The General Data Protection Regulation (GDPR) is the new regulation which governs data protection and privacy for all individuals within the European Union. The general aim of the GDPR is to give citizens and residents back control over their personal data and to reshape the way organisations within the EU approach data privacy.
The GDPR was passed on 27 April 2016 and comes into force on 25 May 2018. It will replace the 1995 Data Protection Directive, the directive that preceded the Data Protection Act 1998 (DPA) in the UK.
Who does GDPR apply to?
The GDPR applies to all companies residing in the EU which process personal data and/or sensitive personal data of EU citizens. The Regulation applies to every organisation that processes personal data, ranging from commercial businesses to public authorities and charities.
What is Personal data?
This is any information relating to an identified or identifiable natural person, such as a name, address, date of birth, photograph or email address.
What is Sensitive Personal data?
Sensitive personal data is personal data consisting of information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental condition, sexual life, etc. The GDPR now also classes genetic data and biometric data as sensitive personal data.
What has changed?
In respect of data protection, the GDPR very broadly replicates the DPA in how we process personal and sensitive personal data. However, the rules under the GDPR are more stringent, and we must now ensure that:
1. Personal/sensitive personal data is processed lawfully, fairly and transparently
2. Data must be collected only for the purpose for which it is legitimately required
3. The data being processed must be adequate, relevant and limited to what is necessary to conduct the matter in hand
4. Data must always be accurate and kept up to date
5. Data must only be stored for as long as is necessary
6. Data must be held securely, with integrity and be kept confidential
Perhaps one of the most significant changes GDPR has implemented is in respect of the rights afforded to individuals, especially in respect of the consent given for their personal data to be processed.
Essentially, consent must be freely given, specific, informed and unambiguous. Any request for consent to process personal data must be made in clear and plain language, so we can now say goodbye to pre-ticked boxes or to taking silence and inactivity as consent for the processing of personal data. Unlike before, an individual may at any time withdraw their consent to the processing of personal data, object to the use of personal data and ask that their personal data is erased (although this is balanced where the organisation can show it is necessary for the personal data to be retained, for example for legal purposes).
Individuals may also request that the information held about them is disclosed, through a subject access request. At all times, organisations that hold or process the personal data of individuals must be able to provide evidence of consent. If this cannot be done, hefty punishments may be imposed.
All organisations must ensure that they are clear and transparent as to how personal data will be processed, by whom and why. Privacy notices must be provided in a concise and transparent way, must be easily accessible by the individual and, again, must be in clear and plain language.
Accountability, governance and safeguarding
After 25 May 2018, all organisations must be able to demonstrate compliance with the GDPR; failure to do so will have grave implications.
This is going to greatly affect all organisations, as they are now required to build effective data protection practices and safeguards. This means that all new processes, systems, policies and procedures will have to account for the data protection rules under the GDPR.
In order to demonstrate compliance with GDPR organisations need to:
- Establish a governance structure with roles and responsibilities
- Keep detailed records of all data processing operations
- Document all new and pre-existing data protection policies and procedures
- Ensure that data protection impact assessments (risk-based assessments) are carried out for all high-risk data processing operations
- Implement appropriate measures to secure personal data
- Provide staff training and increase their awareness in respect of data protection.
Data Security and Breach Reporting
All personal data held should be stored securely and protected against unauthorised processing, accidental loss, destruction or damage. Should a data breach occur, it must be reported to the Data Protection Authority within 72 hours of the breach. Individuals who are affected should be informed immediately, especially where there is a high risk of identity theft or to their personal safety.
Failure to report a data breach may be detrimental and can result in a significant fine of up to ten million euros or two per cent of your turnover. This fine can be combined with corrective actions which must be carried out to ensure that data breaches of the same nature do not occur again.