General Data Protection Regulation
The Data Controller has 72 hours to alert the ICO in the event of a GDPR breach.
Fines of up to £8.7 million, or 2% annual global turnover – whichever is higher, for infringements of an organisation's obligations (e.g. data security breach).
Fines of up to £17.5 million, or 4% annual global turnover – whichever is higher, for infringements of an individual's privacy rights.
Always delete personal data that you no longer require.
Don't keep personal data locally, only on secured shared drives or in a database.
Don't update personal data without explicit permission.
Don't share login details as this will corrupt any audit trail.
Don't share personal data with those not authorised to see it.
Key Principles:
Lawfulness, Fairness and Transparency
Purpose Limitation
Data Minimisation
Accuracy
Storage Limitation
Integrity and Confidentiality
Accountability
Right to Access (see SAR)
Right to Rectification
Right to Erasure (where data can be legally deleted)
Right to Restrict Processing (in certain circumstances)
Right to Portability (only applies to information the Data Subject has provided to a Data Controller, not data about the Data Subject that has been gathered from elsewhere)
Right to Object
CNDP - Luxembourg National Commission for Data Protection
Data Journey
DPA - Data Protection Act
DPIA - Data Privacy Impact Assessment
DPO - Data Protection Officer
GDPR - General Data Protection Regulation
ICO - Information Commisioner's Office
PII - Personal Identifiable Information
ROPA - Record of Processing Activities
SAR - Subject Access Request
SCD - Special Category Data
Name
Address and contact details
Date of birth
Spouse/partner details
National Insurance number
Bank details
Passport number
Driving licence details
Racial or ethnic origin
Political opinions
Religious/Philosophical beliefs
Trade Union membership
Genetic/biometric data
Health information
Sexual orientation
Sending personal data to an incorrect recipient
Computing and storage devices containing personal data being lost or stolen
Alteration of personal data without the Data Subject’s permission
Unauthorised access to personal data, or sending data outside the contracted jurisdiction zone
Loss of personal data
Data Controller must report a breach to ICO within 72 hours
Data Processor must report a breach to the Data Controller within 24 hours