What is Personal Data?
‘Personal data’ is any information about an identifiable person.
- An identifiable person can be directly or indirectly identified by reference to an identification number or one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
- The ‘data subject’ is the title given to the person whose personal data are collected, held or processed.
- In the EU and worldwide, the data subject’s rights regarding the processing, handling and storing of their personal data are codified in law (better in some jurisdictions than others).
- These rights must be respected by all public and private sector organisations and individuals in possession and/or control of such data.
What is the difference between EU GDPR and UK GDPR, and CCPA and CPRA?
The rights for the protection of personal data vary significantly from one jurisdiction to another.
We are often asked about these similar but different regulations and statutes regarding Personal Data Protection. So, we decided to put this short introduction together and tell you where to go for further authoritative information.
EU GDPR (EU and EEA)
The General Data Protection Regulation (EU GDPR) is the world’s strictest privacy and security law. It applies throughout the EU and EEA area.
Though it was drafted and passed by the European Union (EU), it imposes obligations onto organisations anywhere globally, so long as they target or collect data related to people in the EU.
The regulation was put into effect on May 25, 2018, and levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
With the GDPR, Europe is signalling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services, and breaches are a daily occurrence.
The regulation is significant, far-reaching, and relatively light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
The six most common applications of GDPR are:
- EU PARENT COMPANY: If your parent company is registered in an EU member state, GDPR compliance may be coordinated at that level. If so, you may be able to rely on parent company procedures.
- PERSONAL DATA STORED LOCALLY: You will almost certainly hold local data that the parent company's processes do not capture. Examples might include HR/payroll records and mobile phone contacts.
- LOCAL SUPPLIERS: You should formally advise local suppliers of your potential need to audit their processes for GDPR compliance, mainly where local suppliers are a vital part of the supply chain.
- STAFF TRAINING: Training is required for everyone in the company, regardless of position, from the goods received clerk to the board of directors. Embedding GDPR principles in the company culture will be critical in achieving compliance. Therefore, while training is necessary, top management support is also vital.
- OFF-SITE STORAGE: When evaluating the results of a data audit, you should consider the status of archive documents held off-site. You should also document how such information is controlled when it is retrieved from the archive and re-introduced into the main body of company documentation.
- TRADING WITH NON-EU COMPANIES: If you are trading with entities in a 3rd country that does not have an adequate data protection regime, personal data transfer may only occur via a legal transfer mechanism.
UK GDPR (United Kingdom)
The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK’s data privacy law that governs the processing of personal data from individuals inside the UK.
The UK-GDPR was drafted due to the UK leaving the EU, which resulted in the EU’s GDPR not applying domestically to the UK any longer.
There are very few substantial differences between the UK-GDPR and its EU equivalent.
Essentially, the UK has lifted the entire structure of the EU GDPR and put it into UK law. However, the UK-GDPR changes critical areas of the law concerning national security, intelligence services and immigration.
As with EU GDPR, any company or organisation that processes personal data from individuals inside the UK must comply with the UK-GDPR – even if the organisation isn’t located within the UK.
In June 2021, the European Commission (EC) adopted two UK data adequacy decisions. These decisions mean data flows between the EU and the UK can continue, and no additional safeguards are required.
The UK plans to introduce new legislation regarding data protection before the end of 2023 and to abandon UK-GDPR. Likely consequences will include loss of the EU data adequacy decision benefits and further disruption of UK trade with the EU.
CCPA (California)
Personal Data Protection needs to be better developed in the USA. The most stringent relevant law is the California Consumer Privacy Act (CCPA, January 2020), a state statute intended to enhance privacy rights and consumer protection for residents of California. The law created an array of consumer privacy rights and business obligations regarding collecting and selling personal information.
The Act intends to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights.
The difference between GDPR and CCPA is that the CCPA protects “consumers”, who are natural persons and who must be California residents to be covered, whilst the GDPR protects “data subjects”, who are natural persons with no residency or citizenship requirement specified.
Variants of CCPA have been adopted by other States of the USA, where the individual states decide on data protection matters. A Federal solution is far more beneficial to American owners and users of personal data.
CPRA (California)
The California Privacy Rights Act (CPRA), Proposition 24, is a ballot measure California voters approved on November 3, 2020. It significantly amends and expands the CCPA and is sometimes called CCPA 2.0. Most of the provisions of CPRA won’t become operative until Jan. 1, 2023.
The CPRA creates two additional rights:
- the right to correct inaccurate personal information; and
- the right to limit the use and disclosure of sensitive personal information.
How does personal data protection work elsewhere in the world?
By 2023, 65% of the world’s population will have its personal data covered under current privacy regulations, according to Gartner, the global research organization.
As increasing social and economic activities occur online, the importance of privacy and data protection is increasingly recognized. Of equal concern is the collection, use and sharing of personal information with third parties without notice or consent of consumers.
Many data protection law initiatives continue to be passed and adopted. 2022 will see more regions in Europe, the Middle East, the United States, and the Asia Pacific introducing or amending data privacy and protection laws.
