What it is, what you need to do about it.

The what? The General Data Protection Regulation, a piece of EU legislation that comes into effect in all member states on 25 May 2018. It will replace the Data Protection Act 1998 (“the DPA”) in the UK.
Is it different to the existing legislation? The requirements of the GDPR are similar to those of the DPA. However, there are some key new requirements, and greater enforcement powers and penalties for non-compliance.
Who does it apply to? Any person or organisation who processes personal data. There are differing requirements for those who decide how personal data is to be processed (‘Data Controllers’) and those who process data on behalf of a Data Controller (‘Data Processors’). It does not apply to personal or household processing of data and there are other specific exemptions.
What is personal data? Any information relating to a person who can be directly or indirectly identified from that information.
So what’s it all about? The GDPR is a fairly complex piece of legislation and it is beyond the scope of this update to outline the requirements in full (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ for an in-depth guide), but to give a brief summary of some of the main requirements:

  1. Personal data must be processed in accordance with 6 key principles:
    1. fairness, lawfulness and transparency;
    2. data is only to be collected for specified, explicit, legitimate purposes and not processed in a manner incompatible with those purposes;
    3. data must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
    4. data must be accurate and, where necessary, kept up to date;
    5. data must not be kept any longer than necessary for the purpose for which it is processed;
    6. security and confidentiality.
  2. Data controllers must be able to demonstrate compliance with the above principles. This includes putting in place data protection “by design and default” and implementing appropriate security measures.
  3. Some data processors have additional requirements, including:
    1. appointment of a data protection officer (if processing includes regular and systematic monitoring of data subjects on a large scale);
    2. maintaining certain records as to data processing activities (if 250 or more employees);
    3. conducting a data protection impact assessment (“DPIA”) before carrying out certain data processing activities (including automatic evaluation/profiling, processing of data relating to criminal convictions, or systematic monitoring of a public area (including CCTV)).
  4. There are additional restrictions on processing “sensitive personal data”, which includes data relating to racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic and biometric data, sex life and sexual orientation.
What about the rights of data subjects? Data subjects (that is, the persons to whom the data relates) have a number of rights, including:

  1. right to withdraw consent to the data being processed;
  2. right to access the data and to be provided with certain information about processing of that data;
  3. right to rectification;
  4. right to erasure of the data (“the right to be forgotten”);
  5. right to restriction of processing;
  6. right to data portability.

Data processors should ensure they have a suitable procedure in place for dealing with any data subject access requests.

What if we don’t comply? The consequences of non-compliance can be very serious and the GDPR provides for maximum fines of EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.
What do we need to do? The fact that data processors are required to demonstrate compliance, together with the possible consequences of failure to comply, means that the requirements of the GDPR simply cannot be ignored.

What action will be required will vary from company to company, but as a minimum, businesses that process personal data should carry out the following steps well in advance of the GDPR coming into force on 25 May 2018:

  1. Identify personal data that is processed by the organisation, the basis for processing that data, the security measures that are in place and the data retention period;
  2. Review existing:
    1. policies,
    2. procedures,
    3. privacy notices,
    4. consent forms,
    5. contracts with data processors/data controllers;
  3. To the extent necessary, amend current or put in place new documentation and procedures to ensure compliance with the GDPR;
  4. Ensure there is a suitable procedure in place for dealing with data subject access requests;
  5. Consider whether any of the following measures are required:
    1. a data protection officer,
    2. records of data processing activities,
    3. a DPIA;
  6. Ensure that any changes or new processes are communicated to the wider organisation and appropriate training is put in place.
Sounds a bit complicated? Potentially, yes. But we can help. We are pleased to offer a range of services to help you achieve compliance, from conducting a full review and overhaul of your data protection procedures and documentation, to offering ad hoc advice or preparation of documents, including procedures, policies, information notices, consent forms and contracts with data processors.

If you would like to discuss how we can help you, please contact Alistair Wells on aw@woodfords.co.uk or 020 7731 0750.