Just as many of us were getting used to and comfortable with the Data Protection Act 1998 (DPA), the regime is about to change. If you or your business handles personal or sensitive personal data, then you will need to be aware of the main changes on the way. This article highlights the key headings of the General Data Protection Regulation (GDPR) to help you get to grips with the new legal regime in the EU. I want to explain how the GDPR is similar to the current UK Data Protection Act 1998 (DPA), and how it differs. I am writing for those who have day-to-day responsibility for data protection; it does not matter whether you are in HR, in accounts or in customer relations, these regulations are on the way. I know that many will say "we are leaving the EU, what has this to do with us?" Well, I think, and many agree, that the UK legislative authorities will want to follow EU requirements so that we can continue to transfer data (and trade) across mainland Europe. Indeed, the government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.
The ICO (the UK’s independent body established to uphold information rights) is working to help information users and handlers to be ready for the new regulations. This article is heavily sourced from the ICO and the EU’s Article 29 Working Party. The Working Party includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative – for the next 17 months in any event.
The GDPR comes into force in this country from 25 May 2018.
The ICO is the first to acknowledge that there may still be questions about how the GDPR would apply post-Brexit, but it states: “This should not distract from the important task of compliance with the GDPR.”
Does the GDPR apply to you?
As with the DPA, the GDPR applies to 'controllers' and 'processors'. Broadly, the definitions follow the DPA: a controller decides why and how personal data is dealt with (processed), and a processor carries out those instructions. So, in short: if you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
If you are a processor, the GDPR will place new and greater specific legal obligations on you:
You will be required to maintain records of personal data and processing activities.
You will have significantly more legal liability if you are responsible for a breach.
(source: ICO guidance)
Also, controllers have greater liability under the GDPR. You are not relieved of your obligations if a processor is involved; the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
(source: ICO guidance)
In short, you will need to audit your contracts with processors to make sure that they are compliant with the GDPR. Processing both within and outside the EU is covered by the GDPR, which is not so surprising. The GDPR also applies to you, or to organisations outside the EU, if you or those organisations offer goods or services to people in the EU. It does not apply to you if the processing is purely for personal or household activities.
What type of information is covered by GDPR?
The GDPR, like the DPA, covers personal data. BUT the GDPR's definition of personal data is more detailed and extends to information such as an online identifier; an IP address, for example, is potentially covered. This much wider definition allows "a wide range of personal identifiers to constitute personal data", and is designed to reflect developments in cyber technology and the mechanisms organisations use to gather data about individuals.
For day-to-day business, such as keeping personnel details, lists of customers and their contact details, the change to the definition ought to have little additional impact on you. A good working assumption is that if you hold information within the scope of the DPA, it will also be covered by the GDPR.
“The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.”
Sensitive personal data
Like the DPA, the GDPR singles out sensitive personal data, which it calls "special categories of personal data" (see Article 9). In effect the categories are broadly the same as those in the DPA. Naturally, there are some small changes: one example is that the special categories now include genetic data, and biometric data where it is processed to uniquely identify an individual.
If you have any questions regarding the General Data Protection Regulation, contact: