GDPR - The EU General Data Protection Regulation
What you need to know for your business.
What is GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) is a European Parliament regulation which aims to unify data protection rules across the whole of the EU; it also controls the export of personal data from the EU. It was issued on 27 April 2016, and becomes enforceable from 25 May 2018. GDPR covers personally identifiable data about any “living person” in the EU (or stored by an EU-based business), and it is designed to provide rights and protections for that person, the “data subject”.
Does it affect me?
You don’t have to be within the EU for GDPR to apply. If you are processing personal data relating to any living person within the European Union, you must comply with the regulation in the way that you handle that data. Complying with the requirements of GDPR is not optional, and people cannot waive their rights to protection under GDPR.
What are the Penalties for Failing to Comply?
The penalties are much more significant than with previous data protection and privacy legislation. Organisations found in breach can be fined up to 4% of their annual global turnover or €20 million, whichever is greater. This makes it even more important that you understand the GDPR and how it affects your business.
Brexit and the GDPR
UK organisations handling personal data will need to comply with the GDPR, regardless of Brexit. The GDPR comes into force before the UK leaves the European Union and the government and the Information Commissioner have confirmed that the regulation will apply, and that the UK will continue to follow a compatible regime.
There are six data protection principles which form the basis for the processing of personal data; they can be found in Article 5(1) GDPR:
- Lawfulness, fairness and transparency. Data processing should be lawful, fair and transparent. Transparency implies that communication about the processing of personal data must be easily accessible and understandable, and that you ensure the data subject (the person whose data you are processing) receives information on the identity of the data controllers (who are managing the data) and the purposes for which the data is being processed.
- Purpose limitation. Data collection should only be for specified, explicit and legitimate purposes; further processing incompatible with the stated purpose is not allowed, although this is subject to some of the other provisions of GDPR (for example because of public interest or legal obligations).
- Data minimisation. Data used must be required and relevant, and limited to what is necessary for the specified purpose.
- Accuracy. Data must be accurate, and kept up to date. Inaccurate data should be erased, or rectified without delay.
- Storage limitation. Data must not be kept in a form that makes it possible to identify data subjects for longer than is necessary. Data can be stored for longer periods, subject to specific conditions and adequate technical and organisational safeguards to protect the data subject.
- Integrity and confidentiality. Technical and organisational measures should be in place to ensure protection from unauthorised or unlawful processing, and protection from any data loss or damage.
The final overriding principle, sometimes called the seventh principle, is the accountability of the data controller, stated in Article 5(2) GDPR, to demonstrate compliance with the principles. Unlike previous legislation, if you make use of personal data, you need to demonstrate that you do so in a way that is compliant with the regulations.
You must have a valid, lawful basis in order to process personal data. GDPR outlines six bases for lawful processing. Specifically, you must have one of the following:
1. Consent, freely given by the data subject. You will need to record evidence of this consent.
2. Performance of a contract with the data subject, where you need the data to perform that contract.
3. Legal obligation of the controller. A law requires you to collect or process the data.
4. Vital interests of the data subject or another (natural) person. For example, access to medical information in an emergency.
5. Public interest, or official authority. This covers uses such as journalism and specific forms of research.
6. Legitimate interest, subject to the rights of the data subject. Your right to process the data must be balanced with the data subject’s rights and freedoms.
For further guidance the ICO has published some helpful material. Different bases for processing confer different rights on the data subjects, for example the right to object and the right to withdraw consent. You should choose your basis for processing before you start collecting and using data, and other than in exceptional circumstances, you should not change the basis you are using.
Every country has a data protection body responsible for the protection of its citizens’ personal data. Some key authorities are listed below:
United Kingdom: The Information Commissioner’s Office
Ireland: Data Protection Commissioner
Netherlands: Autoriteit Persoonsgegevens
Relevant Non-EU Data protection bodies:
New Zealand: Office of the Privacy Commissioner of New Zealand
Checklists from the UK’s Information Commissioner’s Office, to assess your compliance with the Data Protection Act and find out what you need to do, including guidance on getting ready for GDPR.
UK Information Commissioner’s Office guidance on provisions for accountability and governance, including “the accountability principle” and guidance on records of processing activities.
- GDPR action list generator
- compliance timeline plan
- GDPR audit questionnaire
- GDPR systems audit and mapping
- GDPR risk assessment
- GDPR staff training tool and training log
- GDPR records processing tool
- GDPR supplier and vendor assessments
- DSAR handling tool
- breach notification handling tool
- policy handling for GDPR
- staff offboarding questionnaire