What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that applies from 25th May 2018. Because it is a regulation rather than a directive it takes effect directly in the UK, and in every other member state, from that date.
Will it apply to your organisation?
Yes. It will apply to any organisation currently covered by the UK’s Data Protection Act. It will still be relevant after the UK leaves the EU as the UK government has agreed that it will be included in UK legislation.
What’s new compared to current legislation?
Broadly speaking the new regulation:
- Makes organisations accountable: as well as complying with the GDPR principles, they must be able to demonstrate how they comply, for example through records of processing activities, documented policies and risk assessments.
- Has a broader definition of personal data. It explicitly covers online identifiers such as IP addresses and cookie identifiers, location data, and any factor specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity.
- Raises the bar for consent where consent is the lawful basis for processing. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; silence, pre-ticked boxes or inactivity will no longer count. Explicit consent is required for special categories of data (such as health, biometric or genetic data). Consent is only one of several lawful bases, so it is not always the right one to rely on.
- Mandates Data Protection Impact Assessments (DPIAs, often called Privacy Impact Assessments) for processing likely to result in a high risk to individuals, for example large-scale processing of special category data or systematic monitoring. Processes and systems are expected to follow data protection by design and by default: build in measures such as data minimisation, pseudonymisation and access controls from the outset, and default to the least privacy-intrusive settings.
- Gives data subjects the right to erasure (the “right to be forgotten”), so systems must be able to locate and delete an individual’s data wherever it is held, including by processors, unless an exemption applies (such as a legal obligation to retain it).
- Places additional responsibilities on data processors even when they are not the data controller. Equally data controllers will have additional responsibilities to ensure the security of personal data when they use third party organisations as data processors.
- Will require some organisations to appoint a Data Protection Officer.
- Requires parental consent, where consent is the lawful basis, for online services offered directly to children below the age of digital consent (16 under the GDPR, though member states may lower it to 13, which is the age the UK has chosen), and requires reasonable efforts to verify that consent.
- Makes notification of personal data breaches mandatory in some circumstances: the supervisory authority (the ICO in the UK) must be told within 72 hours of the organisation becoming aware of a breach that is likely to result in a risk to individuals, and the affected individuals must be told without undue delay where that risk is high. Every breach, notifiable or not, must be recorded internally, so organisations need an incident response process that can detect, assess and document breaches within that timescale.
- Applies new rules to the transfer of data outside the EU.
- Puts in place new rules for data portability.
Do my liabilities increase with GDPR?
Under GDPR the maximum fine for the most serious infringements (for example breaching the data protection principles, the conditions for consent, or data subjects’ rights) is 4% of annual global turnover or €20m (roughly £17m), whichever is greater. A lower tier of 2% or €10m applies to infringements such as failing to keep adequate records, failing to notify a breach, or failing to carry out a required DPIA. These are maximums; the supervisory authority also has other powers, including warnings, reprimands and orders to suspend processing.