The General Data Protection Regulation is new legislation governing the way organisations collect, process and protect the personal information of individuals. Here are the key changes that will apply from 25 May 2018 onwards. If you haven’t already done so, you may also benefit from reading our article on how to prepare for GDPR.
The Regulation will now apply to every organisation or individual who processes the data of EU citizens, whether they are ‘data controllers’ that decide how personal data is processed in order to deliver goods and services, or third party ‘data processors’ that process it on behalf of a data controller. This covers all organisations within the EU, and those outside it that offer goods or services within the EU.
The fine for breaching GDPR is significantly harsher. In the UK, it rises from a maximum of £500,000 per breach to a maximum of €20 million or 4% of annual worldwide turnover.
- Data breaches
Any theft, loss or misuse of personal information where it is likely to result in a risk to the rights and freedoms of individuals must be reported to the relevant Supervisory Authority within 72 hours.
Personal information can only be used if consent has been freely and unambiguously given by the individual. ‘Generic’ consent, or acquiescence (reluctant acceptance without protest) will no longer be acceptable. Parental consent is required for children below the age of 13.
- Right to be forgotten
Individuals have the right to ask an organisation to erase any data they hold about them. That organisation has the responsibility to inform any data processors they use.
- Subject access requests
Individuals also have the right to ask for details about any information that is held about them, and how it is processed. This request must now be fulfilled within one month instead of 40 days, and this service cannot be charged for.
- Data protection policy
Organisations with over 250 employees must now provide an easily understandable data protection policy that is accessible to customers, and practical for employees to put into practice. The policy should include information such as the details of the appointed data protection officer, the legal basis for processing, retention periods, the right to complain, whether the provision of data is obligatory or voluntary, and the consequences of not providing data.
- Data processor documentation
Data processors now have to maintain full documentation of all processing they undertake for data controllers, and must also nominate a data protection officer.
- Genetic data
Genetic data has been added as a type of sensitive personal data, and health data now includes anything related to the provision of health services, such as prescriptions and hospital appointment letters.
- Privacy impact assessments
A privacy impact assessment must now be carried out for all high-risk data processing, such as sensitive personal data, public CCTV, and data relating to children, who are defined as anyone under the age of 18.
There will now be one EU data regulator, which prevents the need to deal with separate regulators in each member state.
A special organisation is to be set up by the European Commission to ensure consistency in the application of GDPR.