Friday May 25, 2018
GENERAL DATA PROTECTION REGULATION (GDPR) – INTRODUCTION
AFG LAW Director Rahil Khan provides an overview of the new GDPR laws.
General Data Protection Regulation is described by the EU as the most important change in Data Privacy Regulation in 20 years.
It will come into effect on 25th May 2018.
Brexit will have no impact on the implementation of GDPR.
GDPR applies to “controllers” and “processors”.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
GDPR applies to processing carried out by organisations operating within the EU, and to organisations outside the EU that offer goods or services to individuals in the EU.
WHAT DOES GDPR APPLY TO?
PERSONAL DATA – MEANING ANY INFORMATION RELATING TO AN IDENTIFIABLE PERSON WHO CAN BE DIRECTLY OR INDIRECTLY IDENTIFIED BY REFERENCE TO AN IDENTIFIER
This is a wide-ranging definition including name, identification number, location data or online identifier, reflecting changes in technology and collection of information.
Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
SENSITIVE PERSONAL DATA
GDPR refers to sensitive personal data as a special category of personal data, as set out in Article 9.
SIX PRINCIPLES
Under the GDPR, the Data Protection Principles set out the main responsibilities of organisations.
Article 5 requires that personal data shall be: –
LAWFULNESS OF PROCESSING (USE OF DATA)
GDPR requires that you process all personal data lawfully, fairly and in a transparent manner.
GDPR requires a legal basis before data can be processed.
The legal bases for processing are set out in Article 6. At least one of the following must apply whenever you process personal data.
CHILDREN
Children need particular protection when collecting and processing their personal data as they may be less aware of the risks involved.
Children must be protected from the outset. Privacy Notices must be written clearly so that children are able to understand what will happen to their personal data. GDPR requires that children be aged at least 16 to consent to the provision of information society services (online); parental consent is required for younger children, subject to a minimum age of 13 years.
DATA PROTECTION OFFICERS
GDPR provides that a Data Protection Officer (DPO) must be appointed for: –
The DPO’s minimum tasks are defined in Article 39:
To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other Data Protection Laws.
To monitor compliance with the GDPR and other Data Protection Laws, including managing internal Data Protection Activities, advising on Data Protection Impact Assessments, training staff and conducting internal audits.
To be the first point of contact for supervisory authorities and for individuals whose data is processed.
BREACHES/NON-COMPLIANCE
GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority.
Our relevant supervisory authority is the Information Commissioner’s Office (ICO).
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of accidental or deliberate causes. A breach is therefore about more than just losing personal data.
NOTIFICATION – ARTICLE 33
You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it.
Where notification is not made within 72 hours it shall be accompanied by reasons for the delay.
When reporting a breach GDPR says you must provide: –
It may not be possible to fully investigate a breach within 72 hours.
Article 33(4) allows the provision of the information in phases without undue further delay.
If a breach is likely to result in a high risk to the rights and freedoms of individuals GDPR says you must inform those concerned directly and without undue delay.
Guidance on notifying the ICO of a personal data breach is available.
Failure to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2% of your global turnover. The fine can be combined with the ICO’s other corrective powers under Article 58.
However, the ICO may issue fines of up to 20 million Euros or 4% of global turnover for significant infringements as set out in Article 83(5).
GDPR will be fully effective on 25th May 2018. Hopefully there is full compliance by all organisations.
However, breach and non-compliance will result in the ICO pursuing enforcement action. Please note there has been a recent 40% increase in recruitment at the ICO.
If any issues arise, please allow us to assist by providing informed advice, together with negotiation and representation before the ICO, to ensure the best possible outcome.
Please contact Rahil Khan: –
Email: rahil.khan@afglaw.co.uk
Address: 20, Mawdsley Street, Bolton, BL1 1LE
We offer a full range of legal services for individuals and businesses alike.
Many of our services are provided UK-wide, with our physical offices located in Bolton and Bury.