General Data Protection Regulations (GDPR) – effective today 25 May 2018
May 25, 2018
GENERAL DATA PROTECTION REGULATION (GDPR) – INTRODUCTION
AFG LAW Director Rahil Khan provides an overview of the new GDPR laws.
General Data Protection Regulation is described by the EU as the most important change in Data Privacy Regulation in 20 years.
It will come into effect on 25th May 2018.
Brexit will have no impact on the implementation of GDPR.
GDPR applies to “controllers” and “processors”
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
GDPR applies to processing carried out by organisations operating within the EU, and also to organisations outside the EU that offer goods or services to individuals in the EU.
WHAT DOES GDPR APPLY TO?
PERSONAL DATA – MEANING ANY INFORMATION RELATING TO AN IDENTIFIABLE PERSON WHO CAN BE DIRECTLY OR INDIRECTLY IDENTIFIED BY REFERENCE TO AN IDENTIFIER
This is a wide-ranging definition including name, identification number, location data or online identifier, reflecting changes in technology and collection of information.
Personal data that has been pseudonymised (e.g. key coded) can still fall within the scope of GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
SENSITIVE PERSONAL DATA
GDPR refers to sensitive personal data as “special category” personal data, as set out in Article 9.
Under the GDPR, the Data Protection Principles set out the main responsibilities for organisations.
Article 5 requires that personal data shall be: –
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
LAWFULNESS OF PROCESSING (USE OF DATA)
GDPR requires that you process all personal data lawfully, fairly and in a transparent manner.
GDPR requires a legal basis before data can be processed.
The legal bases for processing are set out in Article 6. At least one of the following must apply whenever you process personal data.
- Consent; the individual has given clear consent for you to process their personal data for a specific purpose;
- Contract; the processing is necessary for a Contract you have with the individual, or because they have asked you to take specific steps before entering into a Contract;
- Legal Obligation; the processing is necessary for you to comply with the law (not including contractual obligations);
- Vital Interest; the processing is necessary to protect someone’s life;
- Public Task; the processing is necessary for you to perform a task in the public interest or for your official function, and the task or function has a clear basis in law;
- Legitimate Interests; the processing is necessary for your legitimate interests or those of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Children need particular protection when collecting and processing their personal data as they may be less aware of the risks involved.
Children must be protected from the outset. Privacy Notices must be written clearly so that children are able to understand what will happen to their personal data. GDPR requires that children be aged at least 16 to be able to consent to the provision of information society services (online); parental consent is required for any younger children, subject to a minimum age of 13 years.
DATA PROTECTION OFFICERS
GDPR provides that a Data Protection Officer (DPO) must be appointed for: –
- Public authorities;
- Organisations whose core activities require regular and systematic monitoring of individuals on a large scale;
- Organisations whose core activities involve processing special categories of data, or personal data relating to criminal convictions and offences, on a large scale.
The DPO’s minimum tasks are defined in Article 39: –
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other Data Protection Laws.
- To monitor compliance with the GDPR and other Data Protection Laws, including managing internal Data Protection Activities, advising on Data Protection Impact Assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed.
GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority.
Our relevant supervisory authority is the Information Commissioner’s Office (ICO).
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of accidental or deliberate causes. It also means that a breach is about more than just losing personal data.
NOTIFICATION – ARTICLE 33
You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it.
Where notification is not made within 72 hours it shall be accompanied by reasons for the delay.
When reporting a breach GDPR says you must provide: –
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the Data Protection Officer or other contact point where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including where appropriate the measures taken to mitigate any possible adverse effects.
It may not be possible to fully investigate a breach within 72 hours.
Article 33(4) allows the provision of the information in phases without undue further delay.
If a breach is likely to result in a high risk to the rights and freedoms of individuals GDPR says you must inform those concerned directly and without undue delay.
Guidance on how to notify the ICO of a personal data breach is available.
Failure to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2% of your global turnover. The fine can be combined with the ICO’s other corrective powers under Article 58.
However, the ICO may issue fines of up to 20 million Euros or 4% of global turnover for significant infringements as set out in Article 83(5).
GDPR will be fully effective on 25th May 2018. Hopefully there is full compliance by all organisations.
However, breach and non-compliance will result in the ICO pursuing enforcement action. Please note there has been a recent 40% increase in recruitment at the ICO.
If any issues arise please allow us to assist by providing informed advice plus negotiation and representation with the ICO to ensure the best possible outcome.
Please contact Rahil Khan: –
Address: 20, Mawdsley Street, Bolton, BL1 1LE