General Data Protection Regulation (GDPR) Update
On 25 May 2018 new legislation, the General Data Protection Regulation (GDPR), comes into force and supersedes the Data Protection Act.
Despite the result of the 2016 EU referendum, the GDPR still has to be implemented in the UK. The Information Commissioner's Office (ICO) has released a preparation guide to help organisations get ready for it.
The initial good news is that the ICO will abolish the annual registration fee. The GDPR follows on from the Data Protection Act (DPA) and keeps many of its main concepts and principles. ICO: 'If you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR.'
The GDPR introduces eye-watering tiered fines for data controllers found to be falling short of the standards it sets out; these new fines are intended to punish, not just to deter.
Tier 1 shortfalls lead to fines of up to 2% of annual worldwide turnover or 10 million euros, whichever is the greater.
Tier 2 shortfalls lead to fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is the greater.
Individuals' Rights under GDPR
Individuals have rights over their personal data, including rights in relation to:
Automated decision making and profiling
Differences between the DPA and the GDPR
The ICO has highlighted the following areas where the GDPR differs from the DPA:
Greater emphasis on the documentation that data controllers must keep to demonstrate their accountability.
Reviewing approaches to govern and manage data protection.
Providing individuals with more information about their personal data.
Individuals' rights over their personal data.
The right to data portability.
Subject access requests.
Breach Notification Duty.
Privacy Impact Assessments (PIAs).
Requirement for a Data Protection Officer (DPO).
Who the GDPR applies to
Controllers – those (organisations or individuals) who determine the purposes and means, the why and the how, of processing personal data.
Processors – those who process personal data on behalf of a controller.
Organisations operating within the EU.
Organisations outside the EU offering goods and/or services to individuals in the EU.
The GDPR does not apply to processing of personal data in the following circumstances:
Processing for law enforcement purposes, which is covered instead by the Law Enforcement Directive.
The GDPR applies to personal data and to sensitive personal data; however, what the DPA calls sensitive personal data is referred to under the GDPR as 'special categories of personal data'.
The GDPR's definition of personal data is more detailed than the DPA's and makes clear that online identifiers (for example an IP address or a cookie identifier) can be personal data.
The GDPR also covers pseudonymised personal data, that is, data in which identifying details have been replaced by artificial identifiers or pseudonyms. Whether such data still counts as personal data depends on how difficult it is to attribute the pseudonym back to a particular individual; pseudonymisation reduces risk, but it does not by itself take data outside the GDPR.
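To make the attribution point concrete, the following is an added example written for this page (it is not code from the ICO or from the original article). It pseudonymises a constructed set of fictional patient IDs in two ways, with a plain unkeyed hash and with HMAC under a secret key, and then attacks both as an outsider who knows the ID format but does not hold the key. The ID format ('P' plus four digits), the patient records and the key handling are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample data: fictional practice patient IDs and names, not real records.
PATIENTS: Dict[str, str] = {
    "P0042": "Ada Example",
    "P1337": "Bob Sample",
    "P9001": "Cy Placeholder",
}


def naive_pseudonym(patient_id: str) -> str:
    """Unkeyed SHA-256 of the identifier. It looks opaque, but anyone who knows the
    identifier format can recompute it, so this is only weak pseudonymisation."""
    return hashlib.sha256(patient_id.encode("utf-8")).hexdigest()


def keyed_pseudonym(patient_id: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Attributing the pseudonym back to a person
    requires the key, which must be stored separately from the pseudonymised data."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def candidate_ids() -> Iterator[str]:
    """The assumed identifier space: 'P' plus four digits, so only 10,000 guesses."""
    for n in range(10_000):
        yield f"P{n:04d}"


def reidentify(pseudonym: str, fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute fn over every candidate identifier and compare."""
    for pid in candidate_ids():
        if hmac.compare_digest(fn(pid), pseudonym):
            return pid
    return None


def demo(key: Optional[bytes] = None) -> Dict[str, List[str]]:
    """Pseudonymise the constructed records both ways, then attack each table as an
    outsider who knows the ID format but does not hold the HMAC key."""
    key = key if key is not None else secrets.token_bytes(32)
    naive_table = [naive_pseudonym(pid) for pid in PATIENTS]
    keyed_table = [keyed_pseudonym(pid, key) for pid in PATIENTS]

    # Without the key, the attacker can only recompute the unkeyed function.
    naive_recovered = [r for r in (reidentify(p, naive_pseudonym) for p in naive_table) if r]
    keyed_recovered = [r for r in (reidentify(p, naive_pseudonym) for p in keyed_table) if r]
    return {"naive_recovered": naive_recovered, "keyed_recovered": keyed_recovered}


if __name__ == "__main__":
    print(demo())
```

Because the identifier space is tiny, every unkeyed pseudonym is attributed back to its patient almost instantly, so that table is still personal data in anyone's hands. The keyed pseudonyms resist the same attack without the key, which is why the key must be held separately with its own access controls: whoever holds both the key and the table holds personal data, and a processor given only the pseudonymised table still needs the attribution difficulty assessed before treating it as lower risk.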
ICO: 'For most organisations, keeping HR records, customer lists, or contact details etc., the change to the definition should make little practical difference.'
The GDPR applies to personal data held in automated systems and to manual filing systems in which records are accessible according to specific criteria.
The special categories now explicitly include genetic data and biometric data processed to uniquely identify an individual. Data about criminal convictions and offences is not a special category and is dealt with separately.
The main responsibilities for organisations are set out by the data protection principles, and appear similar to the DPA.
The GDPR principles have greater detail than the DPA’s, including a new accountability requirement.
Organisations are required to show how they are complying with the GDPR’s principles.
Under GDPR personal data should be:
'(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’
What you need to do:
Make sure the entire team is aware of the GDPR and its implications on their day to day work
Conduct an information audit and document the personal information you hold, recording where it came from and who can access it
Reinforce practice policy relating to the rights of individuals in respect of the privacy of information held about them
Check practice procedures to ensure they cover individual’s rights about how information is stored and disposed of
Update your procedures and plan how you will handle requests within the revised time scales (subject access requests must be answered within one month under the GDPR, rather than the 40 days allowed by the DPA)
Review your procedures for gaining consent to hold information
Review your procedures for detecting, reporting and investigating personal data breaches
Read the ICO guidance on Privacy Impact Assessments and work out how to implement these in your practice
Glenys Bridges Practice Pathway
T: 07973 361 390