What is it? And why should I know about it?
The General Data Protection Regulation (GDPR) is a new set of European Union regulations designed to protect the personal data of EU citizens.
In the UK, the new regulations will replace the Data Protection Act 1998, effectively updating data protection arrangements that were formed before the rapid expansion of digital technology.
GDPR has far-reaching implications for all organisations handling personal data. Organisations have two years to become compliant with the regulations, ending on 25th May 2018.
GDPR will apply to all ‘public bodies and authorities’, the definition of which is likely to be that used for Freedom of Information purposes. This includes local authorities, universities, publicly funded museums, state schools and NHS trusts.
GDPR allows any European data protection authority (such as the Information Commissioner’s Office (ICO) in the UK) to take action against organisations, regardless of where they are based. Enforcement is backed by fines of up to €20m or 4% of group annual global turnover.
From this, you can see that you should start preparing now. For example, Nottingham City Council has established an Information Assurance Board (IAB) to oversee preparations for ensuring compliance with the regulations by the deadline.
Data Protection Principles
Under GDPR the key data protection principles remain basically the same. However, the organisational effort required to adhere to these principles will be significantly increased. Lawful data processing will become harder, and individuals will have more rights over their data and more ways of challenging its processing. GDPR also introduces a new principle of ‘accountability’.
Personal data must be:
- Processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”)
- Adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimisation principle”)
- Accurate and where necessary kept up to date (the “accuracy principle”)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”)
- Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organisational measures (the “integrity and confidentiality principle”).
The Data Controller is responsible for compliance with the above principles (the “accountability principle”) and must be able to demonstrate compliance.
Find out more
Do you want to know more about the EU GDPR?
Would you like to know how:
- GDPR widens the definition of personal data
- GDPR narrows the grounds for using consent to process personal information
- GDPR enhances rights for individuals, such as:
  - Subject access rights
  - The right to rectification
  - The right to erasure (‘right to be forgotten’)
  - The right to restriction of processing
  - The right to object
  - The right to data portability
  - The right not to be subject to automated decision-making
- GDPR extends liability to data processors
- Public authorities must appoint a Data Protection Officer
- GDPR introduces mandatory Privacy Impact Assessments (PIAs)
- GDPR establishes common data breach notification requirements
- Where to find further information
If so, then please sign up for our free newsletter. In return, you will receive a 12-page article “General Data Protection Regulations – Something to think about” detailing all of the above, and their implications for your organisation.
We hope the above has been useful for you, and we hope you will enjoy our article.