<p>The Information Commissioner’s Office (ICO) is introducing updated regulations regarding data protection. This will be known as GDPR (General Data Protection Regulation). These changes are due to come fully into effect in May 2018. Although that may seem a way off yet, there are some important changes that data controllers need to prepare for in advance.</p>
<p>We thought, therefore, that a short series giving you some useful information on these changes over the next few months would be handy for you.</p>
<p>Today’s article is a brief summary of the proposed changes. We will be assessing some of the aspects highlighted below in more detail in subsequent articles. Please keep coming back for more information, or subscribe to our updates.</p>
<p><strong>GDPR – New and significant changes at a glance</strong></p>
<p>The key areas are:</p>
<ul>
<li><strong>Transparency and consent</strong> – This refers to the information that’s provided by someone, and the permissions a business needs from that individual to be able to use that data. Consent cannot be ambiguous or assumed via inaction.</li>
<li><strong>Children and consent</strong> – Verifiable parental consent will be needed for online services that require consent for processing a child’s personal information.</li>
<li><strong>Regulated data</strong> – Definitions of ‘Personal Data’ and ‘Sensitive Data’ have been enhanced.</li>
<li><strong>Pseudonymisation</strong> – A method of separating data from individuals’ names to prevent attribution, which is to be used more.</li>
<li><strong>Personal data breach</strong> – A new law regarding security breaches and communication is to be introduced.</li>
<li><strong>Data protection by design and accountability</strong> – Significant enhancements have been made to how organisations must demonstrate their compliance with GDPR.</li>
<li><strong>Enhanced rights</strong> – Individuals will have significantly extended rights regarding how their data is used.</li>
<li><strong>Supervisory authorities and the EDPB</strong> – There will be a new lead authority for certain organisations with regard to regulation of data protection.</li>
</ul>
<p><strong>What about Brexit?</strong></p>
<p>It’s true that GDPR was initiated to bring the UK’s data protection regulations more in line with those of the EU. However, it’s important to note that despite the referendum regarding Britain leaving the EU, “The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.” ICO.org.uk (<a href="https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/">https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/</a>)</p>
<p><strong>To whom does GDPR apply?</strong></p>
<p>GDPR will apply to:</p>
<ul>
<li>The Data Controller – The person who controls how and why personal data is gathered and processed. That person will have an obligation to ensure their Processor(s) comply with GDPR.</li>
<li>The Data Processor – The person who acts on behalf of the Controller. That person will have specific obligations to meet, e.g. the maintenance of records of processing activities.</li>
</ul>
<p><strong>To what information does the GDPR apply?</strong></p>
<p>With regard to personal data, the definition is extended beyond the original definition contained within the Data Protection Act. There are then additional aspects for Data Controllers and Data Processors to be aware of.</p>
<ul>
<li>Sensitive personal data will be a special category within the scope of personal data, which will include things like biometric data.</li>
<li>As a rule of thumb, it’s best to assume that if you hold data that falls within the remit of the current DPA it will also fall within the remit of GDPR.</li>
<li>GDPR applies to both automated personal data and manual filing systems.</li>
<li>Personal data that has been pseudonymised may also fall under the scope of GDPR.</li>
</ul>
<p>We’re hoping that’s given you a useful introduction to the subject. Over the next few weeks we’ll be delving into some of these aspects in a little more detail. Please do keep coming back for more!</p>