On 25 May 2018, the General Data Protection Regulation (GDPR) - designed to protect European Union citizens' data - became law. It replaced the preceding EU privacy directive, which was legislated in the UK through the Data Protection Act 1998.
The new regulation enhances some of the established data protection principles, strengthens the rights of individuals, and places greater requirements on businesses and organisations that process personal data.
GDPR changes May 2018
Key GDPR changes include:
- Broader definition of personal data - 'personal data' now includes any potential identifier - not just the person's name, address and email address, but also other factors such as identification number, location data, IP address, etc.
- Higher bar for lawful processing - processing must fall within one or more of the six permitted legal justifications. See more on legal basis for processing of personal data.
- More rights for individuals - including the right to be informed, to access, rectify and erase data, to restrict processing, to data portability, to object to processing and, finally, the right not to be subject to automated decision making and profiling. See data subject rights under the GDPR and dealing with subject access request.
- Requirement to notify data breaches - you will have to report a breach to the Information Commissioner's Office (ICO) if it is likely to result in a high risk to the rights and freedoms of individuals. You will have to do this without undue delay, and where feasible, no later than 72 hours after you become aware of the breach. You may also need to tell the individuals affected. See reporting serious breaches of personal data.
- Liability for suppliers and processors - GDPR now directly regulates data processors, as well as controllers, who are required to comply with a number of specific obligations.
- Greater accountability and governance - GDPR requires organisations to demonstrate compliance with the data protection principles, eg by keeping a detailed record of processing operations, performing data privacy impact assessment, or implementing data protection by design.
- Requirement to appoint a Data Protection Officer - this only applies to public authorities and organisations that regularly and systematically process personal data, or sensitive personal data, on a large scale. See more on appointing a data protection officer.
- Sharing data outside Europe - GDPR introduces more stringent rules around data transfer, requiring data processors and controllers to carry out due diligence and put in place contractual or safeguarding measures. Read about the international transfers of personal data.
- Wider territorial scope - GDPR provisions apply not only to EU-based companies, but to all organisations that process personal data of EU citizens, regardless of where the organisation is located.
- Tougher sanctions - potential penalties for non-compliance increased significantly. The data protection regulator will have the powers to issue fines of up to 4 per cent of annual worldwide turnover or €20 million, whichever is greater. Read about GDPR penalties and enforcement.
Businesses that adopted a best practice approach to compliance with the DPA should not find it too difficult to adapt to the new requirements.
How to become GDPR compliant
A typical first step towards compliance will be a data audit. This will allow you to understand and document the data that you hold or process as part of your business. You can use our GDPR data audit checklist to help guide you through the process.
Following the audit, you will be better informed and able to review and enhance your existing data protection practices, to make them compliant. Use our GDPR compliance checklist to work through the steps involved in complying with the new regulation.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.