(Regulation (EU) 2016/679)
GDPR replaces the European Data Protection Directive 95/46/EC and takes effect across the EU on 25 May 2018.
The purpose of GDPR is to harmonise data privacy laws across the EU, to protect personal data privacy for all citizens of the EU, and to ensure that all organisations take an appropriate approach towards data privacy.
GDPR applies to every company which processes personal data of subjects residing in the EU, regardless of the company’s location.
Non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.
Where personal data is transferred from EU to recipients outside the EU, the level of protection of persons in EU should not be undermined. All transfers must be carried out in full compliance with the regulation.
Breach of GDPR can result in a fine of up to 4% of annual global turnover or €20million (whichever is greater).
The main principles of GDPR are:
In order to process personal data lawfully, the controller or processor must demonstrate that at least one legal basis (from six) is met:
The first legal basis is “consent”: the data subject has given explicit consent to the processing of his or her personal data for one or more specific processes. Consent information must be given in concise, easy to understand, clear language.
All data subjects have the right to withdraw consent at any time and the “right to be forgotten”, i.e. to have his or her personal data erased and no longer processed.
In an employer/employee relationship, where there is a clear imbalance of power, consent may not be a reliable basis on which to process employee data: it is likely that another legal basis must be chosen. The most likely lawful basis to be used by employers to process employee data is “legitimate interests”.
The data subject must be provided with the following information: the identity and contact details of the controller, the purposes of the data processing and the recipients of the personal data.
All data subjects have the right to be told whether or not their personal data is being processed, and to be given access to the data and other information regarding its processing.
Other rights that data subjects have are: the right to rectification; to restrict processing; to data portability; to object; and not to be subject to automated decision-making.
Appropriate technical and organisational measures must be taken to ensure the protection of the rights and freedoms of data subjects – this means that procedures for data collection, processing and storage must be carefully designed to protect the security and privacy of the data.
A breach of personal data must be notified to the supervisory authority (in the UK this is the Information Commissioner’s Office, or ICO) within 72 hours of the breach, unless it can be demonstrated that the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subjects. The controller must also communicate a data breach to the data subject to allow him or her to take the necessary precautions.
Processing of “special category” data is prohibited, unless certain criteria apply. Special category data includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, and data concerning a person's sex life or sexual orientation.
An evaluation of risk must be carried out to determine whether data processing activities may give rise to discrimination, identity theft or fraud. Data security risk must also be assessed, considering accidental destruction, loss or unauthorised disclosure of or access to data.
If there is a high risk to individuals’ rights or freedoms, or to data security, a data protection impact assessment must be carried out and appropriate measures put in place to mitigate that risk. These may be codes of conduct, certifications or guidelines, or encryption and pseudonymisation. The regulation also advises issuing guidelines on any processing operations, even where there is no high risk.
Controllers and processors outside the EU (e.g. in post-Brexit UK) who process personal data as part of their undertakings in selling goods or services to EU countries will need to comply with GDPR. If all company activities are limited to the UK, the post-Brexit position is currently less clear, but the UK Government is likely to implement equivalent legislation.
This factsheet is designed as an overview of GDPR. Please call us for further information or see the ICO website.
The full text of the Regulation can be found at http://eur-lex.europa.eu