The General Data Protection Regulation, or ‘GDPR’, has been created to provide stronger protection of personal data than that contained in the EU Directive 95/46/EC. The Directive, dating from 1995, introduced a framework that is now inadequate given the enormous changes in digital information and the way in which we use technology.
The GDPR will be directly applicable to all EU Member States without need for national legislation; it comes into force in May 2018. As the UK will still be in the process of leaving the European Union, the GDPR will apply. So far, it is unclear what direction the UK will take in terms of a ‘hard’ or ‘soft’ exit. But the government has confirmed that the commencement of the GDPR will be unaffected.
There are a number of big changes that the GDPR introduces:
- It applies to data controllers and processors outside the EU who offer goods or services to EU citizens, or who monitor their data.
- Significantly, data protection authorities can impose fines for infringements of up to 4% of a company’s annual worldwide turnover, or €20 million, whichever is higher.
- There are new obligations for data processors, increasing their legal liability for any breaches. Data processors must maintain a written record of the processing activities carried out on behalf of each controller and, where required, designate a data protection officer.
- The GDPR gives ‘personal data’ a wide definition, including online identifiers such as IP addresses and, in some circumstances, data that has been pseudonymised.
- The GDPR requires organisations to demonstrate how compliance with its principles is achieved.
- There are higher standards of consent. Under the GDPR, consent must be given by a clear affirmative act, and it must be specific and informed. Importantly, it must be freely given: it must not be made a condition of performing a contract when the consent is unnecessary to perform that contract. A record must be kept of how and when consent was given, and an individual has the right to withdraw consent at any time.
- There is higher protection for children. Where services are offered to a child, the privacy notice must be written in such a way that the child will understand. For children under 16, consent must be obtained from a parent or guardian.
- The principle of the ‘right to be forgotten’ has been included. Individuals have the right to request their data is erased in specific circumstances. There is also an obligation to take reasonable steps to inform third parties that the data subject has requested erasure of any links to, or copies of, the data.
- The right to data portability has been introduced. Individuals are able to obtain and reuse their personal data, which must be provided free of charge and in a structured format. Individuals can also require a data controller to rectify inaccuracies in their personal data.
- Information requirements have been increased so that privacy statements must include name and contact details, state if the data is to be used for marketing purposes, and explain how it will be stored.
If you would like any further information or advice, I can be contacted at: firstname.lastname@example.org