1. What is GDPR?
Hello again! In this video, we'll learn about some key concepts and definitions related to the scope of GDPR, that is: types of data and processing activities and what it means to comply with GDPR.
2. GDPR scope
We've already seen that GDPR covers the EU territory. It has global scope since any organization that processes the data of EU citizens needs to comply with it.
GDPR applies to a variety of automated and manual personal data processing activities. For instance, information retrieval from an online database is considered automated, while fetching a paper record from a filing system is manual.
Personal data, according to GDPR, belongs to natural persons, that is, individuals who are currently alive. Let's dive more into personal data and processing definitions.
3. Personal data under GDPR
Only personal data, not all data, falls under GDPR.
Personal data is any information that can directly or indirectly identify a natural person, also known as the data subject.
Personal data elements include name, surname, photograph, Social Security numbers, IP addresses, description of physical traits, cultural identity, and socio-economic status of a natural person.
This is not a full list of personal data elements, because any data that fits these characteristics is personal data. And there are also some special categories of personal data.
4. Special categories
Special categories of data are considered highly sensitive due to their potential impact on human rights and safety.
Healthcare records, biometric data, sexuality and sexual orientation, criminal records, religious and political beliefs, and trade union membership information are highly sensitive.
Personal data from vulnerable groups, such as children under 13, also falls under this special category.
GDPR places more restrictions and additional obligations for data processing activities concerning highly sensitive data.
But what is data processing according to GDPR?
5. Data processing
According to GDPR, any manual or automated operation that involves personal data is considered data processing. Data processing activities include the collection, organization, analysis, storage, retrieval, sharing, and even erasure of personal data.
These are only a few examples of data processing activities; there are many more. Anything you do with personal data falls under data processing in GDPR.
In real life, data processing activities are wide-ranging. Examples include video surveillance of your office using CCTV cameras, sharing personal data or selling it to third parties, human resources management systems including payroll, accessing information from a database, and even shredding documents that contain personal data.
6. What the law says
GDPR says don't do anything with personal data.
Unless: you have one of the six legal grounds stated in Article 6, you follow all the GDPR principles listed in Article 5, and you fulfill the requirements of all ten articles in Chapter 3 about data subject rights. You must also implement additional measures for special category or sensitive data, like a data protection impact assessment.
Hold on; I'm not trying to overwhelm you with all these legal text references. We will discuss all these terms with practical examples in chapter 2. But for now, remember that you need to comply with all these articles if you do process personal data.
The consequences can be heavy if you don't comply with these rules.
7. GDPR fines
One of the strongest deterrents against non-compliance with GDPR, unlike any other comparable law, is the massive financial penalty.
Companies can be fined up to 20,000,000 euros or 4% of the worldwide annual turnover – whichever is higher.
That seems quite impressive and scary. So who is responsible for ensuring that companies comply with GDPR to avoid such fines, and who enforces and monitors the compliance?
8. Let's practice!
Let's find out in the following video after some exercises testing your knowledge on personal data and processing.