General Data Protection Regulation info
The General Data Protection Regulation will bring a significant change in data protection law. We hope that you will find this General Data Protection Regulation info helpful. If you can’t find the info that you are looking for, please contact us.
What is the GDPR?
GDPR stands for the General Data Protection Regulation and is the new European Union Regulation set to replace the Data Protection Directive (DPD) and The UK Data Protection Act 1998. After many years of debate, it was approved by the EU Parliament on April 14th 2016 and involves the protection of personal data and the rights of individuals. Its aim is to ease the flow of personal data across the 28 EU member states.
When will the GDPR come into effect?
The Regulation will come into effect on the 25th May 2018 and will bring significant changes to data protection law. Any company deemed non-compliant will face hefty fines.
What effect, if any, does Brexit have on the GDPR?
The UK government has confirmed that the GDPR will come into effect on May 25th, 2018, and that Brexit will have no effect.
Who does the GDPR apply to?
Any organisation which processes and holds the personal data of data subjects residing in the EU must comply with the GDPR. This applies to every organisation, regardless of whether or not they themselves reside in one of the 28 EU member states.
What responsibilities will companies have under this new regulation?
Rules for obtaining valid consent to use personal information will become much tougher when the GDPR comes into force. Therefore, companies must ensure that consent is clear, affirmative, and in plain language. Companies must also make it easy for data subjects to withdraw consent if they wish to do so.
According to the Information Commissioner’s Office (ICO), organisations are expected to:
“… put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
What kind of information does the GDPR apply to?
Much like the Data Protection Act 1998, the GDPR applies to personal data. The Data Protection Act 1998 defines personal data as: “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
However, although this definition will mostly remain unchanged, it will be slightly more detailed in that it will make clear that online identifiers, such as an IP address, will also be classed as personal data.
Sensitive personal data – The GDPR refers to sensitive personal data as “special categories of personal data which uniquely identify a person.” This will include genetic data and biometric data.
The GDPR applies to all customer, client and staff data.
Are there any specific rules businesses should be following in order to ensure compliance?
The GDPR states that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected only for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Held only for the absolute time necessary and no longer
- Processed in a manner that ensures appropriate security of the personal data
All of your policies and processes must reflect these principles. We can draft all of your policies and processes and train you and your staff.
What will the penalties be for failing to comply with the GDPR?
The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed. An organisation must self-report breaches to the ICO within 72 hours of the breach.
The maximum fine a company can face is 4% of their annual global turnover, or €20 million, whichever is the highest.
Less serious violations, such as having improper records, or failing to notify of any breaches, can be fined a maximum of 2% of their annual global turnover, or €10 million.
Do all organisations now have to appoint a Data Protection Officer (DPO)?
It is not necessarily compulsory for all organisations to appoint a DPO as this will be dependent upon a number of factors. According to the ICO, a company should appoint a DPO if they:
- are a public authority (with the exception of courts acting in their judicial capacity)
- carry out large scale systematic monitoring of individuals, such as online behaviour tracking; or
- carry out large scale processing of special categories of data (e.g. health) or data relating to criminal convictions and offences
The EU’s Working Party 29 has stated that a DPO must be an expert in data protection law and must not be senior management, Head of IT, Head of HR or any post that has anything to do with the processing of data. The DPO must be objective and report to board level.
Typically, organisations that will require a DPO include health care providers (doctors, dentists, chiropractors, physiotherapists, etc.), insurance companies, private security companies, marketing companies, charities, etc.
Any organisation is able to appoint a DPO if they wish to do so. However, even if a company chooses not to appoint a DPO because the above doesn’t apply to them, they must still ensure that they have sufficient staff and skills in place to be able to carry out their obligations under the GDPR.
We can act as your DPO for as little as one hour a month.
What rights will individuals have under the GDPR?
There are eight fundamental rights of individuals under GDPR. Your organisation’s data protection governance will need to encompass these rights. The rights are:
- The right to be informed – Organisations must be completely transparent in how they are using personal data.
- The right of access – Individuals will have the right to know exactly what information is held about them and how it is processed.
- The right of rectification – Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to have their personal data deleted or removed without having to give a specific reason for wishing to discontinue.
- The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
- The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
- The right to object – In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
- Rights of automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.
The GDPR talks about a data processor and a data controller. What is the difference?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. Both will be liable if the processor has a data breach. Controllers will not be permitted to contract with processors who are not GDPR compliant, come next May. This means that any organisation that holds a contract with a public authority (councils, NHS etc) will not be able to do so unless they are fully GDPR compliant.
How does ‘consent’ change under the GDPR?
The conditions for consent have been strengthened. Companies will no longer be able to rely on long, illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.
What about Data Subjects under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
What does my organisation need to be compliant with the GDPR?
Accountability is of primary importance under the GDPR. You must be able to provide evidence that your organisation is compliant so a range of policies and processes are required, along with IT security.
Can I do the data protection governance (policies and processes) myself?
Yes, you can, but you should have expert knowledge of data protection law and of the General Data Protection Regulation. We can do a data protection audit, write all of your policies and train your staff. We can also act as your DPO for as little as one hour a month. Leaving your data protection to us will allow you to concentrate on your business.