A summary guide to changes to data protection rules
Set for enforcement in May 2018, The General Data Protection Regulation (GDPR) is one of the most wide-ranging pieces of legislation passed by the EU in recent memory. It is being introduced to standardise data protection law across the single market and give people, in a growing digital economy, greater control over how their personal information is used.
All organisations that process personal data and operate within, or sell goods to, the EU are impacted by the GDPR. The definition of processing is designed to cover practically every type of data usage and includes collection, storage, retrieval, alteration, storage and destruction.
The GDPR applies to both data ‘controllers’ and ‘processors’. Data controllers determine the purpose and manner in which data is processed. Data processors are any third party undertaking data processing on behalf of a controller.
How does Brexit affect the GDPR in the UK?
The GDPR will be enforced in the UK from 25th May 2018 and apply until at least March 2019 – when the UK is expected to leave the single market. Upon Britain exiting the EU, The Great Repeal Bill is expected to copy the requirements of the GDPR into UK law.
The UK government is yet to firmly announce its long-term intentions to supersede the GDPR. In June 2017, the Queens speech made reference to new data protection legislation designed to ensure that the UK retains its position as a ‘world-class regime protecting personal data’.
To achieve an ‘adequacy decision’ needed to ensure that EU organisations are able to transfer personal information to the UK after Brexit, any new UK data protection legislation will need to be on a similar level to the GDPR.
What is personal data?
Article 4 of the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. For most organisations, this means implementing appropriate measures to protect information relating to employees, customers and partners.
The GDPR expands the definition of personal data beyond the current Data Protection Act (1998) to also include information that could be used to indirectly identify individuals, such as ID numbers, location data and online identifiers including IP addresses and web cookies. Other examples of personal data protected by the GDPR include:
Customer contact details
CCTV and call recordings
How does the GDPR differ from the current Data Protection Act (DPA) 1998?
An expanded definition of personal information to include online identifiers such as IP addresses.
An increased level of fines for organisations that fail to comply and/or suffer a personal data breach.
Data Protection Officers
The need for some organisations, such as public authorities, and those that process large amounts or special categories of data, to appoint a Data Protection Officer.
A tightening of the consent rules governing the collection and use of personal information.
Right to be forgotten
The right for individuals to be forgotten, by requesting erasure from records.
Privacy by design
Promotion of privacy by design - ensuring data protection is taken into account at every stage of a product development process.
The six key principles of the GDPR
Article 5 of the GDPR lists the main principles all organisations should comply with. These outline how personal data should be processed, collected and retained.
Personal data shall be:
Processed lawfully, fairly and in a transparent manner
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate and, where necessary, kept up to date
Retained only for as long as necessary
Processed in an appropriate manner to maintain security
The importance of ensuring the security of personal data
In order to ensure ongoing data security, principle six of the GDPR states that personal data should be processed in an appropriate manner.
Protecting personal data against unauthorised processing, accidental loss and destruction forms an integral part of measures all organisations should take.