The GDPR uses terminology that many people find confusing. It also defines a number of roles and responsibilities and introduces some new roles. These are explained below:
Personal Data
Name, address, date of birth, doctor’s name and address, etc.
Special Category Data
Includes sensitive information such as medical history, medical and dental records, ethnic origin, race, political opinions, religion, trade union membership, genetics, biometrics, health, sex and sexual orientation. It also includes criminal record checks.
Processing
Includes collecting information about an individual, using it, storing it, securing it, etc. GDPR applies to all businesses and organisations and to all personal data held about individuals.
Personal Privacy Rights
Under GDPR, all individuals who have personal data held about them have the following personal privacy rights:
- Right to subject access
- Right to have inaccuracies deleted
- Right to have information erased
- Right to object to direct marketing
- Right to restrict the processing of their information, including automated decision-making
- Right to data portability
Automated Decision Making
This includes all decisions taken automatically, without human intervention, e.g. email reminders to book an appointment, text or email reminders of appointments, and direct marketing.
Data Portability
The ability to take personal data elsewhere, e.g. to another healthcare provider or to an employer.
Legal Basis for Processing Data
There are six legal bases for processing personal data. You must be able to justify, articulate and document the legal basis on which you collect and process all personal data that you hold.
Data Protection Impact Assessment
A data protection impact assessment is the process of systematically considering the impact that any project or initiative could have on the privacy of individuals.
Data Protection by Design and Default
Data protection by design and default means that everything you do or plan to do, such as new projects and initiatives, is planned and executed with privacy in mind. Everything should always be ‘designed’ with privacy in mind, and that is your ‘default’ position.
Data Protection Officer
A person designated or appointed to ensure the business complies with GDPR.