The UK GDPR and the Data Protection Act 2018 are the current legislation relating to Data Protection and Information Governance.
Guide to the UK General Data Protection Regulation (UK GDPR) | ICO
It is important that you make yourself familiar with the information on this page. Details of the steps we need to take can be found in the attached document DP Bill Part 3 - 12. Guidance on Data Protection legislation is also available on the Information Commissioner's Office Website.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. GDPR Recitals and Articles [pdf] 1MB (See Articles 3, 28-31 and Recitals 22-25, 81-82)
What information does the GDPR apply to?
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier (eg an IP address) can be personal data.
Sensitive personal data
The GDPR refers to sensitive personal data as 'special categories' of personal data. These categories are broadly the same as those in the DPA, but there are some minor changes, eg the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. GDPR Recitals and Articles [pdf] 1MB (See Articles 2, 4, 9, 10 and Recitals 1, 2, 26, 51)
Key areas to consider:
For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. This is what the DPA referred to as the “conditions for processing”. GDPR Recitals and Articles [pdf] 1MB (See Articles 6-10 and Recitals 38, 40-50, 59)
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action (in other words, a positive opt-in); consent cannot be inferred from silence, pre-ticked boxes or inactivity. GDPR Recitals and Articles [pdf] 1MB (See Articles 4(11), 6(1)(a), 7, 8, 9(2)(a) and Recitals 32, 38, 40, 42, 43, 51, 59, 171)
Children's Personal Data
The GDPR contains new provisions intended to enhance the protection of children’s personal data. The GDPR states that, if consent is your basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves and instead consent is required from a person holding ‘parental responsibility’ – but note that it does permit member states to provide for a lower age in law, as long as it is not below 13. GDPR Recitals and Articles [pdf] 1MB (See Article 8 and Recitals 38, 58, 71).
- The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.
- The GDPR provides the following rights for Individuals:
The right to be informed
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data. GDPR Recitals and Articles [pdf] 1MB (See Articles 12(1), 12(5), 12(7), 13, 14 and Recitals 58-62)
The right of access (Subject Access Requests)
- The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
- A copy of the information must be provided free of charge. The removal of the £10 subject access fee is a significant change from the existing rules under the DPA.
- There will be less time in which to comply with a subject access request under the GDPR. Information must be provided without delay and at the latest within one month of receipt. GDPR Recitals and Articles [pdf] 1MB (See Articles 12, 15 and Recital 63)
The right to rectification
- Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
- If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate. GDPR Recitals and Articles [pdf] 1MB (See Articles 12, 16 and 19)
The right to erasure (the right to be forgotten)
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. GDPR Recitals and Articles [pdf] 1MB (See Articles 17, 19 and Recitals 65 and 66)
The right to restrict processing
Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future. GDPR Recitals and Articles [pdf] 1MB (See Articles 18, 19 and Recital 67)
The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. GDPR Recitals and Articles [pdf] 1MB (See Articles 12, 20 and Recital 68)
The right to object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics. GDPR Recitals and Articles [pdf] 1MB (See Articles 12, 21 and Recitals 69, 70)
Rights related to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR. GDPR Recitals and Articles [pdf] 1MB (See Articles 4(4), 9, 22 and Recitals 71, 72)
Accountability and Governance
The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. GDPR Recitals and Articles [pdf] 1MB (See Article 30, Recital 82)
Data Protection by Design and by Default
Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. GDPR Recitals and Articles [pdf] 1MB (See Article 25 and Recital 78)
Data Protection Impact Assessments
Data protection impact assessments (DPIAs) (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. While not a legal requirement under the DPA, the ICO has promoted the use of DPIAs as an integral part of taking a privacy by design approach. See the ICO’s Conducting privacy impact assessments code of practice for good practice advice. GDPR Recitals and Articles [pdf] 1MB (See Articles 35, 36, 83 and Recitals 84, 89-96)
CCG Data Protection by Design and Data Protection Impact Assessment Guidance Note
Appointing a Data Protection Officer
Under the GDPR, you must appoint a data protection officer (DPO) if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences. GDPR Recitals and Articles [pdf] 1MB (See Articles 37-39, 83 and Recital 97)
Data Breach Notification
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. GDPR Recitals and Articles [pdf] 1MB (See Articles 33, 34, 83 and Recitals 85, 87, 88)
Transfers of Data to Third Countries or International Organisations
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined. GDPR Recitals and Articles [pdf] 1MB (See Article 45 and Recitals 103-107, 169)
Helpline established by the UK Regulator for small businesses
The Information Commissioner's Office (ICO) has launched a dedicated advice line to help small organisations prepare for the new data protection laws. The ICO said 'people from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support'. As well as advice on preparing for the GDPR, callers can also ask questions about current data protection rules and other legislation regulated by the ICO.