In Monday’s Blog, we introduced you to the new General Data Protection Regulations rolling out across Europe from May 2018. Today, we’d like to take a little of your time to talk you through the changes from DPA to GDPR…
So how does GDPR differ from the Data Protection Act?
The backbone of GDPR does not differ greatly in its principles from the DPA; however, there are some key differences that we feel it’s important to point out. In typical EU fashion, the 99-point directive sets out firstly to determine who might be handling personal data. Section 1 of the directive identifies “data controllers” as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed” – in other words, the decision makers around personal information governed by the directive. It then also identifies “data processors” as “any person (other than an employee of the data controller) who processes the data on behalf of the data controller”, which would include any external agency you work with to handle personal data your organisation holds.
The directive then goes on to give very clear definitions of the types of information you might hold. Firstly there is Personal Data, which broadly refers to any piece of information, such as a name, an address or an IP address, which could be used to identify an individual. Then there is sensitive personal data, which, as you can imagine, is more sensitive and covers a range of areas such as sexual orientation, genetic data, political and religious views, etc.
There are then the obligations of the organisation in how it must comply with GDPR. There will be increased accountability for any company that handles personal data and is subject to the Regulations, including the need for data protection policies and impact assessments and for holding any relevant documentation detailing how data is processed. Any data breach, including “destruction, loss, alteration, unauthorised disclosure of, or access to” personal data held by an organisation, must be reported to the ICO within 72 hours under GDPR in any case where it may be considered to have a detrimental impact upon those whom it is about.
And for large organisations, defined by GDPR as those with 250 or more employees, there is also an obligation to prepare and hold documentation explaining why personal information is collected and processed, outlining the type of information held, how long it’s kept for and a description of the technical security measures in place to protect the data.
One other key feature of the Regulations is the need to employ a Data Protection Officer (DPO). This obligation now falls to any company that carries out “regular and systematic monitoring” of individuals on a large scale or that processes large quantities of sensitive personal data. In certain situations, organisations will also require clearly obtained consent and a “positive opt-in” in order to hold and use personal data.
To satisfy one of the main objectives of GDPR, to increase the rights of the individual, there will be changes to the process by which anyone can request a copy of the information your company holds about them: from now on you will have thirty days to comply with the request, you cannot refuse it, and you can no longer charge them for the privilege.
And then there’s the change everyone is talking about: the fines. Under GDPR, serious breaches can result in the ICO fining an organisation up to 4% of their annual global turnover or 20 million euros – whichever is greater. We’ll just wait a moment for this to sink in.
Check back in with us for tomorrow’s blog to read more about who is affected and how we can help…