The General Data Protection Regulation (GDPR) represents a major overhaul of data protection law, consolidating and replacing the UK’s Data Protection Act (DPA 1998) and EU data privacy laws.
The GDPR will introduce wide-ranging changes to how personal data is collected, handled and processed. It will widen the definition of ‘personal data’ and grant people additional rights over how their data is used. Firms will be expected to have GDPR-compliant policies and procedures in place prior to the implementation date.
Despite the UK’s impending exit from the EU, the Government has confirmed that the GDPR will become part of UK law.
WHEN does it come into force?
The GDPR comes into effect in the UK from the 25th of May 2018.
WHAT are the key focus areas?
Widening of ‘Personal Data’ definition
| Definition under DPA | Definition under GDPR |
|---|---|
| Data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. | Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
Sensitive personal data will, under GDPR, fall under ‘special categories of personal data’. GDPR states:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies”.
The categories are broadly the same; however, the special categories of personal data now also include biometric data and genetic data (see Article 9 for the full list of special categories).
Principles regarding personal data
Under Article 5 of GDPR, personal data shall be:
Article 5(2) requires that:
Under GDPR, data controllers may rely on a legitimate basis for processing data, but must ensure that this basis does not conflict with or override the interests of the data subject.
Data processors and Data controllers
Data processors and Data controllers have more responsibilities under GDPR.
Data controllers are natural or legal persons, public authorities or agencies that determine how and for what purpose the data will be used. Data processors, on the other hand, are those who carry out the processing of data on behalf of the controllers.
Both data processors and data controllers are involved in processing and storing personal data; hence both are liable for any damage to data and any breach of the Regulation. Data processors must make data controllers aware of any breaches.
Individuals’ rights under GDPR include:
Please click here for a more thorough explanation of what these rights mean.
Data Protection Impact Assessment and Data Protection Officer
Public authorities, firms which undertake large-scale systematic monitoring of individuals, and firms which process special categories of data (or data related to criminal convictions) on a large scale must appoint a Data Protection Officer (DPO).
Cross-border data sharing
As is currently the case, firms must not transfer personal data outside the EEA to a third country that does not have adequate data protection measures in place, unless certain conditions are met.
After Brexit has taken place, GDPR’s “long arm jurisdiction” will apply to UK firms in the same way it applies to US firms: the Regulation applies to firms which provide EU consumers with goods and services but have no physical presence in the EU.
Businesses which operate in more than one EU member state will need to determine their lead national Data Protection Authority, as under GDPR’s “one-stop shop” they are allowed to deal with just one.
Processing employee data
Under GDPR, firms in EU member states may be subject to member-state-specific rules for the processing of employee-related data; in other words, the Regulation allows ‘gold-plating’ at a national level. Additionally, national laws may apply after GDPR implementation.
Data processors and controllers must keep accurate records of the activities related to the processing of data, as follows:
As mentioned under Article 5(2), this information should be available on request from regulatory authorities.
Under GDPR, data processors are obliged to report any data breaches to data controllers, and any security incidents or breaches which could lead to destruction of data or high risk to individuals should be reported to the ICO within 72 hours. (The ICO’s main contact number is 0303 123 1113; breaches can also be reported online.)
In the event of a data breach leading to high risk to individuals, the affected data subjects should also be notified without undue delay.
Firms must have a data breach register.
Under the GDPR various sanctions can be imposed for breach of its requirements, including fines of up to 2% of annual worldwide turnover or EUR 10,000,000, whichever is higher, in respect of internal record-keeping violations, and up to 4% of annual worldwide turnover or EUR 20,000,000, whichever is higher, for violations of the data protection principles, consent requirements and data subjects’ rights.
WHAT do firms need to do to comply?
What can we do to help?
FinTech Compliance can assist your business with all aspects of GDPR implementation, ensuring you are fully ready and compliant well before the legislation comes into force. In particular, we can:
If you’d like to speak to us about any of the above, get in touch with us by calling +44 207 100 4058, or write to us using our website’s Contact Us page.