Following on from “The Basics” we have highlighted below the key differences to the data protection regulations that will come into effect with GDPR next May 2018.
- GDPR Enforcement – there will be a Supervisory Authority (SA) which will monitor and enforce the GDPR in the UK. Similar SAs will be responsible for monitoring and reporting in other EU countries.
- GDPR applies to all – this means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.
- GDPR widens the definition of personal data – any data that can be used to identify an individual is personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.
- GDPR tightens the rules for obtaining valid consent to using personal information – organisations need to ensure they use simple language when asking for consent to collect personal data, they need to be clear about how they will use the information, and they need to understand that silence or inactivity no longer constitutes consent. Consent of personal data must be freely given, specific, informed and unambiguous. Consent is not freely given if a person is unable to freely refuse consent without detriment.
- GDPR makes the appointment of a DPO mandatory for certain organisations – public authorities processing personal information are required to appoint a data protection officer (DPO), as well as other entities, when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”. The GDPR does away with the criterion of number of employees and focuses instead on what organisations do with personal information.
- GDPR introduces mandatory Privacy Impact Assessments (PIAs) – inclusion of mandatory privacy impact assessments (PIAs) in the GDPR is mainly due to the influence of the UK’s Information Commissioner’s Office, which has worked a lot with PIAs in the past. The GDPR requires data controllers to conduct PIAs where privacy breach risks are high to minimise risks to data subjects.
- GDPR introduces a common data breach notification requirement – Data controllers must notify the Data Protection Authorities as quickly as possible, where applicable within 72 hours, of the data breach discovery.
- GDPR introduces the right to be forgotten – this change is one of the most useful changes for the average person managing their data protection risks. A person will be able to require their data to be deleted when there is no legitimate reason for an organisation to retain it. Following this, the organisation must also take appropriate steps to inform any third party that might have any links or copies of the data and request them to delete it. One of these is the data minimisation principle that requires organisations not to hold data for any longer than absolutely necessary, and not to change the use of the data from the purpose for which it was originally collected, while – at the same time – they must delete any data at the request of the data subject.
- GDPR expands liability beyond data controllers – previously only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all that touch personal data.
- GDPR requires privacy by design – GDPR requires that privacy is included in systems and processes by design. Software, systems and processes must consider compliance with the principles of data protection. Proper erasure of information, for example, is not something often seen in software. But in the future, all software will be required to be capable of completely erasing data, which will be a challenge.
- GDPR penalties – GDPR penalties for any breach are set to be much higher for non-compliance. Previously set at 1% of annual turnover, they could now reach up to 4% of global turnover.
GDPR introduces the concept of a one-stop shop as the legislation will be applicable in all EU states without the need of implementing national legislation. Having a single set of rules will benefit businesses as they will not need to comply with multiple authorities, streamlining the process and saving an estimate of €2.3 billion a year.
Below is a summary table version comparing current Data Protection Act Legislation to the new proposals for GDPR.
|Key Principles||DPA (Current)||GDPR (25th May 2018)|
|1. Enforcement||Enforced by the Information Commissioner’s Office (ICO)||A Supervisory Authority (SA) will monitor and enforce the GDPR in the UK. Similar SAs will be responsible for monitoring and reporting in other EU countries|
|2. Reach||Applies only in the UK||Applies to the whole of the EU and any company (globally) that holds data belonging to EU citizens|
|3. Penalties||Failure to comply with the DPA can result in fines of up to £500,000 or 1% of annual turnover||Penalties for non-compliance of GDPR regulations are expected to reach $20m or 4% of global turnover – a significant increase|
|4. Right to be Forgotten||There is currently no legal requirement for companies to remove the data they hold on an individual||Individuals can exercise their ‘right to be forgotten’ which involves permanently deleting all personal data from company systems|
|5. Data Protection Officers (DPO)||There is currently no obligation for a company to employ a dedicated DPO||You should assume that you need a DPO unless you can demonstrate that you don’t|
|7. Reporting a data breach||Under the current regulations, there is no legal obligation for a data controller to report a breach to the ICO or to individuals whose information has been lost or stolen||Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly. Organisations are also obliged to report a data breach to the relevant supervisory authority (ICO) within 72 hours of becoming aware of it|
|8. Personal Data||Personal data and sensitive personal data||Any data that can be used to identify an individual is personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information|
|9. Privacy Impact Assessment (PIA)||Privacy Impact Assessment (PIA) are not a legal requirement under DPA but has always been ‘championed’ by the ICO||PIA’s will be mandatory and must be carried out when there is a high risk to the freedoms of the individual. A PIA helps an organisation to ensure they meet an individual’s expectation of privacy|
|10. Expanding Liability||Responsibility rests with the Data Controller||Liability extended to all those that touch personal data within an organisation|
|11. Privacy by Design||There is no requirement for an organisation to remove all data they hold on an individual||GDPR requires that privacy is included in systems and processes by design. Software, systems and processes must consider compliance with the principles of data protection. An individual will have the right to erasures – which includes all data being permanently deleted|
You may also find the following article useful https://www.atg-it.co.uk/gdpr/dpa-vs-gdpr/