What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) has been adopted and will become law in May 2018. It will replace all data protection legislation in European Union (EU) member states, such as the Data Protection Act 1998 (DPA) in the UK.
The GDPR includes new and improved privacy rights for individuals within the EU, such as “the right to be forgotten”. The new obligations relate to the collection, use and transfer of consumers’ personal data.
According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
The regulation applies if the data controller or processor (organisation) or the data subject (person) is based in the EU. It also applies to organisations based outside the European Union if they process personal data of EU residents.
Key themes include:
The GDPR will require organisations to have a legitimate reason for processing personal data. Consent can be given by a written, electronic or oral statement. This could include the data subject ticking a box when visiting a website or choosing technical settings for social network accounts. Importantly, pre-ticked boxes or inactivity will no longer equal consent.
Data subjects’ rights
The GDPR widens the list of rights that an individual can exercise, introducing the right to have personal data processed for restricted purposes and the ability to transfer data to another organisation (data portability).
A few notable exceptions aside, individuals will be able to request that their personal data is erased by the organisation and no longer processed (the aptly named ‘right to be forgotten’).
The regulation requires that organisations notify the ICO of a personal data breach within 72 hours, unless the breach is unlikely to result in a risk for the rights and freedoms of individuals.
As part of the process, individuals should be notified without undue delay to allow them to take the necessary precautions (e.g. change usernames, passwords or bank details) if the data breach is likely to result in a high risk to their personal security.
The new regulation introduces severe penalties for breaches of the GDPR with legislators able to impose fines of up to 4% of an organisation’s global annual turnover in order to ensure compliance.
Data protection officer
The regulation introduces a statutory role of Data Protection Officer (DPO) who will be responsible for ensuring compliance with the GDPR.
What happens next?
The European Union’s General Data Protection Regulation (GDPR) will become law in May 2018.
Although the UK decided to leave the EU on the 23rd of June 2016, it is almost certain these regulations will still need to be implemented within all UK organisations, as it is likely that the UK will still be a member of the EU by May 2018.
Even if or when Brexit happens, the current thinking is that we will adopt all current EU legislation into UK law, until such time as it becomes necessary to revise our own versions. As this, like most EU legislation, is good common-sense legislation to protect consumers, to which the UK itself contributed, there is no reason to think we will significantly revise this, or other EU legislation, in the foreseeable future.
If the government decides the country needs access to the single market, the UK will require laws that provide consumers with comparable protection. This means that any laws will need to reflect the GDPR. In fact, organisations will have to conform to the GDPR if they hold any data on EU citizens, irrespective of their own EU membership status.
How does this affect my organisation?
In reality, it should not be a significant change for organisations, due to compliance with current EU law and the DPA in the UK.
However, with the clock ticking down to 2018, it is prudent for managers, IT teams and any other staff responsible for data protection in your organisation to review current procedures and assess the impact of the GDPR.