General Data Protection Regulation (GDPR): A Summary

(Regulation (EU) 2016/679)


What is it?

GDPR replaces the European Data Protection Directive 95/46/EC and takes effect across the EU on 25 May 2018.

The purpose of GDPR is to harmonise data privacy laws across the EU, to protect personal data privacy for all citizens of the EU, and to ensure that all organisations take an appropriate approach towards data privacy.

Key definitions:

  • Personal data: any information relating to an identified or identifiable person.
  • Processing (of data): Any operation performed on personal data, such as collection, recording, storage, alteration, use, transmission or erasure.
  • Controller: Person or organisation which determines the purposes and means of the processing of personal data.
  • Processor: Person or organisation which processes personal data on behalf of the controller (but not the controller’s employee).
  • Data Protection Officer: an individual who must be appointed if the processing is carried out by a public authority or body or processing operations require monitoring of data subjects on a large scale.

Application of GDPR:

GDPR applies to every company which processes personal data of subjects residing in the EU, regardless of the company’s location.

Non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.

Where personal data is transferred from EU to recipients outside the EU, the level of protection of persons in EU should not be undermined. All transfers must be carried out in full compliance with the regulation.

Penalties for breach of regulation:

Breach of GDPR can result in a fine of up to 4% of annual global turnover or €20 million (whichever is greater).

Key points:

The main principles of GDPR are:

  • All personal data will be processed fairly, transparently and lawfully (on a valid legal basis);
  • Personal data will be collected only for specific, explicit, legitimate purposes, and its use limited to those purposes;
  • Only the minimum, relevant data will be collected and processed;
  • All personal data will be accurate and kept up to date;
  • Personal data will not be held for any longer than necessary;
  • All personal data will be collected and processed in a manner that ensures appropriate levels of security.

In order to process personal data lawfully, the controller or processor must demonstrate that at least one legal basis (from six) is met:

  • Consent: the individual has given explicit consent to the processing of their data for one or more specific purposes;
  • Contract: the processing is necessary for a contract you have with the individual;
  • Legal obligation: processing is necessary for you to comply with the law;
  • Vital interests: processing is necessary to protect an individual’s life;
  • Public task: processing is necessary to perform a task in the public interest;
  • Legitimate interests: processing is necessary for your legitimate interests or those of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

The first legal basis is “consent”: the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes. Consent information must be given in concise, easy-to-understand, clear language.

All data subjects have the right to withdraw consent at any time and the “right to be forgotten”, ie to have his or her personal data erased and no longer processed.

In an employer / employee relationship, where there is a clear imbalance of power, consent may not be a reliable basis on which to process employee data: it is likely that another legal basis must be chosen. The most likely lawful basis to be used by employers to process employee data is “legitimate interests”.

The data subject must be provided with the following information: the identity and contact details of the controller, the purposes of the data processing and the recipients of the personal data.

All data subjects have the right to be told whether or not their personal data is being processed, and to be given access to the data and other information regarding its processing.

Other rights that data subjects have are: the right to rectification; to restrict processing; to data portability; to object; and not to be subject to automated decision-making.

Appropriate technical and organisational measures must be taken to ensure the protection of the rights and freedoms of data subjects – this means that procedures for data collection, processing and storage must be carefully designed to protect the security and privacy of the data.

A breach of personal data must be notified to the supervisory authority (in the UK this is the Information Commissioner’s Office, or ICO) within 72 hours of the breach, unless it can be demonstrated that the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subjects. The controller must also communicate a data breach to the data subject to allow him or her to take the necessary precautions.

Processing of “special category” data is prohibited, unless certain criteria apply. Special category data includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, and data concerning a person's sex life or sexual orientation.

An evaluation of risk must be carried out to determine whether data processing activities may give rise to discrimination, identity theft or fraud. Data security risk must also be assessed, considering accidental destruction, loss or unauthorised disclosure of or access to data.

If there is a high risk to individuals’ rights or freedoms, or to data security, a data protection impact assessment must be carried out and appropriate measures put in place to mitigate that risk. These may be codes of conduct, certifications or guidelines, or encryption and pseudonymisation. The regulation advises issuing guidelines on any processing operations even where there is not a high risk.

What does my company need to do?

  • Designate someone to take responsibility for data protection compliance. Consider whether you need to formally designate a DPO.
  • Update your company Data Protection Policy to encompass the GDPR.
  • Review your current privacy notices and make any necessary changes.
  • Decide on what basis you will process personal data. Make an assessment and document it. If your legal basis is not “consent”, ensure that your assessment includes whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
  • Create or update data processing procedures: consider why and how you carry out data processing and ensure that your methods of processing maintain compliance with GDPR.
  • Ensure that employment contracts and, if applicable, sub-contractor terms and conditions are compliant and make reference to the collection and processing of personal data.
  • Ensure that all data collection methods your company currently uses are updated with appropriate information and means of consent if applicable (for example tick boxes on paper forms).
  • If your company processes a large amount of personal data in various different ways and for a number of purposes, a data protection impact assessment will help you mitigate the risk of breaching the regulation.

What about Brexit?

Controllers and processors outside the EU (eg in post-Brexit UK) who process personal data as part of their undertakings in selling goods or services to EU countries will need to comply with GDPR. If all company activities are limited to the UK, the post-Brexit position is currently less clear, but the UK Government is likely to implement equivalent legislation.


This factsheet is designed as an overview of GDPR. Please call us for further information or see the ICO website here.

The full text of the Regulation can be found at http://eur-lex.europa.eu