Print

At a Glance

On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect.

we have produced a sample template for a Statement on GDPR Compliance.

Overview and examples

What's new?

In April 2019 the ICO issued enforcement notices to HMRC for breaches by the use of voice authentication (Voice ID) for customer verification on some of their helplines. HMRC are required to delete some £5m taxpayers records where taxpayers were not given the chance to give or withhold their consent for their data to be held, or given sufficient details about how their data would be processed. 

In January 2018 the European commission published guidance on the new rules, together with an online tool for small and medium sized enterprises.

New Powers and obligations

The Information Commissioners Office (ICO) regulates data protection and information rights in the UK. Under the GDPR from May 2018 they will have increased enforcement powers in respect of:

There will be new obligations for businesses in respect of consent and the reporting of data breaches:

Penalties and fines

There are two levels of fine. The maximum fines are:

Prior to GDPR fines were limited to £500,000.

The lower level of fine (€10,000,000 or 2% of global turnover) will be considered for breaches relating to:

The higher level of fine, (€20,000,000 or 4% of global turnover) will be considered for breaches relating to:

Who does the GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’. The controller says how and why personal data is processed and the processor acts on the controller’s behalf.

What information does the GDPR apply to?

Personal data

Like the DPA, the GDPR applies to ‘personal data’ but the definition is clearer:

Sensitive personal data

How does the GDPR work?

For processing to be lawful under the GDPR, it is necessary to identify a lawful basis for it and to document that basis before the personal data is processed. These are often referred to as the “conditions for processing” and include:

For example, processing credit card details in respect of payments for online purchases of goods or services or taking personal details to respond to an enquiry about services offered.

At least one lawful basis must apply.

Consent

For consent to be a lawful basis for processing data the consent must be:

What constitutes a personal data breach?

A personal data breach means:

What breaches must be notified to the relevant supervisory authority?

The relevant supervisory authority (ICO in the UK) must be notified of a breach:

When do individuals have to be notified of a breach?

Individuals must be notified:

Should an individual ask for a copy of their record (a subject access request):

How and when should breaches be notified?

What exemptions are permitted?

Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights in certain situations; these are similar to the existing exemptions from rights and duties in the DPA.

These only apply:

Can penalties be appealed or mitigated?

A violation can be caused by the act of a third party, i.e. by the organisation being hacked. There will be no automatic exemption or relief where the breach is the result of a cyber-attack. ICO will not treat a data controller as a victim of a cyber-attack; they will instead be treated as negligent and responsible.

However, the following will be taken into consideration for each individual case in deciding whether to impose a fine and the level of fine; in minor cases a reprimand can be given instead.

It is not clear from the regulations what, if any, course of appeal will be open to organisations receiving fines. It is assumed that the ability to appeal ICO decisions which was available prior to the introduction of GDPR will continue to be available.

There are fears that the level of fines under GDPR will lead to specifically targeted cyber-attacks and extortion with threats to send hacked data to ICO if organisations do not pay up.

Professional standards and GDPR

The CCAB draft money laundering standards published in August 2017 require that member businesses must have systems and controls capable of keeping appropriate records. Such systems will need to be reviewed and updated if necessary to meet GDPR requirements.

The Money Laundering Terrorist Financing and Transfer of Funds (information on the Payer) Regulations 2017 also cover data protection stating that personal information obtained in accordance with the regulations must be deleted after 5 years from the point that the business relationship ends unless statutory obligations, or legal proceedings require it to be retained or the relevant individual consent to it being retained.

What now?

ICO produced a document titled  ‘Preparing for General Data Protection Regulation: 12 steps to take now’ to help business prepare ahead of the May 2018 deadline. The 12 steps are:

  1. Awareness
  2. Information you hold
  3. Communicating privacy information
  4. Individuals rights
  5. Subject access requests
  6. Lawful basis for processing personal data
  7. Consent
  8. Children
  9. Data Breaches
  10. Data Protection by Design and Data Protection Impact Assessments
  11. Data Protection Officers
  12. International

Comparison of individual rights: GDPR v DPA

The rights of individuals under GDPR

The GDPR creates new rights for individuals and strengthens some rights already provided for within the DPA. 

 

Rights under GDPR 

Rights under DPA

The right to basic information

This right is the same under the DPA as for the GDPR

The right of access; controllers are obliged to provide data subjects with access to their own personal data

The DPA list of mandatory information which must be provided is much narrower than that for the GDPR.

The right to rectification; data subjects are entitled to require a controller to rectify any errors in their personal data

The position is the same as under the GDPR.

The right to erasure; data subjects have the right to erasure of personal data (the "right to be forgotten") if:

  • the data are no longer needed for their original purpose (and no new lawful purpose exists);
  • the lawful basis for the processing is the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists;
  • the data subject objects, and the controller has no overriding grounds for continuing the processing;
  • the data have been processed unlawfully; or
  • erasure is necessary for compliance with EU law or the national law of the relevant Member State.

This ‘right to be forgotten’ is narrower under the DPA

The right to restrict processing; meaning that the data may only be held by the controller, and may only be used for limited purposes) if:

  • the accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
  • the processing is unlawful and the data subject requests restriction (as opposed to asking for erasure);
  • the controller no longer needs the data for their original purpose, but the data are still required by the controller to establish, exercise or defend legal rights; or
  • if verification of overriding grounds is pending, in the context of an erasure request.

The DPA does not directly cover the right to restrict processing although it does provide for the right to request the blocking of data. This means that the controller must refrain from using the data during the period for which that right applies, even though the data have not yet been deleted.

The right to data portability

This is not included at all under the DPA and it may require investment in new systems and processes

The right to object

The DPA permits an organisation to continue processing the relevant data unless the data subject can show that the objection is justified. The GDPR reverses this burden; the organisation must demonstrate that it either has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights. If it cannot demonstrate this it must cease the processing activity.

Rights in relation to automated decision making and profiling such as the right to object to processing for scientific, historical or statistical purposes

The GDPR gives individuals more specific rights than the DPA

Small print and links

European Commission guidance

Updated CCAB Money Laundering guidance 

New Money Laundering Regulations

Preparing for General Data Protection Regulation: 12 steps to take now’

ICO: data protection reform 

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017  

 

Mr Scruff does GDPR

We like this alternative version of GDPR