GDPR - The EU General Data Protection Regulation
What you need to know for your business.
What is GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) is a regulation of the European Parliament and the Council which harmonises data protection rules across the whole of the EU and also controls the transfer of personal data out of the EU. It was adopted on 27 April 2016 and applies from 25 May 2018. GDPR covers personal data (any information relating to an identified or identifiable living person) of people in the EU, as well as personal data processed by organisations established in the EU, and it is designed to provide rights and protections for that person, the “data subject”.
Does it affect me?
You do not have to be within the EU for GDPR to apply. If you are established in the EU, or you process personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, you must comply with the Regulation in the way that you handle that data. Complying with the requirements of GDPR is not optional, and data subjects cannot waive their rights to protection under GDPR.
What are the Penalties for Failing to Comply?
The penalties are much more significant than under previous data protection and privacy legislation. Organisations found in breach can be fined up to 4% of their total worldwide annual turnover for the preceding financial year or €20 million, whichever is greater (Article 83(5)); a lower tier of up to 2% or €10 million applies to less serious infringements. This makes it even more important that you understand the GDPR and how it affects your business.
Brexit and the GDPR
UK organisations handling personal data will need to comply with the GDPR regardless of Brexit. The GDPR applies before the UK leaves the European Union, and the government and the Information Commissioner have confirmed that the Regulation will apply and that the UK will continue to follow a compatible regime afterwards.
There are six data protection principles which form the basis for all processing of personal data. They are set out in Article 5(1) GDPR:
- Lawfulness, fairness and transparency. Processing must be lawful, fair and transparent to the data subject. Transparency means that information about the processing must be concise, easily accessible and written in clear, plain language, and that the data subject (the person whose data you are processing) is told the identity of the data controller (the organisation that decides why and how the data is processed) and the purposes the data is being processed for.
- Purpose limitation. Data may only be collected for specified, explicit and legitimate purposes, and must not be further processed in a way that is incompatible with those purposes. Further processing for archiving in the public interest, scientific or historical research or statistical purposes is not treated as incompatible, provided appropriate safeguards are in place.
- Data minimisation. Data must be adequate, relevant and limited to what is necessary for the specified purposes.
- Accuracy. Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay.
- Storage limitation. Data must not be kept in a form that allows data subjects to be identified for longer than is necessary for the purposes of the processing. Data may be stored for longer periods only where it is processed solely for archiving in the public interest, scientific or historical research or statistical purposes, subject to appropriate technical and organisational safeguards for the data subject.
- Integrity and confidentiality. Appropriate technical and organisational measures must be in place to protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The final overriding principle, sometimes called the seventh principle, is accountability, stated in Article 5(2) GDPR: the data controller is responsible for, and must be able to demonstrate, compliance with the principles above. Unlike previous legislation, it is not enough to use personal data in a compliant way; you must also be able to show that you do so.
You must have a valid lawful basis in order to process personal data. Article 6(1) GDPR sets out six lawful bases, and at least one of them must apply to each processing activity:
1. Consent, freely given by the data subject and specific, informed and unambiguous. You must be able to demonstrate that consent was given, so keep a record of it.
2. Performance of a contract with the data subject, where you need the data to perform that contract or to take steps at the data subject’s request before entering into one.
3. Legal obligation of the controller, where a law requires you to collect or process the data.
4. Vital interests of the data subject or another natural person; for example, access to medical information in an emergency.
5. Public task: processing necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller. This is the basis most often relied on by public bodies carrying out their statutory functions.
6. Legitimate interests of the controller or a third party, balanced against the rights and freedoms of the data subject. This basis is not available to public authorities acting in the performance of their public tasks.
For further guidance the ICO has published some helpful material. Different bases for processing confer different rights on the data subject; for example, the right to object applies to processing under the public task and legitimate interests bases, and the right to withdraw consent applies to processing under consent. You should choose your basis for processing before you start collecting and using data, and other than in exceptional circumstances you should not change it later.
Every EU member state has at least one supervisory authority responsible for protecting the personal data of people in its territory. Some key authorities are listed below:
United Kingdom: The Information Commissioner’s Office
Ireland: Data Protection Commissioner
Germany: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (the federal authority; each German Land also has its own data protection authority)
France: Commission Nationale de l’Informatique et des Libertés – CNIL
Spain: Agencia de Protección de Datos
Italy: Garante per la protezione dei dati personali
Belgium: Commission de la protection de la vie privée
Netherlands: Autoriteit Persoonsgegevens
Relevant Non-EU Data protection bodies:
Switzerland: Data Protection and Information Commissioner of Switzerland
Australia: Office of the Australian Information Commissioner – OAIC
Canada: Office of the Privacy Commissioner of Canada – OPC
New Zealand: Office of the Privacy Commissioner of New Zealand
GDPR Overview (ICO)
An overview of the General Data Protection Regulation from the UK Information Commissioner’s Office.
The Benefits of GDPR
A benefits analysis researched by London Economics, for the UK Department for Culture, Media & Sport.
Privacy Impact Assessment Guidance
Privacy Impact Assessment guidance and resources from the UK Information Commissioner’s Office.
Privacy by Design
The original approach to privacy by design, from the Information and Privacy Commissioner, Canada.
Privacy Shield
The US response to EU and Swiss data protection regulations, to enable data transfers under EU law (see the adequacy determination) and Swiss law.
ICO self assessment toolkit
Checklists from the UK’s Information Commissioner’s Office, to assess your compliance with the Data Protection Act and find out what you need to do, including guidance on getting ready for GDPR.
Accountability and Governance
UK Information Commissioner’s Office guidance on provisions for accountability and governance, including the accountability principle and guidance on records of processing activities.
Documentation for GDPR
UK Information Commissioner’s Office guidance on how you should document your processes, and what records you should keep to demonstrate your compliance with GDPR.
Lawful Basis Guidance Tool
UK Information Commissioner’s Office interactive guidance tool for identifying the Lawful Basis for data processing under GDPR.
Other useful resources
- List of Data Protection Authorities (GDPR)
- ICO Guidance on Controller-Processor Contracts
- Listing of US Organisations under Privacy Shield
- POPI – South Africa’s data protection law
- GDPR action list generator
- compliance timeline plan
- GDPR audit questionnaire
- GDPR systems audit and mapping
- GDPR risk assessment
- GDPR staff training tool and training log
- GDPR records processing tool
- GDPR supplier and vendor assessments
- DSAR handling tool
- breach notification handling tool
- policy handling for GDPR
- staff offboarding questionnaire