GDPR: What Do We Need To Know?
Advances in electronic data systems have come at the price of heightened risks for data security. There have been some widely publicised cases where personal data has not been sufficiently safeguarded. Talk Talk recently lost the data of 150,000 customers, including the sensitive financial information of 15,000 of them. An employee of Morrisons recently stole the personal data of 100,000 of Morrisons’ employees. There has been an alarming increase in cyber fraud, malware and ransomware.
Most countries have taken steps to safeguard personal data. The GDPR is a piece of direct legislation from the EU which is already part of English law and comes into effect on 25th May 2018.
Some provisions, including the definition of personal data, are much the same as in the 1998 Data Protection Act, but there are some new definitions and provisions.
What do we need to know as data subjects?
As individuals we are entitled to expect the six principles set out in Article 5 of the GDPR to be adhered to by anyone who processes our data. These provide that personal data shall be:
a) Processed lawfully, fairly and transparently
b) Collected for specified, explicit and legitimate purposes
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
d) Accurate and, where necessary, kept up to date
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed
f) Processed in a manner that ensures appropriate security of the data
As data subjects, we have the following rights (subject to certain conditions):
a) Right of access to personal data.
b) Right to rectification of incorrect or incomplete data.
c) Right to erasure (right to be forgotten).
d) Right to restriction of processing.
e) Right to data portability, i.e. the right to receive the personal data which has been provided, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller.
f) Right to object to the processing of personal data.
What do we need to know as data processors?
Anyone who processes data, not just data controllers, can be liable for a breach. In the Morrisons case mentioned above, the employee who stole the data was liable as well as Morrisons themselves.
As data processors we need to be aware of the principles mentioned above and also the bases on which we are permitted to process personal data. There are six lawful general bases of data processing, as well as some specific ones. These are:
a) Consent – this must be “opt-in” rather than “opt-out”.
c) Legal obligation
d) Vital interests of data subject or a third party.
e) Processing is necessary for the performance of a task carried out in the public interest.
f) The processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party.
As data processors/controllers we will need to consider the use of a Privacy Notice to individual data subjects, setting out the purpose for which their data will be processed and the legal basis on which this is done. It is advisable to have these in place by 25th May 2018.
Penalties under the GDPR are much heavier than under the Data Protection Act 1998. If there is a breach of data security, we must now report this to the ICO and the data subject within 72 hours.
For more information, the ICO website (https://ico.org.uk/) is strongly recommended. There are some very useful and readable guides and a simple ten-step procedure.
Alternatively, please feel free to contact Alison Fielden at Alison Fielden & Co, The Gatehouse, Dollar Street, Cirencester, Glos, GL7 2AN on 01285 653261 or firstname.lastname@example.org.