General Data Protection Regulation (GDPR)

Karen Bradley MP, the Secretary of State for Culture, Media and Sport, recently confirmed that the UK will be implementing the General Data Protection Regulation (GDPR), in force from May 2018.

To help businesses prepare for the new regime - which introduces reporting/notification requirements for the first time in the UK and can see businesses fined up to 4% of the company's worldwide annual turnover for breaches - the Information Commissioner's Office (ICO) and the EU Article 29 Working Party (WP29) are beginning to publish guidance on how to interpret the GDPR.

In October 2016, the ICO published a new code of practice on privacy notices, titled 'Privacy notices, transparency and control', aimed at "all organisations that collect information about people, whether directly or indirectly". It provides guidance on: gaining and recording consent; the content of a privacy notice, including how the privacy notice should be written and presented; and how to communicate privacy information to individuals. It also provides guidance on complying with Articles 12, 13 and 14 (which relate to the provision of privacy information to data subjects).

The WP29 has also published its first set of guidance (including FAQs) on the GDPR focussing on the following:

  • Data portability (the right for data subjects to receive the personal data which they have provided to a data controller in a structured, commonly used and machine-readable format, and to transmit that data to another data controller without hindrance)
  • Data Protection Officers (when a DPO is required)
  • The identification of the lead supervisory authority (where the controller or processor is carrying out the cross-border processing of personal data)

WP29 intends to produce guidance documents on:

  • Administrative fines
  • High risk processing and Data Protection Impact Assessments
  • Certification
  • Profiling
  • Consent
  • Transparency
  • Notification of personal data breaches
  • Tools for international transfers

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.