The General Data Protection Regulation (GDPR) becomes law in the UK on 25 May 2018 and will be unaffected by our decision to leave the EU. The regulation strengthens the rights of individuals to control the way in which their personal information is used and increases obligations on businesses to ensure that any personal data they collect is dealt with in a fair and transparent way. If you have not already familiarised yourself with the provisions of the GDPR, and audited your business to ensure compliance, you need to do this now before the new requirements come into force.
In the first of a two-part series of articles looking at GDPR, we are providing an overview of the key requirements. In the second article, we will explain the steps you should take to prepare for them.
Individuals will have the right to:
Some of these rights are similar to those already enjoyed under the Data Protection Act, but some are very different, including the enhanced right to have information erased, known as the ‘right to be forgotten’:
‘The right to be forgotten exists where there is no compelling reason for personal information about an individual continuing to be held and used, for example where it is no longer needed for the purpose for which it was collected or where use of the information was only permissible because of the individual’s consent and this has since been withdrawn. However, it is not an absolute right which means that where, for instance, there is a legal obligation to continue to use the information or where the information is needed for the bringing or defending of a legal claim, a request for erasure can be refused.’
Where someone asks for erasure and you determine that the request should be respected, you will need to ensure that the erasure actually occurs. You will also have to notify any third party you have shared the information with so that they can take steps to erase it as well.
Businesses will have to:
Again, some of these obligations already exist under the Data Protection Act, but there has been a widening and strengthening of the requirements. For example, if you are relying on the consent of an individual for the collection and use of their personal data, this consent needs to be express. You cannot rely on pre-ticked or opt-out boxes, or on silence or inactivity. You also need to ensure that where consent is given, you make it easy for that consent to be withdrawn.
The definition of personal data has been broadened to include online identifiers, such as an IP address, and pseudonymised data – that is, data that has been altered to try to make it less obvious who it relates to, but from which it is still possible to determine who the individual is. For example, if you use a system which identifies individuals by a reference number made up of a combination of random letters and numbers rather than the individual’s name, this will still be caught if it is possible to link the reference number back to the particular individual concerned.
Businesses will have to demonstrate compliance with the GDPR requirements or face the possibility of a fine of up to £20 million or four per cent of annual global turnover, whichever is higher.