GDPR - General Data Protection Regulation

What is it?

  • The General Data Protection Regulation (GDPR) is the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements.
  • If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

Who does it refer to?

  • It is for those who have day-to-day responsibility for data protection. The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf.
  • Processors: If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach.
  • Controllers: If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

What does it mean for my business?

  • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
  • There are individual rights that need to be adhered to, both in terms of process actions and within certain defined times.
  • Depending on your company category and/or type of data processing, you must appoint a Data Protection Officer.

What are the penalties?

  • If you infringe the requirements of the code of practice, you may be suspended or excluded and the supervisory authority will be informed. You also risk being subject to a fine of up to 20 million Euros or 4 per cent of your global turnover – whichever is higher!

When does it affect me?

  • The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

Summary made from the ICO: