May 17, 2017
Overview of the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) will come into effect in the UK and EU-wide from 25 May 2018. This will replace the UK Data Protection Act 1998 (DPA) and Brexit will not affect its commencement, as has been confirmed by the Government.
Who does it apply to?
The Information Commissioner’s Office (ICO) explained that if you are a ‘controller’ or a ‘processor’ as defined under the DPA, then it is likely that you will also be subject to the GDPR.
It places legal obligations on processors to maintain records of personal data and processing activities. Controllers also have to ensure that their contracts with processors comply with the new rules.
The following actions are excluded from the new regulations: processing for national security purposes, processing activities covered by the Law Enforcement Directive and processing carried out by individuals for personal/household activities.
What are the main changes?
The ICO issued a checklist with 12 steps businesses and organisations (such as charities) are advised to take in advance of the regulation’s commencement in May 2018. Below are some of the main changes that will take place.
One major change is that individuals will have more rights regarding how companies handle their data. Under the GDPR, individuals will have the following rights: to access their own personal data; to have inaccuracies corrected; to have information erased under the ‘right to be forgotten’; to prevent direct marketing; to prevent automated decision-making and profiling; and to data portability.
Under the new regulation, businesses will have to use additional methods when communicating privacy information. This is known as the privacy notice. The GDPR requires the following information to be provided in clear, easy-to-understand language: the legal basis for processing the data and the company’s data retention periods, as well as an explanation that individuals have the right to complain to the ICO.
Legal basis for processing personal data
Under the GDPR, some individuals’ rights will vary depending on the company or organisation’s legal basis for processing personal data. This means that where a business or organisation relies on consent as its legal basis, individuals will have a stronger right to have their data deleted. The legal basis will have to be stated in the privacy notice and when answering a subject access request.
Subject access requests
Businesses and organisations will no longer be able to charge for complying with a user’s right to access their own personal data, also known as a subject access request. Additionally, they will have only a month to comply, in contrast to the current 40 days. It will be possible to charge for, or refuse, manifestly unfounded or excessive requests, but policies and procedures will still have to be in place to explain why a request is denied or charged for.
Under the GDPR, all businesses and organisations will have the duty to notify the ICO about a personal data breach within a 72-hour timeframe. This applies only to breaches where “an individual is likely to suffer some form of damage, such as an identity theft or confidentiality breach”.
Organisations collecting information about children will have to obtain the consent of a parent or guardian, and that consent will have to be verifiable. The privacy notice will also have to be written in language understandable by children.
Privacy by Design
A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. However, the GDPR will make this an express legal requirement: a data protection impact assessment will be needed from the outset of any new system design and/or technology being deployed, rather than as an afterthought.
Where can I learn more?
At SmartDebit, we are keeping up-to-date with the ICO to be fully prepared for GDPR when it is implemented on 25 May 2018.