The General Data Protection Regulation (“GDPR”) will come into force and apply to all EU member states from 25 May 2018. The UK’s decision to leave the EU will not affect the commencement of the GDPR. It contains eighty-eight pages, 99 articles and 173 related recitals and is therefore no small piece of legislation.
Overall, the principles under the GDPR are similar to those under the current Data Protection Act. However, there are new elements and significant enhancements, particularly in relation to accountability. The GDPR puts the onus on organisations to show how they comply with the data protection principles, and there is a greater emphasis on documenting specific activities.
Other key changes to be aware of include:
- Wider scope of application – certain definitions under the GDPR have been broadened, for example, the definition of “personal data”.
- Higher penalties – the GDPR introduces tougher sanctions, including administrative fines for non-compliance of up to €20,000,000 or 4% of the organisation’s global turnover (whichever is the greater).
- Data breach notifications – the GDPR will put a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individual affected.
- More significant rights for individuals – the GDPR creates new rights for individuals and also strengthens some of the existing rights under the Data Protection Act.
- Children’s personal data – the GDPR contains new provisions enhancing the protection of children’s personal data; previously, under the Data Protection Act, there has not been any special protection for children.
Further information on how to prepare for the GDPR is set out in our Thirteen Point Guide below.
GDPR Guide – Thirteen steps to take now
Preliminary steps
1. Awareness
Ensure that the key people in your organisation know that the law is changing and that they understand the impact that it will have on the organisation; reviewing the organisation’s policies early will give you a head start. The ICO’s overview of the GDPR can be found here.
2. Information you hold
Carry out an audit to determine what personal data you hold, where it came from and who you share it with. Going forward, under the GDPR, you will need to maintain records of processing activities setting out the legal basis for the processing, so getting your records in order before the GDPR comes into effect will help set a precedent.
3. Communicating privacy information
Existing data policies and privacy notices/policies will not be compliant with the GDPR, so the necessary amendments will need to be made to them in time for the implementation of the GDPR. The GDPR requires information to be provided in concise, easy-to-understand and clear language. See Article 15.
4. Data Protection by Design and Data Protection Impact Assessments
Under the GDPR, privacy by design is a requirement and in certain circumstances privacy impact assessments will be mandatory. A privacy impact assessment will be required where data processing is likely to result in high risk to individuals, for example, where new technology is being used or sensitive personal data is involved. See Article 25.
5. Data Protection Officers
Ensure that you designate someone to take responsibility for data protection within your organisation. If required, you will need to formally designate a Data Protection Officer, for example, if you are a public authority. See Article 4.
Rights
6. Individuals’ rights
Under the GDPR there are enhanced rights for individuals; you should ensure that your procedures and policies cover all of the rights that individuals have, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision making and profiling.
7. Subject access requests
Ensure that procedures are updated to take into account the new rules on requests; in most cases you will not be able to charge for a request and will only have one month to comply with requests. See Articles 12 and 15.
8. Lawful basis for processing personal data
Under the GDPR you will need to be able to explain the legal basis for your processing activity. This will need to be documented and your privacy notice will need to be updated to explain this. See Article 6.
Consent
9. Consent
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be a positive opt-in and consent must be separate from other terms and conditions. See Article 7.
10. Children
The GDPR puts in place special protection for children, requiring a parent or guardian’s consent for any data processing activity in the context of commercial internet services such as social networking. This will be relevant if you offer information society services to children. The age at which a child can give their own consent to processing is sixteen, although this may be lowered to thirteen in the UK. See Article 8.
Notifications
11. Data breaches
In circumstances in which a data breach is likely to result in a risk to the rights and freedoms of individuals, you will need to notify the ICO, and also the individual if the breach is likely to have a significant detrimental effect on the individual, for example, if the breach may result in discrimination or financial loss. See Articles 33 and 34.
International
12. Transfers within the EU
Where you have establishments in more than one EU member state, you should determine who your lead data protection supervisory authority is.
13. Transfers outside the EU
Under the GDPR, the transfer of personal data outside of the EU is prohibited unless certain conditions are met. The conditions include, for example, transfers made with consent, transfers necessary for important reasons of public interest and transfers necessary for the performance of a contract. See Chapter 5.
Previously published as the Thirteen Point Guide to the General Data Protection Regulation (GDPR) on Stone King LLP's website on 3 August 2017
Disclaimer: This article may not be reproduced without the prior written permission of the author, Stone King LLP. This article reflects current law and practice. It is intended to be general in nature, and does not purport in any way to be comprehensive or a substitute for legal advice in individual circumstances.