A “Directive” means that each country must make their own law similar to our Data Protection Act.
A “Regulation” is a European law in its own right which means the EU can enforce it regardless of the laws in the individual countries.
What is GDPR?
- It is a new EU regulation to strengthen and control the use of personal data for all individuals within the EU.
- In May 2018, GDPR replaced the current Data Protection directive. So, what is the difference between a directive and regulation?
- GDPR will increase privacy for individuals and authorities will have greater powers against businesses that breach Data Protection laws.
Does GDPR impact you?
- If you process, either as a controller or a processor, personal data of any data subjects who are in the EU, then you are bound by the GDPR laws.
- Read government guidance on the General Data Protection Regulation here.
What is Personal Data?
- Any information relating to an identified or identifiable living person:
- Full name, maiden name, mother’s maiden name or alias
- Date and place of birth, race, religion, weight, geographical indicators, employment, medical, education and financial information
- Address information, street, IP or email address
- Personal identification numbers: National Insurance, passport, driver’s license, patient ID, financial accounts, and credit numbers
- Vehicle registration number
- Telephone numbers including mobile, business and personal
- Personal characteristics, including photo (face or distinguishing features), fingerprints, biometric data (retina scan, etc.)
What are Special Categories?
- Processing is prohibited* of any personal data that reveals:
- Ethnic origin
- Political opinions
- Philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Data concerning sex life
- Sexual orientation
- Some exceptions apply
What is Processing?
- Any operation performed on personal data whether or not by automated means:
- Collection * Adaptation or alteration
- Recording * Use
- Organisation * Disclosure by transmission
- Structuring * Dissemination or otherwise making available
- Storage * Alignment or combination
- Retrieval * Erasure or destruction
What is a Controller?
- Natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.
- Controllers determine:
- The legal basis for collecting data
- Which items of personal data to collect
- The content of the data
- The purpose or purposes the data are to be used for
- Which individuals to collect data about
- Whether to disclose the data, and if so, who to
- Whether subject access and other individuals’ rights apply
- How long to retain the data
What is a Processor?
- Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Within the terms of the agreement with the data controller, and its contract, a data processor may decide:
- What IT systems or methods to use
- How to store
- The detail of the security surrounding the data
- The means used to transfer from one organisation to another
- The means used to retrieve personal data about certain individuals
- The method for ensuring a retention schedule is adhered to
- The means used to delete or dispose of the data
What are Data Subjects?
- An individual who is the subject of personal data:
- The individual whom particular personal data is about
- Is a living person who is in an EU Member State
- An individual who has died or who cannot be identified or distinguished from others is NOT a data subject.
- Fair & Lawful – Data is processed lawfully, fairly and in a transparent manner.
- Legitimate – It is collected for specified, explicit and legitimate purposes.
- Limited – It is adequate, relevant and limited to what is necessary.
- Accurate – It is accurate and, where necessary, kept up to date.
- Retention – It is retained only for as long as necessary.
- Security – It is processed in an appropriate manner to maintain security.
These Principles ensure that there is accountability at all times.
What is Lawful?
Processing will only be lawful if ONE of the following conditions is met:
- Data subject gives consent for one or more specific purposes
- Necessary to meet contractual obligations entered into by the data subject
- Necessary to comply with legal obligations of the controller
- Necessary to protect the vital interests of the data subject
- Necessary for tasks in the public interest or exercise of authority vested in the controller
Processing is for the purposes of legitimate interests pursued by the controller
What Are The Penalties?
- ICO (Information Commissioner’s Office) is the UK’s supervisory authority. Their role is to supervise and enforce the GDPR and have the power to conduct investigations and deal with complaints.
- ICO’s enforcement powers include administrative fines:
- €20m or 4% of global turnover, whichever is higher, in cases where the data subject’s rights have been infringed.
- €10m or 2% of global turnover, whichever is higher, in cases where data controllers or processors have not met the obligations of the regulation.
- Read the ICO Guide to the General Data Protection Regulation here.
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act:
- Right to be informed – Concise, clear language, easily and accessible
- Right of access – Provided free of charge, within 1 month
- Right to rectification – If inaccurate or incomplete & must notify third parties
- Right to erasure – If processing is no longer necessary, consent has been withdrawn, they object to processing (and there is no legitimate interest for ongoing processing), it is unlawful, data has to be erased to comply with legal obligation
- Right to restriction – Accuracy of data is contested, or if there is an objection due to legitimate interests
- Right to data portability – This allows individuals to obtain and reuse their personal data for their own purposes, structured format, free of charge
- Right to object – If it is in the public interest or based on legitimate interests: If processing of personal data is for direct marketing; if data is used for profiling; by automated means; scientific or historical purposes
- Rights in relation to automated decision making and profiling – individuals are able to obtain human intervention; express their point of view; and obtain an explanation of the decision and challenge it
- Conditions for profiling, you must:
- Provide meaningful information about the logic involved, as well as the significance and the envisaged consequences.
- Use appropriate mathematical or statistical procedures for the profiling.
- Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and reduce errors.
- Secure personal data in a way that is proportionate to the risk.
There are no restrictions on transferring data to any of the EU Member States (and others in the EEA):
Specific list of countries considered safe (on the basis of adequacy):
|Isle of Man||Israel||Japan||Jersey|
- Model contract clauses are contracts that include transfer arrangements to protect the rights and freedoms of the data subjects, used for transferring data outside the EEA.
- Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA.
- Applicants must demonstrate that their BCRs are in place and have adequate safeguards for protecting personal data throughout the organization.
- Appoint a lead Supervisory Authority.
- The Privacy Shield Framework was deemed adequate by the European Commission. Privacy Shield initially only deals with compliance to the EU Data Protection Directive – it has to be updated for GDPR
Policies and Procedures
It is worth reviewing the Policies and Procedures of your company to ensure that you comply with GDPR laws:
Data Protection Policy / Statement
- Amount of information has increased
- Needs to be clear, concise, for internal/external
Subject Access Requests
- Processes are in place for providing data
- Must be in a usable format and delivered within 1 month
- Re-evaluate – as tighter rules are now in place
- Must apply to all purposes of processing
Right To Be Forgotten
- Under certain circumstances
- Data must be erased if processing is no longer necessary
- Individuals can withdraw previous consent
- Process must be in place and parental if applicable
- Consider cloud storage
- Ensure process and contracts are in place
Data Protection Impact Assessments
- Conduct an assessment for new systems and projects
- Review on a regular basis
- Ensure that contracts in place for all third parties
- Mitigate your liability
Data Breach Process
- Understand your obligations
- Consider data breach register