137 out of 194 countries had put in place legislation to secure the protection of data and privacy.
Africa and Asia show different levels of adoption, with 61% and 57% of countries respectively having adopted such legislation. The share in the least developed countries is only 48%.
How to become a Data Protection Officer
So far, there is no nationally or internationally recognized qualification that will make you an expert Data Protection Officer – DPO (regardless of any claims a training provider may make); however, it doesn’t hurt to have demonstrable experience in data protection which you can obtain through professional training and real-life practice.
A note on UK GDPR: At the time of writing, UK GDPR is essentially identical to EU GDPR. After Brexit, the UK government adopted EU-GDPR in its entirety as UK-GDPR with the substitution of the Information Commissioners Office (ICO) for EU National Data Protection Authorities. The intention of the British Government is to abandon all EU Regulations by the end of 2023.
While it is impossible to replace the approx. 2500 pieces of legislation involved before the deadline, the expectation is that, when it occurs, new UK data protection legislation will remain closely aligned with EU regulation in order to maintain the most valuable prize of retaining the adequacy decision for the UK, ensuring the continued free flow of personal data between the two blocs. In any case, UK-GDPR will remain applicable until mid-2025.
Required Knowledge
- Knowledge of Regulatory Requirements – Data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States, have complex legal requirements. DPOs must have a strong understanding of these regulations, including their rights, obligations, and implications. You should be able to interpret and apply the law to your organization’s data processing activities.
- Knowledge of Data Privacy Principles and Practices – A DPO should be well-versed in data privacy principles and practices. These include understanding data collection, data subject rights, data portability, data storage, processing, and transfer. You must know how to perform data protection impact assessments (DPIAs) and understand the risks associated with various data processing activities.
- Understanding of How Information Technologies Relate to Data Security – Certification to ISO 27001, the information security management system standard, will significantly help here. Indeed, compliance with GDPR requirements should already have been addressed in such a system. Otherwise, your own work in initiating a personal data protection system will provide the answers, and undoubtedly, documentation of the implementation and maintenance of the organization’s ICT systems will be available.
- Knowledge of the Organization and the Processing Operations Carried Out – Experience gained over time while working on the organization’s data privacy and protection system will help provide such understanding. Also, any analysis done and recorded when the current personal data protection system was planned and implemented should be studied. If none exists, your own work initiating a personal data protection system will provide the answers.
Required Skills
- Communication and Interpersonal Skills – Effective communication is essential for a DPO. You need to be able to convey complex legal and technical information to colleagues at all levels of the organization. Additionally, interpersonal skills are crucial when dealing with data subjects, supervisory authorities, and other stakeholders. (Note that the internal auditing of your systems against GDPR requirements, which involves interactions with staff at all levels, is an excellent way of promoting GDPR awareness generally)
- Problem-Solving and Analytical Abilities – DPOs should be adept problem solvers. You need to be able to assess data protection issues and find solutions that align with legal requirements and business goals. Strong analytical skills will help you identify potential risks and compliance gaps.
- Ethical and Professional Conduct – Integrity and ethical conduct are paramount for a DPO. You should be committed to upholding individuals’ privacy rights and act as an impartial advisor within the organization.
With a combination of the above, together with continuous learning, you will have the necessary tools to navigate the complex and ever-changing landscape of data protection and be a crucial asset to your organization’s bid for data privacy and security.
What do your GDPR and DPO courses have to offer?
Our EU GDPR Implementer and DPO Course provides affordable, practical, and understandable guidance on complying with GDPR requirements.
Too often, courses on GDPR leave the learner with only one thought: help! While banks and large government bodies have complex situations regarding the personal data they hold and process, in the vast majority of cases, a structured and reasoned approach suited to the complexity of the organization’s data protection is required. This Course provides such instruction and guidance.
It is ideally suited…
- to new organizations implementing a personal data protection management system for the first time and
- to organizations seeking to improve GDPR compliance where the present arrangements (new products, new services, new processes, improved technology, etc.) no longer meet compliance requirements.
A significant benefit of choosing our courses is the comprehensive package of documentation and reprints that are included free of charge. This includes …
- EU GDPR Regulations 2016 (consolidated)
- EU Explanatory Note of Processing of Personal Data
- EU GDPR Compliance Audit Checklist
- EU GDPR Readiness – 32 key issues
- EU GDPR Terms and Definitions
- Infographic: GDPR Compliance Roadmap
- GDPR Gap Analysis Tool
- GDPR Personal Data Asset Register
- GDPR Risk Assessment and Treatment Tool
- Infographic: Path to GDPR Compliance
- Procedures Template
- Relevant Skills for a DPO (Data Protection Officer)
- Sample Data Processing Agreement
- Sample GDPR Company Privacy Policy
- Sample GDPR Right to Erasure Form
- Sample Personal Data Breach Procedure (x 2)
- Data Protection Impact Assessment Template
The courses provide the extra data protection expertise you need, including step-by-step instructions on implementing GDPR and detailed tuition on the role of the Data Protection Officer (DPO).
Where can I see further information?
Follow these links to get detailed information and advice…