GDPR: 12 key changes

Emma Gross explains the 12 key changes to data protection law you need to know.

The General Data Protection Regulation is new legislation governing the way organisations collect, process and protect the personal information of individuals. Here are the key changes that will apply from 25 May 2018 onwards. If you haven’t already done so, you may also benefit from reading our article on how to prepare for GDPR.

  1. Jurisdiction
    The Regulation will now apply to every organisation or individual who processes the data of EU citizens, whether they are ‘data controllers’ that decide how personal data is processed in order to deliver goods and services, or third party ‘data processors’ that process it on behalf of a data controller. This covers all organisations within the EU, and those outside it that offer goods or services within the EU.

  2. Penalties
    The fine for breaching GDPR is significantly harsher. In the UK, it rises from a maximum of £500,000 per breach to a maximum of €20 million or 4% of annual worldwide turnover.

  3. Data breaches
    Any theft, loss or misuse of personal information where it is likely to result in a risk to the rights and freedoms of individuals must be reported to the relevant Supervisory Authority within 72 hours.

  4. Consent
    Personal information can only be used if consent has been freely and unambiguously given by the individual. ‘Generic’ consent, or acquiescence (reluctant acceptance without protest) will no longer be acceptable. Parental consent is required for children below the age of 13.

  5. Right to be forgotten
    Individuals have the right to ask an organisation to erase any data they hold about them. That organisation has the responsibility to inform any data processors they use.

  6. Subject access requests
    Individuals also have the right to ask for details about any information that is held about them, and how it is processed. This request must now be fulfilled within one month instead of 40 days, and this service cannot be charged for.

  7. Data protection policy
    Organisations with over 250 employees must now provide an easily understandable data protection policy that is accessible to customers, and practical for employees to put into practice. The policy should include information such as the details of the appointed data protection officer, the legal basis for processing, retention periods, the right to complain, whether the provision of data is obligatory or voluntary, and the consequences of not providing data.

  8. Data processor documentation
    Data processors now have to maintain full documentation of all processing they undertake for data controllers, and must also nominate a data protection officer.

  9. Genetic data
    Genetic data has been added as a type of sensitive personal data, and health data now includes anything related to the provision of health services, such as prescriptions and hospital appointment letters.

  10. Privacy impact assessments
    A privacy impact assessment must now be carried out for all high-risk data processing, such as sensitive personal data, public CCTV, and data relating to children, who are defined as anyone under the age of 18.

  11. Regulator
    There will now be one EU data regulator, which prevents the need to deal with separate regulators in each member state.

  12. Consistency
    A special organisation is to be set up by the European Commission to ensure consistency in the application of GDPR. 

Visit our dedicated GDPR page to read the latest insight and commentary about the General Data Protection Regulation.

Read our latest views & insight about the GDPR
Stained glass window
Views & Insights
ICO publishes final version of guidance on consent

Head of employment at SA Law St Albans, Chris Cook, discusses the ICO's guidance on consent

Read More
Stained glass window
Views & Insights
Employers feel unprepared for GDPR deadline

Partner Keely Rushmore comments in People Management on the GDPR and how companies weren't ready for the changes

Read More
Divorce and family law red chair
Views & Insights
EU data is slowing the divorce process

Head of family law at SA Law, Marilyn Bell examines how the GDPR could potentially add more complications to the divorce process

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR affects your mergers & acquisitions too

Acquiring or merging with another organisation means expanding the personal data you hold, whether related to employees, customers, suppliers or other…

Read More
Stained glass window
Views & Insights
GDPR for HR

Solicitor Emma Gross explains why HR professionals should revisit their data protection practices ahead of the GDPR

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR and Information Security: Are your employees trained to protect data?

With just a short while before the General Data Protection Regulation (GDPR) is implemented into UK law, there are many good reasons to check whether…

Read More
SA Law Red arrow neon light image
Views & Insights
What is the difference between ‘data controller’ and ‘data processor’?

It seems fair to say that most organisations are aware that they are subject to obligations under data protection laws and the extent to which they are…

Read More
SA Law Red arrow neon light image
Views & Insights
Charity worker fined for unlawfully obtaining personal data from his employer

Recent case highlights importance of obeying data laws after charity worker fined for misusing personal data.

Read More
GDPR Numbers Image
Views & Insights
GDPR: What should I be doing?

Following a successful run of GDPR compliance events, SA Law's Data & Privacy team share how you can start preparing for the GDPR.

Read More
Green and Red Lights
Views & Insights
GDPR: 12 key changes

Emma Gross explains the 12 key changes to data protection law you need to know.

Read More
Stained glass window
Views & Insights
Information Commissioner demystifies GDPR consent

Head of Employment & Data Chris Cook gives clarity on consent within the GDPR.

Read More
Stained glass window
Views & Insights
How to prepare for the GDPR

The GDPR comes into force on 25th May 2018, but organisations are recommended to start preparing for the changes as soon as possible to avoid non-compliance…

Read More
Views & Insights
ICO issues guidance on preparing for the EU General Data Protection Regulations (GDPR)

As many organisations will be aware, the existing EU data protection provisions are due to be reformed by the GDPR which is expected to receive formal…

Read More
Views & Insights
What every business needs to know about The General Data Protection Regulation

Legislative bodies in Europe have agreed radical reforms to European Union data protection guidelines but it will take time, money and careful planning…

Read More
Stained glass window
Views & Insights
ICO prosecutes company employees for unlawfully accessing client data

A former employee of Lex Autolease Ltd has been prosecuted and fined under section 55 of the Data Protection Act 1998.

Read More
Stained glass window
Views & Insights
ICO issues record £400,000 monetary penalty notice for TalkTalk data breach

The Information Commissioner has issued a record £400,000 monetary penalty notice to TalkTalk Telecom Group plc for failing to keep personal data secure.

Read More
Stained glass window
Views & Insights
Government introducing personal liability for directors for nuisance call fines

Amendments to the Privacy and Electronic Communications Regulations 2003, announced and to be introduced in spring 2017.

Read More
Stained glass window
Views & Insights
Government officially confirms adoption of the GDPR

On appearing before the Culture, Media and Sports Select Committee on 24 October 2016, the Secretary of State Karen Bradley MP, confirmed that the UK…

Read More
Stained glass window
Views & Insights
Departing employee convicted of taking client records before joining rival firm

Employees risk both criminal prosecution and civil action for unlawful use of information belonging to employers.

Read More
Intellectual Property, fonts
GDPR Assist
GDPR Definitions & Who's Who

Helping you get up to speed with everything GDPR

Read More
GDPR Numbers Image
Views & Insights
Fill in the details

Head of Employment and Data Chris Cook examines the importance of staff training when it comes to payroll and the looming GDPR.

Read More
SA Law commuters on London Bridge
Views & Insights
Data Protection Bill under challenge

Gemma Jones, Head of Immigration, explains the immigration exemptions within the upcoming GDPR

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR and Information Security: Are your employees trained to protect data?

With just a short while before the General Data Protection Regulation (GDPR) is implemented into UK law, there are many good reasons to check whether…

Read More
Banner image red car light moving
Views & Insights
Draft Data Protection (Charges and Information) Regulations 2018 and guide published

The draft regulations are of course, subject to Parliamentary approval but, given that there is limited time until the GDPR, they are unlikely to change.

Read More

CONTACT EMMA

If you would like more information or advice relating to this article or a Employment law matter, please do not hesitate to contact Emma Gross on 01727 798049.

© SA LAW 2018

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.