In May 2016, after four years of work, the European Union ("EU") published legislation which was the starting gun for the biggest shake-up of data protection in over 15 years: the General Data Protection Regulation (the "GDPR").

In a bid to harmonise data protection laws across the EU, the GDPR will come into force in every EU Member State on 25 May 2018 without the need for any additional domestic legislation.

The changes in data protection legislation recognise the increased sharing of personal data and the concerns of individuals whose personal data is being commodified and exploited by businesses. In a digital age, personal data is a valuable commodity to organisations but it is one which must be protected on the individuals' behalf.

The GDPR is designed to bring a sea change to current attitudes to data protection. It is bringing more power to the people; it is imposing controls on businesses and ensuring that people have the freedom to take control over the personal data that is held about them.

Introduction

I think it's clear that a lot people feel they've lost control of their own data. People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped its moorings.

Elizabeth Denham, Information Commissioner, (January 2017)

The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It's about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.

Elizabeth Denham, Information Commissioner, (January 2017)

Since May 2016, organisations have been working towards compliance with the GDPR, to ensure that the principles of the GDPR are embedded in their culture and day-to-day practices. With the clock ticking and the threat of fines for non-compliance from 25 May 2018, it is important that all organisations sit up and take notice of the changes coming into force.

When the UK does officially leave the EU, the GDPR will no longer be directly applicable in UK law, but the provisions of the GDPR will be embedded in UK law in the provisions of the new Data Protection Bill (which will replace the Data Protection Act 1998). Brexit cannot therefore be used as an excuse for non-compliance.

In brief, the changes consist of:

  • Wider geographical application;
  • Enhanced obligations for data controllers and data processors, which will impact on outsourcing and supply contracts;
  • Enhanced rights for data subjects;
  • Affirmative and recordable consent for the collection and processing of individuals' data;
  • Stronger focus on the lawful pathways a controller or processor can rely on to collect and process data;
  • Onerous reporting obligations to report data breaches;
  • Privacy by design and privacy impact assessments;
  • Published and applied governance controls, policies and procedures;
  • Requirement to determine if a controller or processor has to put in place a mandatory Data Protection Officer; and
  • Greater enforcement power.

We take a look at each of these in turn, followed by setting out our recommendations for approaches that can be taken in relation to each.

Fast facts about the GDPR

Who is affected?

On 25 May 2018, the GDPR will automatically be transposed into the law of every EU member state. The GDPR will also expand the territory in which its obligations must be complied with and obligations will now also apply to data processors.

The GDPR will apply to all organisations "established" in the EU.

What is "establishment"?

An "established" organisation may be one which exercises "any real and effective activity – even a minimal one", through "stable arrangements" in the EU.

The GDPR can also apply to organisations without an "establishment" in the EU, depending on the location of the data subjects. In the case of non-EU established organisations, the GDPR will apply whenever the use of personal data by that organisation relates to:

  • The offering of goods or services to individuals in the EU, irrespective of whether a payment is required.
  • The monitoring of those individuals' behaviour in the EU.

Key terminology

Consent

any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data controller

a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor

a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.

DPIA / PIA

Data protection impact assessments, also known as 'privacy impact assessments' or PIAs.

DPO

Data Protection Officer (you may also see reference to MDPOs, which are Mandatory Data Protection Officers).

Joint controllers

two or more controllers which jointly determine the purposes and means of processing.

Joint controllers must determine their respective responsibilities for compliance with obligations under the GDPR by means of an arrangement between them, and make a summary of that arrangement available to the data subject.

Personal data

any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified (directly or indirectly), in particular by reference to an identifier, e.g. name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Personal data breach

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling

any form of automated processing consisting of the use of personal data to evaluate certain personal aspects of a data subject, in particular to analyse or predict their performance at work, economic situation, health, personal preferences, reliability, behaviour, location or movements.

Pseudonymisation

the processing of personal data in such a way that the personal data can no longer be attributed to an individual without the use of additional information, e.g. a key that is stored separately.
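The definition above turns on the "additional information" being held apart from the pseudonymised records. The following is an added illustration of that separation and is not part of the original article: direct identifiers are replaced with a keyed hash (HMAC-SHA256) so that records remain linkable for analysis, while the key that allows re-identification is kept in a separate store. The function and variable names are assumptions made for this example, and the sample records are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records as they might sit in an operational system.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "visits": 3},
    {"email": "bob@example.com", "postcode": "M1 1AE", "visits": 1},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "visits": 5},
]


def make_key() -> bytes:
    """Generate the 'additional information' (a secret key). Store it separately
    from the pseudonymised data, e.g. in a key vault with its own access control."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed hash. The same identifier under the
    same key always yields the same pseudonym, so records stay linkable."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes, id_field: str = "email") -> dict:
    """Return a copy of the record with the direct identifier swapped for a pseudonym."""
    out = dict(record)
    out["subject_id"] = pseudonymise(record[id_field], key)
    del out[id_field]
    return out


def pseudonymise_dataset(records: list, key: bytes, id_field: str = "email") -> list:
    return [pseudonymise_record(r, key, id_field) for r in records]


def reidentify(pseudonym: str, key: bytes, known_identifiers: list):
    """Re-identification is only possible with the key (and a list of candidate
    identifiers). Without the key the pseudonym cannot be attributed to anyone."""
    for candidate in known_identifiers:
        if hmac.compare_digest(pseudonymise(candidate, key), pseudonym):
            return candidate
    return None


def count_distinct_subjects(pseudonymised: list) -> int:
    """Analysis that works on pseudonymised data alone, without the key."""
    return len({r["subject_id"] for r in pseudonymised})


if __name__ == "__main__":
    key = make_key()  # would live in the separate key store
    dataset = pseudonymise_dataset(SAMPLE_RECORDS, key)
    print(dataset)
    print("distinct subjects:", count_distinct_subjects(dataset))
    candidates = sorted({r["email"] for r in SAMPLE_RECORDS})
    print("re-identified with key:", reidentify(dataset[0]["subject_id"], key, candidates))
    print("re-identified with wrong key:", reidentify(dataset[0]["subject_id"], make_key(), candidates))
```

Note that because the key makes re-identification possible, the GDPR (Recital 26) still treats pseudonymised data as personal data; pseudonymisation reduces risk but does not take the data out of scope, which is why the key store needs its own access controls and logging.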

SAR

Subject Access Request.

Special categories of data ('Sensitive Data')

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a data subject, data concerning health or data concerning a data subject's sex life or sexual orientation.

Supervisory authority

an independent public authority which is established by a Member State to be responsible for monitoring the application of the GDPR, in order to protect the fundamental rights and freedoms of data subjects in relation to processing and to facilitate the free flow of personal data within the EU.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.