You may already be familiar with the Data Protection Act (DPA), a piece of UK legislation designed to protect personal data held electronically. From 25 May 2018, the DPA will be superseded by the General Data Protection Regulation (GDPR), an EU-wide regulation. In case you are thinking this may not apply post-Brexit, the UK government has confirmed that the new regulation will not be affected by the UK’s decision to leave the EU, and it will likely include fines of up to 4% of global revenue or 20m Euros for data breaches, whichever is higher.
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ (the controller says how and why personal data is processed) and ‘processors’ (the processor acts on the controller’s behalf for the data). If the DPA currently applies to you, it is highly likely that you will also be subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. Under the GDPR, you will also have significantly more legal liability if you are responsible for a breach. However, if you are a controller, you are not relieved of your obligations where a processor is involved; in fact, the GDPR places further new obligations on you to ensure your contracts with processors comply with the GDPR.
The geographical application of GDPR varies and whilst it applies to processing carried out by organisations operating within the EU, it also applies to organisations outside the EU that offer goods or services to individuals in the EU. The GDPR does not apply to certain activities such as data processing for national security purposes and processing carried out by individuals purely for personal or household activities.
What information does the GDPR apply to?
Like the DPA, the GDPR applies to ‘personal data’; however, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier like an IP address can be classed as personal data. The more expansive definition provides for a wider range of personal identifiers that constitute personal data, reflecting changes in technology and the way organisations collect information about people.
In practice, keeping HR records, customer lists, or contact details will mean there is little practical change compared to compliance under the DPA. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria; again this is wider than the DPA’s definition and could include manual records containing personal data.
Personal data that has been pseudonymised or key-coded can also fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a specific individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”. Such categories are broadly the same as those in the DPA, but there are some minor changes and differences as the following examples highlight:
• Genetic and biometric data where processed to uniquely identify an individual.
• Personal data relating to criminal convictions and offences are not included, but extra safeguards apply to their processing.
Data protection principles
Under the GDPR, the data protection principles set out the main responsibilities for organisations. The principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement. However, there are no principles relating to individuals’ rights or overseas transfers of personal data; instead these are specifically addressed in separate articles.
The most significant additional principle relates to accountability. The GDPR requires you to show how you comply with the principles; for example, by documenting the decisions you take about a processing activity. Article 5 of the GDPR, in particular, addresses the management of data and requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) also requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
For more information about the GDPR, please contact Camilla Dinesen via email at firstname.lastname@example.org or by telephone on +44 (0)20 7017 2340.