.
  • ensure that relevant procedures are in place to report a personal data breach to the relevant supervisory authority and to inform the data subjects affected.

Looking to enhance your knowledge and learn new skills on GDPR?

▶️Click HERE to find online self-paced seminars on GDPR topics.

▶️Click HERE to find Templates (in English language) of Policies and Programs that You can easily use to develop Your Company’s policies and programs.

Follow us on Facebook and LinkedIn for all the latest Online Seminars and Posts