GDPR has been introduced to protect the privacy of all EU citizens. It has also been designed to modernise data protection in a world where cyber risks are increasing.
If, as a business, you comply with the current Data Protection Act, then you are already halfway towards compliance with GDPR, but here we aim to highlight the key areas of change.
GDPR without doubt has extended jurisdiction. It applies to all companies, no matter how small, that process personal data, and it does not matter whether the controller/processor is based in the EU or not. Non-EU businesses processing the data of EU citizens will need to appoint a representative in the EU.
The biggest headline accompanying GDPR information currently is the cost of getting it wrong, and for very good reason! Breach of the GDPR regulations can mean fines of 4% of annual global turnover or €20 million (whichever is greater). These fines can be imposed on both controllers and processors, so getting clued up on the new regulations is essential.
Under GDPR, there must always be a lawful reason for processing data, which must be determined before the data is processed. There are six lawful bases for processing:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances, and it contains provisions about the tasks a DPO should carry out and the duties of the employer in respect of the DPO. Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
The DPO’s minimum tasks are defined in Article 39:
- inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;
- monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits;
- be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
Right to Be Forgotten (Data Erasure)
This new legislation entitles the data subject to request that the data controller erases his/her personal data, ceases further dissemination of the data, and potentially has third parties halt processing of the data. Article 17 of the GDPR sets out more on this subject, including the conditions for erasure.
Under the Data Protection Act, consent is a very loosely defined concept (e.g. consent can be gathered via opt-out options buried amongst hundreds of other terms and conditions). Under GDPR, consent must now be obtained in an intelligible form, in clear language, and distinguishable from other terms. Finally, consent must be as easy to withdraw as it is to give.
GDPR will make breach notification mandatory in all member states where a breach is “likely to result in a risk for the rights and freedoms of individuals”. There is also a time limit of 72 hours after first becoming aware of the breach. Processors will also be required to notify their customers (the controllers).
With the rights of the data subject in mind, GDPR also aims to provide a means for individuals to obtain confirmation from a data controller as to whether personal data about them is being processed and, if so, where and for what purpose. On request, controllers must also provide this data in an electronic format, free of charge.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance.
Privacy by Design has only now become a legal requirement, under GDPR. You now have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.