What You Need to Know: General Data Protection Regulation
WHAT IS GDPR?
It stands for General Data Protection Regulation and is the new framework for data protection law in Europe. It replaces current data protection laws in the European Union, including the existing UK Data Protection Act (DPA) 1998 and 2003 Amendment.
The GDPR will apply in the UK from 25th May 2018.
DOES IT APPLY TO ME?
The Information Commissioner’s Office states:
‘The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.’
WHAT INFORMATION DOES GDPR APPLY TO?
Both personal data and sensitive personal data are covered by the GDPR. The ICO website gives a definition of both.
WHAT DOES IT MEAN FOR ME AS AN INDIVIDUAL?
The GDPR will give greater control to individuals over their personal data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations and businesses.
WHAT DOES IT MEAN FOR MY BUSINESS?
In short, the General Data Protection Regulation increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. The new law requires organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
WHAT ABOUT BREXIT?
The Information Commissioner’s Office states on its website that the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The new UK Data Protection Bill, published 14th September 2016, which will work alongside GDPR, must pass through the House of Commons and the House of Lords before it becomes law.
The ICO says:
“The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DP Bill is the details of these. It is therefore important the GDPR and the Bill are read side by side.”