The General Data Protection Regulation (GDPR) came into force on 25 May 2018 adding some new elements and significant enhancements to the UK’s existing data protection regime.
The GDPR requires all organisations that process the personal data of individuals in an EU member state to protect that data, and to be able to demonstrate that protection. Failure to comply with the regulation can result in significant fines.
The Data Protection Act (DPA) 2018, which received Royal Assent on 23 May 2018, sits alongside the GDPR rather than being superseded by it. The DPA 2018 implements the GDPR in the UK, and also extends its provisions to areas such as the security services and law enforcement bodies, which are not covered by the GDPR alone.
Here we look at the scope and some of the key principles of the GDPR.
The GDPR applies to both controllers and processors of personal data. A controller determines how and why personal data is processed; a processor processes the data on the controller's behalf and under its instructions. Your organisation may be a data processor, a data controller, or both.
There are specific legal obligations on both controllers and processors:
Please see our related factsheet ‘Data Security - General Data Protection Regulation - Ensuring Compliance’ for more detailed information on the documentation requirements.
The GDPR has a number of principles relating to personal data. Whilst these are not dissimilar to those under the UK's DPA, there are some differences, together with a new accountability requirement. Personal data shall be:
Finally, the GDPR requires that the controller shall be responsible for, and be able to demonstrate, compliance with these principles.
Individuals have the right to know how their personal data is going to be processed. The GDPR promotes transparency over processing by way of a privacy notice encompassing (amongst other things) details of the controller, the source of the data, recipients of the data, data transfers made outside the EU, and the retention period of the data.
Individuals have the right to obtain confirmation that their data is being processed, access to their personal data, and other information, such as that provided in a privacy notice.
The time allowed to deal with a subject access request has been reduced from 40 days to one month under the GDPR (extendable by a further two months where requests are complex or numerous), and the right to charge a subject access fee has been removed, unless the request is manifestly unfounded or excessive, for example because it is repetitive.
Individuals have the right to have inaccurate or incomplete personal data rectified. This must also include personal data which is shared or given to third parties.
Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Again, this must also include personal data that is shared or given to third parties.
It is important to note that there are extra requirements when the request relates to a child.
There are some exceptions to the right to erasure, such as where data is held to comply with a legal obligation.
Individuals have the right to restrict the processing of personal data. In these circumstances the personal data can be stored, but not processed.
Individuals have the right to obtain and reuse their personal data across different services. It allows them to move, copy or transfer personal data from one IT environment to another. Personal data must be provided in a structured, commonly used and machine-readable format (such as .csv).
Individuals have the right to object to the processing of personal data. Processing must stop immediately unless there are 'compelling' legitimate grounds for the processing, or if processing is for the establishment, exercise or defence of legal claims.
Individuals have the right to ensure that safeguards are in place to protect against the risk of damaging decisions being taken without human intervention. This also extends to the safeguarding of personal data used for profiling purposes.
The GDPR contains the principle of accountability, which requires that appropriate governance measures are in place. Organisations therefore need to:
The new law places particular emphasis on the issue of consent, stating that an indication of consent must be specific, informed, unambiguous and freely given. Positive consent cannot be assumed from inaction, such as failing to click an online 'unsubscribe' box, or from the use of pre-ticked boxes. Businesses also need to capture the date, time, method and the actual wording used to gain consent, so it is important to ensure that your business has the means to record and retain such information as evidence.
Consent is not the only lawful basis for processing. Legitimate interest is a separate basis that does not require an explicit request for consent, for example where processing is needed to deal with a sale that the individual has raised directly with you.
Legitimate interest allows you to process the individual's data only within the bounds of what they would reasonably expect, and only where your interests are not overridden by theirs. It does not mean that you can use their data in other ways. For example, passing data collected and processed during a sale to a third party unrelated to that sale is not allowed.
If you are to rely on legitimate interest you will take on the responsibility for ensuring that:
Personal data breaches must be notified to the relevant supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
A notifiable breach must be reported within 72 hours of the organisation becoming aware of it; where the breach is likely to result in a high risk to individuals, those individuals must also be informed without undue delay.
The GDPR restricts the transfer of personal data to countries outside the European Economic Area (EEA) unless the destination is covered by an adequacy decision or appropriate safeguards, such as standard contractual clauses, are in place.