What is GDPR? Who does it apply to? What obligations does it impose and what are the consequences of a breach of the rules?
This is a freeview 'At a glance' guide to the General Data Protection Regulation (GDPR).
At a glance
On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect.
- GDPR will apply to every European organisation that handles the information of private individuals plus non-EU organisations offering goods and services to EU individuals.
- The EU GDPR does not apply post-Brexit; however, the rules have been enacted into UK law. The UK GDPR applies from 1 January 2021.
- GDPR gives the Information Commissioner's Office (ICO) the power to impose high fines: depending on the type of breach, a violation could result in a fine of up to the higher of €20,000,000 or 4% of global turnover.
- A violation can be caused by the act of a third party, e.g. by the organisation being hacked. There will be no exemption or relief where the breach is the result of a cyber-attack.
- The GDPR provides additional rights to individuals and increased restrictions on how and when organisations can process personal data.
We have produced a Sample template for a Statement on GDPR Compliance.
- From 31 December 2020, the EU GDPR ceased to apply in the UK.
- The EU GDPR’s requirements have been enacted into UK law ‘the UK GDPR’ with effect from 1 January 2021.
- The UK is now a 'third country' under the EU GDPR. The European Commission has the power to decide whether a third country has an adequate level of data protection. On 28 June 2021, the European Commission adopted an adequacy decision for the UK under the GDPR.
- The key definitions and terminology in the UK GDPR are the same as those in the EU GDPR, except in a few areas where the UK GDPR differs. Businesses and organisations that receive data from EEA contacts should review their GDPR documentation to check whether any amendments are required to meet the requirements of the new UK GDPR. See Overview tab for more details.
In April 2019 the ICO issued enforcement notices to HMRC for breaches arising from the use of voice authentication (Voice ID) for customer verification on some of their helplines. HMRC are required to delete some five million taxpayer records where taxpayers were not given the chance to give or withhold their consent for their data to be held, or were not given sufficient details about how their data would be processed.
In January 2018 the European Commission published guidance on the new rules, together with an online tool for small and medium-sized enterprises.
From 31 December 2020, the end of the Brexit transitional period, the EU GDPR ceases to apply in the UK, except where organisations provide goods and services to EU residents. Instead, the EU GDPR’s requirements have been enacted into UK law by the Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019, and, with effect from 1 January 2021, a new UK-specific data protection regime ‘the UK GDPR’ applies.
The ICO have said that data collected before 31 December 2020 about people who were located outside the UK at that date remains subject to the EU GDPR as it stood on 31 December 2020. This is now known as ‘frozen GDPR’.
The UK is now a 'third country' under the EU GDPR. The European Commission has the power to decide whether a third country has an adequate level of data protection. The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguards being necessary.
On 28 June 2021, the European Commission adopted two adequacy decisions for the UK: one under the GDPR and one under the Law Enforcement Directive. This means that personal data can flow freely between the UK and EU with equivalent protection in both jurisdictions.
The adequacy decisions are limited to four years. After that period they may be renewed, provided the UK continues to ensure an adequate level of data protection.
The key definitions and terminology in the UK GDPR are the same as those in the EU GDPR. However, there are some areas where the UK GDPR differs. Transfer restrictions for EEA to UK data transfers were delayed to 30 June 2021 whilst an adequacy decision was being sought. Businesses and organisations that receive data from EEA contacts should review their GDPR documentation to check whether any amendments are required to meet the requirements of the new UK GDPR.
New powers and obligations: 2018
The Information Commissioner's Office regulates data protection and information rights in the UK. Under the GDPR, from May 2018 they have increased enforcement powers in respect of:
- Failure to conduct a data protection impact assessment.
- Data Protection Officers (DPOs).
- Failures in respect of documentation.
There are new obligations for businesses in respect of consent and the reporting of data breaches:
- Consent must be specific, informed, freely given and unambiguous.
- Businesses must be able to prove they have consent in order to rely on it (see below for more details).
- Protections must be in place for transferring data to certain countries such as Japan and India.
- Businesses must be accountable by demonstrating that they comply with the principles.
- If the organisation has more than 250 employees, it must maintain additional internal records of processing activities.
- If the organisation has fewer than 250 employees, it is required to maintain records of activities related to higher-risk processing, such as:
  - Processing personal data that could result in a risk to the rights and freedoms of individuals.
  - Processing of special categories of data or criminal convictions and offences.
- Certain businesses must appoint a data protection officer, for example, if they carry out large-scale systematic monitoring of individuals (such as online behaviour tracking) or carry out large-scale processing of special categories of data (see below).
- The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate compliance.
Penalties and fines
There are two levels of fine. The maximum fines are:
From 1 January 2021:
- The standard maximum is the higher of £8,700,000 or 2% of global turnover.
- The 'higher' maximum is the higher of £17,500,000 or 4% of global turnover for certain violations.
To 31 December 2020:
- The higher of €10,000,000 or 2% of global turnover.
