Following Brexit some may have thought we could avoid the upcoming EU General Data Protection Regulation (GDPR), but that is essentially not the case.
If we want to continue with as close a business relationship as possible with our EU friends then we need to comply with their expectations on data protection.
The good news is that EU GDPR effectively builds on the requirements of our own Data Protection Act 1998 which we should already be complying with.
Furthermore, if organisations are also following best practice as advised by the ICO (Information Commissioner’s Office), for example around Privacy Impact Assessments, then they are in a good position for the upcoming EU GDPR (which comes into force in 2018).
It is worth refreshing on the key principles within the current Data Protection Act 1998, as they are fundamental to good data governance. Some key points on the 8 principles:
Principle 1: Personal data must be processed fairly and lawfully (with certain condition(s) met, more onerous with regard to sensitive data). Fair processing or privacy/data protection notices are a key part of this principle (and are what one typically sees on the internet when one divulges personal data for online shopping purposes). These should include the requester’s identity, purposes, etc. Consent should be informed and voluntary.
Principle 2: Personal data must be processed for lawful purposes, e.g. not for criminal activity!
Principle 3: Personal data obtained and kept must be adequate, relevant and not excessive. E.g. asking someone their shoe size when booking a hotel room would seem irrelevant :)
Principle 4: Personal data must be accurate and, where necessary, kept up to date. Organisations must take reasonable steps on this, e.g. sending out data verification requests to data subjects periodically.
Principle 5: Personal data must not be kept longer than necessary. Organisations must make a careful assessment on this.
Principle 6: The various rights of data subjects as prescribed by the Act must be complied with, e.g. the rights of data subjects to see the data held on them etc.
Principle 7: This is a very broad and important one: it requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. From the technical side a whole range of measures need to be taken, ranging from back-up and disaster recovery to strong access controls etc. Training is a key organisational measure.
This area also links in with the hot topic of cyber security, considering how many data breaches have been due to hacking, so organisations need to take an appropriate risk-based approach in this regard.
Principle 8: Finally, personal data must not be transferred outside the EEA unless there is adequate protection for the rights and freedoms of data subjects – there is an EC safe list of countries, but for those not on that list other sufficient measures need to be in place.
Building on this the EU GDPR makes some key stipulations including but not limited to:
• Larger territorial scope will apply to (i) data controllers and processors established in the EU that process personal data; and (ii) controllers and processors not based in the EU who target individuals who are in the EU
• GDPR introduces new explicit principle of accountability – controllers must ensure compliance
• GDPR introduces direct statutory obligations for processors including (i) appointment of a Data Protection Officer; and (ii) breach notification – duty to notify controller without undue delay
• Expanded definitions/new concepts – a) Personal data – GDPR clarifies that location data, genetic data, online identifiers and technology identifiers are personal data; b) Pseudonymous data – defined as data that does not allow identification of individuals without additional information that is kept separate; c) Anonymised data – not within scope of GDPR; d) Profiling – automated processing of personal data used to evaluate an individual’s ‘personal aspects’
• Minors – Consent must be obtained from parents when personal data is collected from minors below the age of 16
• Data Subject Rights – GDPR maintains existing rights (right to be informed, right to access and rectify data, right to object to the processing) and expands or introduces new rights: right to erasure (and right to be forgotten); right to restrict the processing of personal data; and right to the portability of data
• Privacy by Design/Privacy by Default – GDPR introduces the new concepts of ‘privacy by design’ and ‘privacy by default’
• Data Protection Impact Assessments – Controllers must carry out a data protection impact assessment prior to processing data where the processing is likely to result in a high risk to the rights/freedoms of individuals due to (i) the use of new technologies; and (ii) the nature, scope, context and purposes of processing
• Data Breach notification – GDPR introduces an obligation to notify personal data breaches: (i) to the supervisory authority within 72 hours; and (ii) to affected individuals without undue delay (where likely to result in a high risk to such individuals)
There is a lot of terminology when it comes to data protection law, and the ICO has a very good glossary which can be found here: