Using Humap

Humap and The General Data Protection Regulation

What is it?

  • Summary: The General Data Protection Regulation (GDPR) is an EU regulation that governs the processing and protection of personal data for individuals within the European Union and the European Economic Area (EEA). Its main aim is to give individuals control over their personal data and to streamline the regulatory environment for international business by standardising data protection laws across the EU.
  • Further Reading: GDPR – Official Regulation Text

What are the key principles?

  • Lawfulness, Fairness, and Transparency: Personal data must be processed in a lawful, fair, and transparent manner. Organisations must be clear about how and why they use personal data.
  • Purpose Limitation: Data must only be collected for specific, legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data Minimisation: Only data that is necessary for the purposes outlined should be collected and processed.
  • Accuracy: Personal data must be accurate and kept up to date. Inaccurate data should be erased or rectified promptly.
  • Storage Limitation: Personal data should not be kept for longer than necessary for the purposes for which it is processed.
  • Integrity and Confidentiality: Processing must ensure appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.
  • Accountability: The data controller is responsible for demonstrating compliance with these principles.

What rights do data subjects have under it? 

  • Right to Access: Individuals have the right to request access to their personal data and obtain information about how their data is being processed.
  • Right to Rectification: Individuals have the right to have inaccurate personal data corrected or completed.
  • Right to Erasure (Right to be Forgotten): In certain circumstances, individuals can request the deletion of their personal data.
  • Right to Restrict Processing: Individuals can request the restriction of processing their data under specific conditions.
  • Right to Data Portability: Individuals can receive the personal data they provided to an organisation in a structured, commonly used and machine-readable format, and have it transmitted to another controller, where the processing is based on consent or contract and carried out by automated means.
  • Right to Object: Individuals can object to processing based on legitimate interests or a public task, in which case the organisation must stop unless it can demonstrate compelling legitimate grounds that override the individual's interests. Objections to direct marketing are absolute: the marketing must stop.
  • Rights Related to Automated Decision-Making and Profiling: Safeguards must be in place for decisions made without human intervention.
  • Further Reading: European Commission on Data Protection Rights

What are the compliance requirements for organisations?

  • Data Protection by Design and Default: Organisations must integrate data protection into their processing activities and business practices.
  • Data Protection Impact Assessments (DPIAs): Required for high-risk processing activities to identify and mitigate risks.
  • Appointing a Data Protection Officer (DPO): Mandatory for public authorities, and for organisations whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special category (sensitive) or criminal conviction data.
  • Breach Notification: A personal data breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Affected individuals must be informed without undue delay if the breach is likely to pose a high risk to them. A processor that suffers a breach must notify the controller without undue delay so that the controller can meet these deadlines.
  • International Data Transfers: Transfers of personal data outside the EU/EEA are restricted unless the recipient country is covered by an adequacy decision, appropriate safeguards are in place (such as standard contractual clauses or binding corporate rules), or a specific derogation applies.
  • Further Reading: GDPR Compliance Checklist

What are the consequences of non-compliance? 

  • Summary: Non-compliance with GDPR can result in significant financial penalties. Supervisory authorities can impose administrative fines of up to €10 million or 2% of worldwide annual turnover (whichever is higher) for breaches of obligations such as security measures, record keeping and breach notification, and up to €20 million or 4% of worldwide annual turnover (whichever is higher) for breaches of the core principles, data subject rights or international transfer rules. Authorities can also order an organisation to suspend or stop processing, and individuals can claim compensation for material or non-material damage they suffer.

Is GDPR just for EU Citizens?

GDPR (General Data Protection Regulation) was initially developed for the European Union (EU) and European Economic Area (EEA). However, its scope can extend beyond the EU in certain cases:

Primary Application

GDPR is directly applicable to all EU member states, governing the processing and protection of personal data within the EU and EEA.

Extraterritorial Scope

GDPR has extraterritorial reach, meaning it applies to:

  • Non-EU Businesses: If they offer goods or services to individuals in the EU or monitor their behaviour within the EU. This ensures that data protection follows EU residents, regardless of where the business is located.
  • International Operations: Companies outside the EU must comply with GDPR if they process the personal data of people residing in the EU for activities related to offering products/services or monitoring behaviour.

Implications for Non-EU Countries

Many non-EU businesses, especially those involved in online retail, digital marketing, or analytics that target individuals in the EU, need to comply with GDPR to legally handle personal data. Note that the test is where the individual is located, not their citizenship: an EU citizen living in the United States is not covered by the extraterritorial provisions, while a non-EU national living in the EU is. This has influenced some non-EU jurisdictions to adopt similar data protection laws to align with or facilitate business with the EU.

Conclusion: While GDPR is primarily an EU regulation, its requirements can apply globally to non-EU entities that offer goods or services to, or monitor the behaviour of, individuals in the EU.

Is the UK under GDPR post-Brexit?

UK GDPR

After the UK left the EU, it retained GDPR principles but adapted them into domestic law. This modified version is known as UK GDPR, which is essentially the same as the EU’s GDPR but with adjustments to reflect UK-specific governance.

  • Summary: The UK GDPR, together with the Data Protection Act 2018, forms the core framework for data protection in the UK. It ensures that personal data is processed lawfully, fairly, and transparently and grants individuals similar rights as the EU GDPR.

Key Differences from EU GDPR

  • Jurisdiction: UK GDPR applies specifically to the processing of personal data in the UK.
  • Supervisory Authority: The Information Commissioner’s Office (ICO) is the UK’s independent body responsible for enforcing data protection law.
  • International Transfers: The UK has its own rules for transferring data outside the UK, which include recognising the EU and other countries as adequate for data protection.

Applicability Beyond the UK

  • Non-UK Businesses: Just like the EU GDPR, the UK GDPR applies to businesses outside the UK if they offer goods or services to individuals in the UK or monitor their behaviour.
  • EU-UK Data Transfers: The EU adopted an adequacy decision for the UK in June 2021, meaning personal data can flow from the EU to the UK without additional safeguards. The decision includes a sunset clause and is periodically reviewed, so it can be withdrawn or allowed to lapse if UK data protection law diverges from EU standards. Organisations relying on it should monitor its status.
