What You Need to Know: General Data Protection Regulation
WHAT IS GDPR?
It stands for General Data Protection Regulation (Regulation (EU) 2016/679) and is the framework for data protection law in Europe. It replaces the 1995 Data Protection Directive and the national laws based on it across the European Union. The UK Data Protection Act 2018 is the UK’s implementation of the GDPR, setting out how the Regulation applies in UK law.
WHEN?
The GDPR came into force across the EU, including the UK, on 25 May 2018.
DOES IT APPLY TO ME?
The Information Commissioner’s Office states:
‘The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you are also subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.’
WHAT INFORMATION DOES GDPR APPLY TO?
Both personal data and sensitive personal data (referred to in the GDPR as ‘special category’ data) are covered by the GDPR. The ICO website gives definitions of both.
WHAT DOES IT MEAN FOR ME AS AN INDIVIDUAL?
The GDPR gives greater control to individuals over their personal data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations and businesses.
WHAT DOES IT MEAN FOR MY BUSINESS?
In short, the General Data Protection Regulation increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. The new law requires organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
WHAT ABOUT BREXIT?
The Information Commissioner’s Office states on its website that the government has confirmed that the UK’s decision to leave the EU has not affected the commencement of the GDPR.
The UK Data Protection Act 2018 (DPA) is the UK’s implementation of the GDPR and came into force alongside the GDPR on 25 May 2018.
For more information on the Data Protection Act 2018, follow the guidance here:
https://www.gov.uk/data-protection
For up-to-date information on data protection in the event of a no-deal Brexit, follow the guidance here:
https://ico.org.uk/for-organisations/data-protection-and-brexit/