GDPR Summary and Data Protection Act 2018
Data protection law
Who does the GDPR apply to? What about post-Brexit changes?
The GDPR applies to organisations established in the EU and, under Article 3(2), to organisations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour there. It applies to both data controllers and data processors, and both can be held liable for personal data breaches.
It covers every stage of data usage, including collection, storage, retrieval, alteration and destruction. Businesses can check their adherence to the GDPR by examining the data relationship with their customers: which personal data they hold, why, for how long and who it is shared with. This evaluation shows where privacy mechanisms or policies are needed to meet the expectations and requirements of the GDPR.
The UK left the EU on 31st January 2020. After the transition period ended (from 1st January 2021), the EU GDPR no longer applies directly in the UK. The UK retained the regulation in domestic law as the ‘UK GDPR’, and the Data Protection Act 2018 (DPA 2018) supplements and tailors it, so the two are read together.
How does GDPR define personal data?
Article 4(1) of the GDPR defines personal data broadly as any information relating to an identified or identifiable natural person (the ‘data subject’). The definition covers all information that could directly or indirectly identify an individual, whether on its own or in combination with other sources.
The GDPR protects personal data irrespective of technology and applies to both manual and automated processing. Some examples of personal data are:
- a name or an email address;
- an ID card number such as driving license, National Insurance (NI) number;
- home address or location data e.g. location services using mobile applications;
- IP address or online identifiers such as cookie ID, advertising identifier, etc;
- Records containing personal data such as health records, HR records, customer details, payment details, etc.
How does the GDPR differ from the Data Protection Act (DPA) 2018?
The GDPR regulates the protection of personal data across the EU and is more detailed and demanding than the DPA 2018, the UK legislation that supplements and tailors the GDPR for the UK. The following eight areas are the main differentiators between the EU GDPR and the DPA 2018.
- Personal information: the GDPR’s extended definition of personal data includes identifiers such as IP addresses, internet cookies and DNA.
- Right to be forgotten: the GDPR grants individuals the right to request the erasure of their personal data.
- Automated decision-making: the GDPR gives individuals the right not to be subject to a decision based solely on automated processing, including profiling (Article 22).
- Penalties: the GDPR imposes an increased level of penalties in case of a data breach or failure to comply with the regulation.
- Data Protection Officer: the GDPR mandates the appointment of a Data Protection Officer for organisations whose core activities involve large-scale processing of special categories of data or regular and systematic monitoring of individuals.
- Data protection impact assessment: the GDPR mandates an impact assessment for high-risk processing to verify that the organisation meets individuals’ privacy expectations and the regulation’s conditions.
- Children’s consent: under the GDPR, children aged 16 and over can consent to data processing themselves, whereas the DPA 2018 sets this age at 13 for the UK.
- Data subject rights: the GDPR applies protective measures to subject rights throughout, whereas the DPA 2018 exempts some processing (scientific or historical research and archiving) from certain subject rights.
Article 5 GDPR - The data protection principles
The GDPR’s protection of the data privacy rights of EU citizens is built on six fundamental principles set out in Article 5(1), with a seventh principle, accountability, stated in Article 5(2); the ICO lists all seven as the UK GDPR principles. These principles are the central approach to processing personal data in line with the GDPR.
- Lawfulness, fairness and transparency: the organisation collects and processes personal data lawfully, fairly and in a transparent manner
- Purpose limitation: the collected personal data must be used only for specified, explicit and legitimate purposes
- Data minimisation: the data held should be adequate, relevant and limited to what is necessary for those purposes
- Accuracy: personal data records should be accurate and, where necessary, kept up to date
- Storage limitation: data should not be kept in identifiable form for longer than required
- Integrity and confidentiality (security): personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability: according to the UK GDPR regulator, the ICO, accountability is the seventh data protection principle. It states: “The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your GDPR compliance.”
See what people are saying about us
Excellent people to work with.
Very good knowledge of the requirements, and they gave us correct findings with excellent remedies to improve the security of our B2B portal site.
Harman was great, really knowledgeable
Harman was great, really knowledgeable, helpful and on hand to answer any questions. The final report was very clear providing the technical information in an easy to read format which could be understood by the leaders of the business.
My experience of the team was 5 star.
They were so helpful, and their technical delivery and client communication were excellent.
Extremely satisfied with approach, speed and end results. Thanks.
Our GDPR solutions do not promise 100% security or sell fear and uncertainty. The tailored approach helps to assess and address gaps in your cyber security controls and strategy, preparing you for detection, response and recovery when an incident does occur.
Since the GDPR came into effect in May 2018, there have been a number of high-profile data breaches and fines. Here are some of the most notable ones:
- In 2019, the ICO announced its intention to fine British Airways £183 million for a 2018 breach of its website and mobile app in which customer card and personal details were stolen; the final penalty, issued in October 2020, was £20 million.
- In 2018, Facebook was fined £500,000 by the ICO for its role in the Cambridge Analytica scandal. Because the conduct pre-dated the GDPR, this was the maximum penalty available under the previous Data Protection Act 1998.
- In 2019, the ICO announced its intention to fine Marriott International £99 million for a breach of the Starwood guest reservation database, initially estimated to affect up to 500 million guests; the final penalty, issued in October 2020, was £18.4 million.
These are just a few examples of the GDPR breaches and fines levied since May 2018. The GDPR allows fines of up to €20 million or four percent of annual global turnover, whichever is higher.