Data protection – introduction to GDPR
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will make significant changes to data protection legislation in the UK. Some of the principal changes that will be seen when GDPR is enacted are discussed below.
Who will be affected by GDPR?
GDPR applies to data ‘controllers’ and ‘processors’, and these definitions are much the same as under the current Data Protection Act (DPA): the controller is the body responsible for how and why personal data is processed, and the processor acts on the controller’s behalf. Data processors will have a legal responsibility to maintain records of personal data and of all processing activities, and data breaches will incur far more significant liability than under the DPA. Controllers also face significant obligations, including a responsibility to ensure that their processors comply with GDPR. Any organisation conducting business in the EU will be covered by GDPR, as will organisations operating outside the EU that offer goods or services to EU citizens.
What information is covered by GDPR?
In much the same way as the DPA, GDPR applies to personal data. The GDPR definition of personal data is far more detailed than the DPA’s, however: even online identifiers such as IP addresses are classed as personal data. This more expansive definition of personal identifiers better reflects changing technology and the manner in which organisations now collect information about consumers.
Most business organisations already maintaining HR records, customer lists and contact details will find the new definition makes very little difference, and if you already hold information that falls under the terms of the DPA you should assume it will remain within the scope of GDPR.
GDPR applies both to automated personal data and to manual filing systems, which is a wider scope than that of the DPA. Where personal data has been coded or given pseudonyms it is also likely to fall within the remit of GDPR, although this will depend on how difficult it is to attribute the codes to individuals.
Data protection principles under GDPR are very similar to those in the DPA, although there are some differences and a new requirement for accountability. Compliance with the accountability requirement will mean that businesses have to show how they have met the principles of the legislation, which is likely to entail substantial documentation. Privacy impact statements may well be a requirement for many businesses, as GDPR places a good deal of responsibility upon businesses to carry out governance measures.
Businesses may also be required to appoint a data protection officer and there is a duty to report significant data breaches to the relevant authorities, and possibly also to individuals concerned. Restrictions will also be in place to control the transfer of personal data outside the EU.
The following business principles will be in place:
Lawful processing – organisations will need to demonstrate a lawful basis for the processing of personal data.
Individual consent – consent from individuals for businesses to process or hold their personal data must be unambiguous and freely given. It will not be possible to rely upon pre-ticked boxes or inactivity to infer consent, as individuals need to positively opt in.
Children’s data – where children’s data is collected new provisions are in place to add protections, particularly where online services are concerned.
Where data is held on private individuals, GDPR strengthens the data protection rights of all individuals, including:
The right to be informed
This will normally be supplied by way of a privacy notice and is far more detailed than the requirements under the DPA.
Rights of access
Under GDPR individuals will have the right to obtain confirmation that their data is being processed and to access that data.
Right to erasure or to be forgotten
Individuals have the right to request the deletion of personal data where there is no compelling reason for it to be processed.
Rights to amend errors
Individuals will have the right to have incorrect data amended, and businesses will have one month to comply with any such request.
Rights to restrict processing
This is similar to the right to suppression of personal data offered under the DPA; businesses may retain sufficient information about the individual to ensure the restriction is honoured in future.
Right to object
Individuals have the right to object to the processing of their data; however, the objection will not always be upheld if the data is being processed for legitimate and lawful reasons. Where an objection is received to data being held for direct marketing purposes, all processing for that purpose must cease.
Rights to data portability
This allows individuals to obtain their data and re-use it across different services.
Rights relative to automated decision-making and profiling
This is a safeguard against potentially damaging decisions that could be made as a result of automated processing, and is similar to existing rights under the DPA.
To find out more about how GDPR will affect your business, or to benefit from our pre-designed policy templates and guides on GDPR, get in touch with us today.