What are the key provisions of the GDPR?

Chapter 1 of the GDPR (General Data Protection) outlines four general provisions that summarise the Regulation’s aims, regulatory requirements and key definitions.

Understanding these are essential for GDPR compliance, so if there’s anything that you’re unsure of, you’ll benefit from this guide.

1. Subject matter and objectives

The first provision is a basic explanation of what the GDPR is – i.e. a set of rules that are intended to protect people’s personal data and their rights related to them.

It adds that, although safeguards must be in place, there are no restrictions on the free movement of personal data within the EU.

2. Material scope

The second provision outlines what information is and isn’t subject to the GDPR’s requirements.

This means, first of all, understanding the definition of personal data – which is much broader under the GDPR than its predecessor, the DPA (Data Protection Act) 1998.

In basic terms, personal data is any piece of information that someone can use to identify, with some degree of accuracy, a living person. Article 4 of the GDPR adds that this is

in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Second, you need to understand that the use of this information is only subject to the GDPR if the processing is done “wholly or partly by automated means” or when being used, or intended to be used, within a filing system.

‘Processing’ includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval and disclosure of personal data.

3. Territorial scope

The third provision explains how the GDPR’s requirements are affected by the physical location of the organisation and data subject.

It states that the rules apply:

  • To all EU residents’ personal data – irrespective of whether the organisation processing the information is within the EU or not;
  • To all processing that takes place on behalf of data controllers or processors that are established in the EU, regardless of whether the actual processing takes place in the EU; and
  • Where an EU member state’s law applies by virtue of public international law.

4. Definitions

The final provision defines the key terminology used in the GDPR. Some of the explanations that you might find helpful and which we’ve not already covered include:

  • Pseudonymisation

Pseudonymisation is the process of replacing personally identifiable information with artificial identifiers (pseudonyms) in order to conceal the data subject it relates to.

For example, you might replace data subjects’ names, addresses or other data with reference numbers.

If that data is then breached, there would be no way of connecting it with the data subject without additional information – which should, of course, be held separately.

  • Data controller

A data controller is the person or group that decides when and why an organisation collects data.

If you have the authority to determine that information needs to be collected, you are a data controller.

  • Data processor

A data processor does the work associated with processing personal data. It is the organisation that the individual provides their information to and is responsible for storing and protecting that information.

The data controller and data processor will be the same organisation if it performs both functions.

  • Personal data breach

A data breach is any incident that results in the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.

As this definition suggests, data breaches aren’t always a result of cyber criminals hacking into an organisation’s systems.

Indeed, many incidents are the result of employees inadvertently making information public, whether that’s through a technical error on the organisation’s website, sending an email to the wrong person or losing a laptop or removeable device that contains sensitive information.

  • Supervisory authority

Each EU member state has a public body that’s responsible for overseeing GDPR compliance. These are known as supervisory authorities.

The UK’s supervisory authority is the ICO (Information Commissioner’s Office).

  • Genetic data and biometric data

Genetic data and biometric data are similar, but distinct, categories of sensitive information.

The GDPR defines genetic data as information “inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that […] person”.

Biometric data, by contrast, consists of personal data gathered from “specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.

GDPR compliance support with GRCI Law

Are you looking for help meeting your GDPR compliance requirements? If so, should take a look at our Privacy as a Service solution.

Led by a team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, we’ll work with you to develop a tailored solution that suits your needs.

This includes help with your DPO requirements, breach notification processes and data privacy management, and support completing DSARs (data subject access requests).