- The higher of €20,000,000 or 4% of global turnover for certain violations.
Prior to GDPR, fines were limited to £500,000.
- Fines will be considered on a case-by-case basis.
- The level of fine issued will take a number of criteria into consideration, such as the intent, how many individuals are affected and any previous breaches.
The standard level of fine (£8,700,000 or 2% of global turnover) will be considered for breaches relating to:
- Records of processing activities.
- Cooperation with the supervising authority.
- Security of data processing.
- Notification of a personal data breach to the supervisory authority.
- Notification of a personal data breach to the data subject.
- Data Protection Impact Assessment.
- Designation, position or tasks of the Data Protection Officer.
The higher level of fine (£17,500,000 or 4% of global turnover) will be considered for breaches relating to:
- Rights of the data subject (see Comparison of Individual Rights tab).
- The basic principles for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data (see below).
- Transfer of personal data to a recipient in a third country or an international organisation.
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’. The controller determines how and why personal data is processed, and the processor acts on the controller’s behalf.
- If you were previously subject to the Data Protection Act (DPA), it is likely that you will also be subject to the GDPR.
- The GDPR places specific legal obligations on processors; for example, they are required to maintain records of personal data and processing activities.
- A processor has significantly more legal liability if responsible for a breach. These obligations for processors are a new requirement under the GDPR.
- Controllers are not relieved of their obligations where a processor is involved; the GDPR places further obligations to ensure contracts with processors comply with the GDPR, for example where data processing is outsourced.
- The GDPR does not apply to certain activities including processing for national security purposes, and processing carried out by individuals purely for personal/household activities.
What information does the GDPR apply to?
Like the DPA, the GDPR applies to ‘personal data’ but the definition is clearer:
- Information such as an online identifier, e.g. an IP address, can be personal data, as can cookies in some cases.
- The definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
- If you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
- The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition.
- Personal data that has been pseudonymised or anonymised can still fall within the scope of the GDPR, depending on how difficult it is to match the data back to a particular individual.
Sensitive personal data
- The GDPR refers to sensitive personal data as 'special categories of personal data'.
- The special categories specifically include genetic data, and biometric data where it is processed to uniquely identify an individual.
- Personal data relating to criminal convictions and offences are not included in the special categories, but similar extra safeguards apply to their processing.
How does the GDPR work?
For processing to be lawful under the GDPR, it is necessary to identify a lawful basis for it and to document that basis before the personal data is processed. These are often referred to as the conditions for processing and include:
- Consent of the subject (see below).
- Where it is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
For example, processing credit card details in respect of payments for online purchases of goods or services or taking personal details to respond to an enquiry about services offered.
- Where it is necessary to comply with a legal obligation under EU law or the law of a member state. This could be problematic where the legal obligation arises under the law of a non-EU state, such as a US court order. The obligation must apply to the data controller and must be legally binding/mandatory; a mere request for information does not create a legal obligation.
- Where it is necessary to protect the vital interests of a data subject or another person (such as their child).
- Where it is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject, especially where the subject of the data is a child. Parental permission is required for children (defined as those under the age of 16); this can be difficult to prove.
- The choice of lawful basis matters more under the GDPR because it affects individuals’ rights. See Comparison of individual rights tab.
- For example, if you rely on someone’s consent to process their data, they will generally have stronger rights (for example, to have their data deleted) than if you rely on another basis.
- Where it is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller; processing carried out on this basis may be subject to objections from data subjects.
- A member state can introduce additional lawful bases where necessary for the performance of a task carried out in the public interest and for limited purposes connected with national law.
At least one lawful basis must apply.
For consent to be a lawful basis for processing data, the consent must be:
- Freely given, specific, informed and unambiguous.
- Given by a positive opt-in; consent cannot be inferred from silence, pre-completed boxes or doing nothing.
- Separate from other terms and conditions, with simple ways provided for people to withdraw it. Public authorities and employers will need to take particular care to ensure that consent is freely given.
- Verifiable.
Organisations are not required to replace or refresh existing consents obtained under the DPA in preparation for the GDPR, but any consent relied upon must meet the GDPR standards listed above.
What constitutes a personal data breach?
A personal data breach means:
- A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- A breach is more than just losing personal data.
- For example, the inappropriate accessing of a patient’s health record within a hospital.
What breaches must be notified to the relevant supervisory authority?
The relevant supervisory authority (ICO in the UK) must be notified of a breach:
- Where it is likely to result in a risk to the rights and freedoms of individuals.
- Where, if unaddressed, such a breach is likely to have a significant detrimental effect on the subject, such as discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
- This has to be assessed on a case-by-case basis.
- For example, notification to the relevant supervisory authority will be required about a loss of an individual client’s personal details where the breach leaves them open to identity theft, whereas the loss of a staff telephone list would not require notification.
When do individuals have to be notified of a breach?
Individuals must be notified:
- Where a breach is likely to result in a high risk to their rights and freedoms.
