The General Data Protection Regulation (GDPR) is an EU law on data protection and privacy. It was introduced to bring data protection standards up to date in an increasingly digital and data-driven age. Brexit did not remove these obligations: the GDPR was retained in UK law as the "UK GDPR", and UK organisations must comply with it, alongside the Data Protection Act 2018 (DPA 2018), which supplements and tailors the GDPR for the UK. UK organisations that offer goods or services to, or monitor, people in the EU also remain subject to the EU GDPR.
What are GDPR breaches?
When it comes to GDPR failures and abuses, most people think first of data breaches.
Under the GDPR, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. That covers the obvious case of criminals breaking into an organisation's systems to steal information, but also, far more commonly, simple human error (an email sent to the wrong recipient, an unencrypted laptop left on a train) and poor data protection processes.
But GDPR violations are not just about data breaches. A GDPR failure can happen when companies fail to uphold individual data rights in several other ways.
Types of GDPR violations
Common GDPR breaches include:
Not informing people that their personal data is being processed
Under the GDPR, people have a right to be informed when their personal data is collected, used or stored, which is why organisations publish privacy notices. Processing someone's personal data without telling them is a GDPR breach.
Failing to tell people how their personal data is being processed when asked
People have the right to ask how their data is being processed. This is called making a data subject access request (DSAR or SAR). An individual can ask an organisation whether it uses their data, how it is using it, what type or types of data it holds, how long the data will be kept, whether it shares the data with any third parties, and more. The organisation must respond within one month of receiving the request (this can be extended by a further two months where the request is complex, but the individual must be told within the first month). Refusing to answer, or failing to answer within the legal timeframe, is a GDPR breach.
Refusing to keep accurate records on a person
Individuals can challenge the accuracy of any personal data that an organisation holds about them and ask for it to be corrected, added to, or deleted (the rights to rectification and erasure). Organisations do not always have to agree to such requests (for example, a doctor does not have to change an individual's medical history if they believe the request is erroneous). But if they refuse, they must have a legitimate reason and must tell the data subject what that reason is.
Not limiting how data is used on request
Individuals can ask an organisation to restrict the way it uses their personal data. In some circumstances, they can also object to an organisation using their data at all. The right to object to direct marketing is absolute: for example, an individual can stop an organisation from using their data for email marketing, and the organisation must comply.
Making automated decisions that harm people or profiling individuals without their knowledge or consent
Under the GDPR, biometric data processed to uniquely identify a person (for example, facial images run through facial recognition software) is special category data and may only be processed in narrowly defined circumstances. Separately, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them, unless one of a small number of exceptions applies (such as the individual's explicit consent). If an organisation uses technology that discriminates against individuals and automatically makes decisions that harm them, without telling them or obtaining their consent, that technology would not be GDPR compliant.
Making a GDPR breach claim
At Keller Postman UK, we make sure our clients are compensated for any GDPR violations that impact their legal rights. For example, in addition to our various data breach group actions, we support clients who have experienced GDPR violations because of facial recognition software and algorithmic and automated decision-making processes. Find out more.