Please find below a handy guide and frequently asked questions relating to the General Data Protection Regulations.
What is changing?
The General Data Protection Regulation (the Regulation) will become law in all EU Member States on 25th May 2018. As the Regulation is directly effective, there is no requirement for each individual Member State to pass its own legislation to bring the provisions within it into its own domestic law. It is currently unknown what the effect of the UK’s decision to leave the EU will ultimately have on the UK’s stance on data protection.
What does it apply to?
Personal data is similar to that provided for under the Data Protection Act 1998 (the DPA). This is information relating to an identified or identifiable natural person. However, this is now extended to include provisions which take into account advances in technology; therefore online identifiers, such as an IP address, are also included. 'Special categories of personal data' or sensitive data, such as sexual orientation and religious beliefs, continue to be covered by the Regulation, however, this type of data is extended to include genetic and biometric data where it is possible to identify an individual as a result of that data being processed.
Who will it affect?
The provisions of the Regulation apply to businesses that are located in the EU, and those which are solely located outside the EU and process personal data of EU residents and sell goods to them.
Will I need to register with the Information Commissioner?
The Regulation removes the obligation for data controllers to register (notify) with a regulator (in the UK this is the Information Commissioners Office). Controllers are, however, obliged to undertake periodic assessments of the data that they process and the impact upon the protection of the data that they are processing (these assessments are called Data Protection Impact Assessments). This obligation will be pertinent to those industries where big data (i.e. large amounts of data) is prevalent, such as social media providers or those which use data to determine trends or behaviours. In these circumstances, there will be an obligation to notify a regulator where an assessment indicates that the processing would result in a high risk in the absence of measures taken by a data controller to mitigate the risk.
What consent must be given to process personal data?
Consent must be provided by a data subject for the processing of his/her personal data. This consent must be provided by an affirmative action and be unambiguous. As such, inactivity or pre-ticked boxes will no longer constitute consent to the processing of data. Organisations will be required to demonstrate that data subjects have consented to the processing of their data.
Organisations will be required to keep a record of how and when consent was provided and, generally, stop processing data in the event that consent is removed.
An additional layer of protection has been provided for children (generally those under the age of 16, although this age can be reduced to not less than 13 should a Member State determine that this is acceptable). In these circumstances, consent is required from the person who has parental responsibility for the child whose data is to be processed.
Organisations will be required to show how they adhere to the Regulation's principles by, for example, demonstrating what procedures are in place to protect the data that they hold. Many organisations will currently have in place adequate measures; however, it is likely that others will be required to examine and address their current practices to ensure compliance with the Regulation.
What rights does a data subject have?
Below is a summary of some of the rights that a data subject has:
As under the DPA, there is a right of access to the data stored by a processor and confirmation of the processing of it. The Regulation removes the requirement for the payment of a fee (currently this is £10) except in circumstances where a request is manifestly unfounded or excessive, or where information has previously been disclosed. Most requests should be completed within 30 days of the initial request being made.
If any information held is incorrect, the data subject is entitled to request that it is rectified. Where information has been disclosed to third parties, the disclosing party is obliged to ensure that this information is rectified also.
Where there is no compelling reason for personal data to be held, a subject has the right to request that any data be deleted. Further, the data subject may request that any processing of data ceases. This request must be complied with unless there are compelling and legitimate grounds for processing of that personal data.
Will I need to appoint a data protection officer (DPO)?
If you are a public authority or carry out large scale processing of special categories of data or the systematic processing of large amounts of data for monitoring purposes, then it is likely that you will be required to appoint a DPO.
Larger organisations may find that it is prudent for them to appoint a DPO to ensure compliance with the Regulation.
Do I have to report all personal data breaches?
Any breach of security which leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data is likely to be a breach of the Regulation.
Not all breaches are reportable; an organisation will need to determine whether there has been, or there is likely to be, a significant detrimental effect upon individuals.
What to do now?
Organisations should begin to consider what policies and procedures they currently have in place, and whether these will be adequate to meet the obligations imposed upon them under the regime created by the Regulation. Where appropriate, any supply contracts should be considered to ensure that adequate rights are in place, for example relating to reporting of security breaches.
Get in Touch
With Lupton Fawcett on your side, you're taking control. Contact us today.
Please complete this form to make an enquiry and we will get back to you as soon as we can.
Remember you can still call us on 0333 323 5292 or email us at email@example.com