- The threshold for notifying individuals is, therefore, higher than for notifying the relevant supervisory authority.
Should an individual ask for a copy of their record (a subject access request):
- In most cases, organisations will no longer be allowed to charge for providing it.
- They will have a month (previously 40 days) to provide it.
How and when should breaches be notified?
- A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.
- The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows the provision of information in phases.
- If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
- The organisation should ensure that staff understand what constitutes a data breach and that this is more than a loss of personal data.
- Organisations should ensure that they have an internal breach reporting procedure in place to facilitate decision-making about whether they need to notify the relevant supervisory authority or the public.
What exemptions are permitted?
Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights in certain situations; these are similar to the existing exemptions from rights and duties in the DPA.
These only apply:
- Where the essence of the individual’s fundamental rights and freedoms is respected.
- Where the exemption or restriction is a necessary and proportionate measure in a democratic society to safeguard:
  - National or public security.
  - The prevention, investigation, detection or prosecution of criminal offences.
  - Other important public interests, such as economic or financial interests, including taxation matters, public health and security.
  - The protection of judicial independence and proceedings.
  - Breaches of ethics in regulated professions.
  - The protection of the individual, or the rights and freedoms of others.
  - The enforcement of civil law matters.
Can penalties be appealed or mitigated?
A violation can be caused by the act of a third party, e.g. by the organisation being hacked. There will be no automatic exemption or relief where the breach is the result of a cyber-attack. The ICO will not treat a data controller as a victim of a cyber-attack; it will instead be treated as negligent and responsible.
However, the following will be taken into consideration for each individual case in deciding whether to impose a fine and the level of fine; in minor cases, a reprimand can be given instead.
- The nature and duration of the breach taking into account the number of data subjects affected and the level of damage suffered by them.
- Whether the breach is intentional or negligent.
- Whether any action has been taken to mitigate the damage suffered as a result of the breach and what this is.
- Any relevant previous breaches by the controller or processor and what has been done to remedy these including compliance with rules, obligations and bans set by the regulatory authority.
- Cooperation with the supervisory authority.
- Whether the controller or processor notified the breach to the supervisory authority.
- Adherence to approved codes of conduct or approved certification mechanisms.
- Any other mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the breach.
It is not clear from the regulations what, if any, course of appeal will be open to organisations receiving fines. It is assumed that the ability to appeal ICO decisions which was available prior to the introduction of GDPR will continue to be available.
There are fears that the level of fines under GDPR will lead to specifically targeted cyber-attacks and extortion with threats to send hacked data to ICO if organisations do not pay up.
Professional standards and GDPR
The CCAB draft money laundering standards published in August 2017 require that member businesses must have systems and controls capable of keeping appropriate records. Such systems will need to be reviewed and updated if necessary to meet GDPR requirements.
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 also cover data protection, stating that personal information obtained in accordance with the regulations must be deleted five years after the business relationship ends, unless statutory obligations or legal proceedings require it to be retained or the relevant individual consents to it being retained.
ICO produced a document titled ‘Preparing for General Data Protection Regulation: 12 steps to take now’ to help businesses prepare ahead of the May 2018 deadline. The 12 steps are:
- Information you hold.
- Communicating privacy information.
- Individuals' rights.
- Subject access requests.
- Lawful basis for processing personal data.
- Data Breaches.
- Data Protection by Design and Data Protection Impact Assessments.
- Data Protection Officers.
Comparison of individual rights: GDPR v DPA
The rights of individuals under GDPR
The GDPR creates new rights for individuals and strengthens some rights already provided for within the DPA.
| Rights under GDPR | Rights under DPA |
| --- | --- |
| The right to basic information | This right is the same under the DPA as for the GDPR. |
| The right of access; controllers are obliged to provide data subjects with access to their own personal data | The DPA list of mandatory information which must be provided is much narrower than that for the GDPR. |
| The right to rectification; data subjects are entitled to require a controller to rectify any errors in their personal data | The position is the same as under the GDPR. |
| The right to erasure; data subjects have the right to erasure of personal data (the "right to be forgotten") if: | This ‘right to be forgotten’ is narrower under the DPA. |
| The right to restrict processing (meaning that the data may only be held by the controller, and may only be used for limited purposes) if: | The DPA does not directly cover the right to restrict processing, although it does provide for the right to request the blocking of data. This means that the controller must refrain from using the data during the period for which that right applies, even though the data have not yet been deleted. |
| The right to data portability | This is not included at all under the DPA and it may require investment in new systems and processes. |
| The right to object | The DPA permits an organisation to continue processing the relevant data unless the data subject can show that the objection is justified. The GDPR reverses this burden; the organisation must demonstrate that it either has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights. If it cannot demonstrate this it must cease the processing activity. |
| Rights in relation to automated decision-making and profiling, such as the right to object to processing for scientific, historical or statistical purposes | The GDPR gives individuals more specific rights than the DPA. |