GENERAL DATA PROTECTION REGULATION (GDPR)
– the most important change in data privacy regulation in 20 years –

What is GDPR?
The General Data Protection Regulation (GDPR) is a new data protection law in the European Union, which comes into force in May 2018. The strictest data protection regulation ever passed, the GDPR protects the personal data of EU citizens and residents and applies to any business around the world that collects or processes EU resident data. The aim is to give individuals more control over their personal data and to reshape the way organisations approach data privacy.
UK organisations handling personal data will still need to comply with the General Data Protection Regulation (GDPR), regardless of Brexit, as the GDPR will come into force before the UK leaves the EU. The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR and replaces the existing Data Protection Act.
The new UK Data Protection Bill
The Data Protection Bill was published on 14 September 2017. As well as aligning personal data legislation with the GDPR, it includes requirements for all other general data, law enforcement data and national security data.
The law sets out a number of exemptions from GDPR, which include added protections for journalists, scientific and historical researchers, and anti-doping agencies who handle people’s personal information.
The key changes introduced by the Regulation
BROADER DEFINITION OF PERSONAL DATA – any information relating to a living individual who can be identified from that data (or that data & other information available to the holder).
WIDER TERRITORIAL SCOPE – Businesses providing products and services to EU customers or processing their personal data will still have to comply with the Regulation even if they don't have a physical presence in the EU. This will especially affect e-commerce companies and other cloud businesses.
CONSENT CONDITIONS – clear and affirmative consent to the processing of personal data must be obtained, as well as parental consent for the processing of personal data of children.
APPOINTMENT OF A DATA PROTECTION OFFICER – public authorities must appoint a data protection officer (DPO). A DPO will also be required where regular and systematic monitoring of data subjects on a large scale is involved.
MANDATORY DATA PROTECTION IMPACT ASSESSMENTS (DPIA) – companies will have to conduct privacy impact assessments before undertaking higher-risk data processing activities.
ACCOUNTABILITY –
BREACH NOTIFICATIONS – companies will have to report data breaches to their data protection authority within 72 hours of identifying the breach. Data subjects will also have to be notified, but only where the breach poses a risk to the rights and freedoms of the data subjects in question.
RIGHT TO BE FORGOTTEN – data subjects can request that their personal data be erased or that processing of it be stopped.
NEW RESTRICTIONS ON INTERNATIONAL DATA TRANSFERS – transfer of personal data to a third country may be made only if an adequate level of protection and safeguards is ensured.
DATA PROCESSORS SHARE RESPONSIBILITY FOR PROTECTING PERSONAL DATA – contractual arrangements will need to be updated, as data processors will have direct legal obligations and responsibilities and can be held liable for data breaches.
NEW REQUIREMENTS FOR DATA PORTABILITY – data subjects can request a copy of their personal data in a format that can be transmitted electronically to another data controller.
PRIVACY BY DESIGN – systems and processes must be designed with compliance with the data protection principles in mind. Minimising data collection and retention and asking data subjects for consent are requirements of the new regulation.
ONE-STOP SHOP –
GDPR principles
Setting out the main responsibilities for organisations, the GDPR principles are largely the same as those in the DPA, with added detail at certain points and a new accountability requirement.
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Why comply with GDPR?
The General Data Protection Regulation (GDPR) significantly increases the obligations and responsibilities of organisations and businesses in how they collect, use and protect personal data.
At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
Breaches of provisions of the regulation could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year.
Steps to take for GDPR compliance
Awareness
Make sure that decision makers and key people in your organisation consider the changes which may need to take place and how they will impact their responsibilities.
Information audit
Keep a clear record of the customer information in your possession. Have clear procedures and policies regarding the handling and storage of personal data across your organisation.
Review privacy information
Review your privacy statements and notices and update them in accordance with any changes required for GDPR compliance.
Compliance with rights of individuals
Check your procedures to ensure they cover all enhanced individual rights afforded by the GDPR.
Subject access requests
Update your procedures and plan how you will handle requests within the new timescales and provide any additional information required.
Lawful basis
Identifying the lawful basis for each use of personal data will help you to promote and guarantee accountability.
Consent
Review how you seek, record and manage consent and whether you need to make any changes.
Refresh existing consents now if they don’t meet the GDPR standard.
Children's data
Parental consent will be required for the processing of personal data of children under the age of 16. You will need systems in place to verify individuals’ ages and to obtain parental or guardian consent where necessary.
Data breaches
Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Protection by design
Make sure your systems and processes are designed to comply with the data protection principles, minimising the personal data you collect and retain.
Data Protection Officer
Check whether you must appoint a data protection officer: public authorities must do so, as must organisations whose processing involves regular and systematic monitoring of data subjects on a large scale.
International
Transfer of personal data to a third country may be made only if an adequate level of protection and safeguards is ensured.