04 April 2018
1. What is the GDPR?
- The GDPR is an EU regulation that replaces the Data Protection Act 1998
- It came into force on 25 May 2018
- The aim of the GDPR is to protect and empower all EU citizens' data privacy and to harmonise data privacy laws across Europe
Please note, the Data Protection Act 2018 has now received Royal Assent and its main provisions have commenced. This should be read side by side with the GDPR.
2. Who does the GDPR affect?
- Anyone that processes personal data within the EU
- Any organisations outside of the EU that offer goods or services to EU data subjects
- The GDPR will apply to all persons and organisations that control or process personal data
- The GDPR does not apply to the use of data for a purely personal or household activity
3. What’s new?
The following outlines some of the bigger changes that the GDPR brings. You can find more detailed information on the ICO website.
The maximum fine has increased from £500,000 to 4% of annual turnover or €20 Million, whichever is greater.
The standards for consent have been strengthened. There must be a specific ‘opt in’ that is not hidden amongst other information and T&Cs.
There must also be a clear process for individuals to withdraw consent.
Rights of the Individual
These have been strengthened with new rights in relation to:
Right to Access
– the right of the individual to be given information about how their data is being processed and why. Organisations can no longer charge for subject access requests and the information must be provided within one month.
Right to Erasure
– the right to have personal data deleted.
Right to Data Portability
– the right of the individual to have their data transferred to another data controller.
The ICO must be informed of a data breach within 72 hours. If necessary, individuals whose data may be affected by the breach must be informed ‘without undue delay’.
Data Protection by design
This calls for data protection to be considered at the start of designing a new system. It has always been a concept of data protection; however, there is now a general legal obligation. In some cases, there is now a legal obligation to conduct Data Protection Impact Assessments (DPIA), also known as Privacy Impact Assessments (PIA).
Data Protection Officers
Public authorities will have to appoint a Data Protection Officer. Organisations whose core activities include large scale monitoring, or large scale processing of special category data, will also have to appoint a DPO.
Data Protection Principles
The DPA 1998 requires compliance with eight principles. The GDPR keeps the same approach but consolidates the principles to six. The six principles that underpin the GDPR are that data is:
- processed lawfully, fairly and transparently
- only collected and used for particular lawful purposes
- adequate, relevant and not used excessively for that purpose
- accurate and up to date
- stored no longer than necessary
- kept secure, and its integrity and confidentiality are protected
The principle of accountability has been elevated under the GDPR. It is now necessary to demonstrate compliance by:
- implementing appropriate technical and organisational measures
- maintaining relevant documents on processing activities
- meeting the principle of data protection by design and using data protection impact assessments, where appropriate
4. What does ‘personal data’ mean?
Personal data refers to any information that can identify a living individual - either on its own, or if it is combined with other information you hold, or if it is combined with other information that is likely to come into your possession.
5. What does ‘data subject’ mean?
The data subject is the individual that can be identified by the personal data.
6. What does ‘processing’ mean?
If you hold, record or obtain personal data on a computer system or in a structured paper filing system, you will normally be considered to be processing personal data.
7. What does ‘data controller’ mean?
A data controller decides how and why personal data is used.
8. What does ‘data processor’ mean?
A data processor is any person that processes data on behalf of the data controller (other than an employee of the data controller).
9. What is the Society doing to prepare?
- The Society is continuing to protect the personal data of our members, staff and stakeholders
- We are currently reviewing all of the data we hold and ensuring it is GDPR compliant
- We have put processes in place to make sure data protection is a key consideration of any future projects
We will shortly be updating our privacy information.
10. Where can I find further guidance?
The Information Commissioner's Office (ICO) is best placed to provide guidance with regards to the GDPR.
If you are working in a small organisation, there is an ICO advice service.
The ICO ran a workshop for small to medium-sized organisations that look after health-related personal data. You can find the recording and slides from this workshop on their website.
The BPS Practice Guidelines include some information on managing data and retention periods.
If you are employed, you should follow your employer’s policies and guidance.