Get ready for the GDPR
In a previous blog last year, we gave readers a whistle-stop tour of the General Data Protection Regulation (GDPR). In this blog, we provide an update as the deadline approaches and the Brexit dust settles.
What is the GDPR?
The GDPR replaces the Data Protection Directive 95/46/EC and is designed to strengthen and unify data protection laws for individuals across the European Union (EU) and simplify the regulatory environment for business.
Unlike the Data Protection Directive 95/46/EC, which was implemented inconsistently across Europe and was not legally binding, the GDPR does not require national governments to enact any legislation and is compulsory. It will replace all data protection legislation in EU member states, such as the Data Protection Act 1998 (DPA) in the UK.
When will it come into effect?
The GDPR was adopted by the European Parliament in May 2016. Following a 2-year transition period, it will apply in the UK from 25 May 2018. As previously suggested here, the government has confirmed that the decision to leave the EU will not affect the commencement of the GDPR.
"We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public."
The Secretary of State Karen Bradley MP, Culture, Media and Sport Select Committee, Monday 24 October 2016
What are the key changes from the Data Protection Directive 95/46/EC and the DPA?
Extended scope / jurisdiction
The GDPR applies to organisations located within the EU. Organisations located outside the EU that provide goods or services to EU residents will also need to comply. This is a significant change from the Data Protection Directive 95/46/EC, which had a much narrower focus on the territory of a member state. The extended scope is the consequence of Member States lobbying the EU for change after legal uncertainty in their countries.
Increased scrutiny on data processors
Unlike the Data Protection Directive 95/46/EC which imposed responsibility for compliance solely on the data controller, the GDPR will also hold data processors accountable.
The Information Commissioner's Office (ICO) defines the "data controller" as a person (business) who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
A "data processor" means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. A data processor could be an external supplier such as a cloud storage provider or a marketing agency.
The new regulation introduces severe penalties for breaches of the GDPR, with legislators able to impose fines of up to 4% of an organisation's global annual turnover, or €20 million, in order to ensure compliance.
The GDPR will require organisations to have a legitimate reason for processing personal data. Consent can be given by a written, electronic or oral statement. This could include the data subject ticking a box when visiting a website or choosing technical settings for social network accounts. Importantly, pre-ticked boxes or inactivity will no longer equal consent.
The European Commission states that personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an eMail address, bank details, posts on social networking websites, medical information, or a computer's IP address.
Put simply, personal data can only be gathered for a legitimate purpose. When the legitimate reason for the data gathering has expired, it needs to be deleted. Furthermore, the data must be protected from misuse, i.e. it must not be used for purposes other than those originally intended or be transferred to third parties.
Data subjects’ rights
The list of rights that an individual can exercise has been widened by the GDPR, with the right to have personal data processed only for restricted purposes and the ability to transfer data to another organisation (data portability) introduced.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Individuals will have the right to access their personal data and have it rectified if it is inaccurate or incomplete, as well as to obtain confirmation that it is being processed.
A few notable exceptions aside, individuals will be able to request that their personal data is erased by the organisation and no longer processed (the aptly named 'right to be forgotten').
The regulation requires that organisations notify the ICO of a personal data breach within 72 hours, unless the breach is unlikely to result in a risk for the rights and freedoms of individuals.
As part of the process, individuals should be notified without undue delay to allow them to take the necessary precautions (e.g. change usernames, passwords or bank details) if the data breach is likely to result in a high risk to their personal security.
Data protection officer
The regulation introduces a statutory role of Data Protection Officer (DPO) who will be responsible for ensuring compliance with the GDPR.
How will it affect my day-to-day processes?
With less than 12 months until the GDPR is enforceable in the UK, if you use TeleForm or Process Director to capture personal information from paper or electronic forms, now is the time to review your data collection methods.
In our fictional scenario, a clinical trials organisation may ask trial participants to complete a questionnaire to assess their suitability to take part.
This questionnaire might contain a name, phone number, eMail address and medical information. This information identifies an individual, and their personal data is therefore protected by the GDPR.
In this scenario, our clinical trials organisation will need to review their current arrangements against the new and strengthened rights for individuals in respect of their personal data.
Next month, we will outline the practical steps you can take ahead of the May 2018 deadline.
If you want to know more about the GDPR, please contact us.