
Thirteen Point Guide to the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (“GDPR”) will come into force and apply to all EU member states from 25 May 2018. The UK’s decision to leave the EU will not affect the commencement of the GDPR. It contains eighty-eight pages, 99 articles and 173 related recitals and is therefore no small piece of legislation.
Overall, the principles under the GDPR are similar to those under the current Data Protection Act. However, there are new elements and significant enhancements, particularly in relation to accountability. The GDPR puts the onus on organisations to show how they comply with the data protection principles, and there is a greater emphasis on documenting specific activities.
Other key changes to be aware of include:
  • Wider scope of application – certain definitions under the GDPR have been broadened, for example, the definition of “personal data”.
  • Higher penalties – the GDPR introduces tougher sanctions, including administrative fines for non-compliance of up to €20,000,000 or 4% of the organisation’s global turnover (whichever is the greater).
  • Data breach notifications – the GDPR will put a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individual affected.
  • More significant rights for individuals – the GDPR creates new rights for individuals and also strengthens some of the existing rights under the Data Protection Act.
  • Children’s personal data – the GDPR contains new provisions enhancing the protection of children’s personal data; previously, under the Data Protection Act, there has not been any special protection for children.
Further information on how to prepare for the GDPR is set out in our Thirteen Point Guide below.
GDPR Guide – Thirteen steps to take now
Preliminary steps
1. Awareness
Ensure that the key people in your organisation know that the law is changing and that they understand the impact that it will have on the organisation; reviewing the organisation’s policies early will give you a head start. The ICO’s overview of the GDPR can be found here.
2. Information you hold
Carry out an audit to determine what personal data you hold, where it came from and who you share it with. Going forward, under the GDPR, you will need to maintain records of processing activities setting out the legal basis for the processing, so getting your records in order before the GDPR comes into effect will help set a precedent.
3. Communicating privacy information
Existing data policy and privacy notices/policies will not be compliant with the GDPR, so the necessary amendments will need to be made to them in time for the implementation of the GDPR. The GDPR requires information to be provided in concise, easy to understand and clear language. See Article 15.
4. Data Protection by Design and Data Protection Impact Assessments
Under the GDPR, privacy by design is a requirement and in certain circumstances privacy impact assessments will be mandatory. A privacy impact assessment will be required where data processing is likely to result in high risk to individuals, for example, where new technology is being used or sensitive personal data is involved. See Article 25.
5. Data Protection Officers
Ensure that you designate someone to take responsibility for data protection within your organisation. If required, you will need to formally designate a Data Protection Officer, for example, if you are a public authority. See Article 4.
6. Individuals’ rights
Under the GDPR there are enhanced rights for individuals; you should ensure that your procedures and policies cover all of the rights that individuals have, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision-making and profiling.
7. Subject access requests
Ensure that procedures are updated to take into account the new rules on requests; in most cases you will not be able to charge for a request and will only have one month to comply with requests. See Articles 12 and 15.
8. Lawful basis for processing personal data
Under the GDPR you will need to be able to explain the legal basis for your processing activity. This will need to be documented and your privacy notice will need to be updated to explain this. See Article 6.
9. Consent
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be a positive opt-in and consent must be separate from other terms and conditions. See Article 7.
10. Children
The GDPR puts in place special protection for children, requiring a parent or guardian’s consent for any data processing activity in the context of commercial internet services such as social networking. This will be relevant if you offer information society services to children. The age that a child can give their own consent to processing is sixteen, although this may be lowered to thirteen in the UK. See Article 8.
11. Data breaches
In circumstances in which a data breach is likely to result in a risk to the rights and freedoms of individuals, you will need to notify the ICO, and also the individual if the breach is likely to have a significant detrimental effect on the individual, for example, if the breach may result in discrimination or financial loss. See Articles 33 and 34.
12. Transfers within the EU
Where you have establishments in more than one EU member state, you should determine who your lead data protection supervisory authority is.
13. Transfers outside the EU
Under the GDPR, the transfer of personal data outside of the EU is prohibited unless certain conditions are met. The conditions include, for example, transfers made with consent, transfers necessary for important reasons of public interest and transfers necessary for the performance of a contract. See Chapter 5.
Previously published as the Thirteen Point Guide to the General Data Protection Regulation (GDPR) on Stone King LLP's website on 3 August 2017

Disclaimer: This article may not be reproduced without the prior written permission of the author, Stone King LLP. This article reflects current law and practice. It is intended to be general in nature, and does not purport in any way to be comprehensive or a substitute for legal advice in individual circumstances.
