The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The requirements contained in the GDPR differ significantly from the Data Protection Act 1988 (DPA). It is likely that you will need to review and make changes to your data protection practice. You might also think about using the introduction of the GDPR as an opportunity to improve the way in which you handle personal information. Your customers, employees and supervisory authorities - the Information Commissioner’s Office in the UK - will expect a lot more of you from 25 May 2018.
Countdown
The GDPR is an EU regulation published on 27 April 2016 and it will apply in the United Kingdom from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The GDPR applies across the EU, but different EU countries are expected to apply certain exemptions. Although the GDPR will bring greater harmonisation across the EU in the legal requirements relating to data protection, there are likely to be some differences in the way in which the GDPR is interpreted and enforced in different EU countries.
If you carry out processing across the EU, you will be primarily regulated by the supervisory authority in the jurisdiction in which you have your main establishment.
Core rules remain the same
The GDPR retains the same core rules as the DPA and regulates the processing of personal data.
The term ‘personal data’ is defined in detail and makes it clear that information such as IP addresses and other online identifiers can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. For most organisations keeping HR records, customer lists or contact details etc., the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition.
The concept of sensitive personal data has been retained and expanded to include genetic and biometric data.
Before processing personal data under the GDPR, you will need to identify and document a lawful basis - these are referred to as the ‘conditions for processing’ under the DPA. Obtaining consent from the individual concerned is one way to justify processing personal data, and there are others.
All processing must comply with six general principles. These principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement.
If you are relying on consent as the lawful basis for processing, the GDPR requires some form of a positive opt-in – consent has to be verifiable and cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.
As under the DPA, consent to process sensitive personal data must be explicit. Consent to transfer personal data outside the EU must now also be explicit.
Controllers and processors
In broad terms, a ‘controller’ decides how and why personal data is processed, and a ‘processor’ acts on the controller’s behalf.
The GDPR expands the list of provisions that a controller must include in its contract with any processor.
Some aspects of the GDPR are directly applicable to processors. This will be a major change for some organisations which have avoided direct regulation under the DPA by setting themselves up as processors.
A processor will be jointly and severally liable with the relevant controller for compensation claims by individuals.
Data subjects’ rights
The GDPR largely preserves the existing rights of individuals to access their own personal data, rectify inaccurate data and challenge automated decisions about them. The GDPR also retains the right to object to direct marketing.
There are also potentially significant new rights for individuals, including the ‘right to be forgotten’ and the right to data portability, which allows individuals to obtain and reuse their own personal data for their own purposes.
The GDPR increases the amount of information you need to include in your privacy notices. Those notices must also be concise and intelligible.
Consent from a child in relation to online services will only be valid if authorised by a parent. A child is someone under 16 years old, though EU countries can reduce this age to 13 years old.
There are other protections for children including providing them with a stronger ‘right to be forgotten’.
Under the GDPR, you must not only comply with the six general principles, but also be able to demonstrate you comply with them. You are expected to put into place comprehensive but proportionate governance measures. Practically, this is likely to mean more policies and procedures for your business.
If you are carrying out ‘high risk’ processing, you must carry out a privacy impact assessment and, in some cases, consult your supervisory authority. This could have significant timing implications for your project.
It may be possible to demonstrate compliance, and comply with other obligations in the GDPR, by signing up to a code of practice or becoming certified.
Data protection officer
You may be obliged to appoint a data protection officer. This depends on what processing you carry out.
The data protection officer must be involved in all data protection issues and cannot be dismissed or penalised for performing the role.
The data protection officer must report directly to the highest level of management within your organisation, i.e. board level.
The GDPR primarily applies to businesses established in the EU.
The GDPR will also apply to businesses based outside the EU that offer goods and services to, or monitor individuals in, the EU.
Transfers outside the EU
The GDPR prohibits the transfer of personal data outside the EU, unless certain conditions are met. Those conditions are broadly the same as those under the DPA.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
Controllers must report data breaches to their supervisory authority normally within 72 hours (unless the breach is unlikely to be a risk for individuals). You may also have to inform affected individuals.
Supervisory authorities will be able to issue fines of up to 4% of annual worldwide turnover or €20 million.
Supervisory authorities have a wide range of other powers. They can audit you, issue warnings, and impose a temporary or permanent ban on processing.
Individuals can sue you for compensation to recover both material damage and non-material damage, such as for distress.