BACKGROUND
The General Data Protection Regulation (GDPR) is an EU regulation that comes into force in May 2018.
EU regulations are legally binding on all member states and automatically come into force on the specified date. There is a difference between regulations and directives — directives set standards and requirements which member states are free to decide how to transpose into national laws.
Article 5 of the GDPR sets out the key requirements for organisations processing personal and sensitive data of EU residents. The GDPR is a minimum threshold and member states may introduce more specific provisions.
The GDPR replaces the Data Protection Directive 1995. It has been adopted by the UK and replaces the Data Protection Act 1998.
Unlike the previous Data Protection Directive 1995, the GDPR seeks to harmonise data protection rules across the EU to further protect data and make it simpler for organisations to do business across the EU.
GDPR also applies to organisations outside the EU if those organisations collect data of an EU resident.
APPLICATION OF GDPR
The Regulation applies to controllers and processors. Controllers determine the purposes and means of processing personal data, while processors are responsible for actually processing personal data. The contracts between controllers and processors must also comply with the regulation.
The GDPR places certain legal obligations on processors of personal data. A processor will be legally liable if they are responsible for a breach of the regulation.
Data must be collected for specified, explicit and legitimate purposes. The lawful basis for processing data must be identified and highlighted to those whose personal data are being collected. Consent of the data subject is important to ensure that data collection is lawful.
Data must be processed in a manner to ensure the security of the personal data. Individuals whose data have been collected have the right to: be informed; access the data; amend; erase; object to the collection and storage of such data.
Data should be accurate and kept up-to-date and where possible inaccurate data should be erased. Data should be kept for no longer than necessary, but may be stored longer for archiving and research purposes.
Any firm that breaches the GDPR may be fined 4% of its annual global turnover or 20 million Euros, whichever is greater.
EXCEPTIONS TO GDPR
- Data covered by the Law Enforcement Directive.
- Data processed for national security purposes.
- Data processed by individuals for personal use.
We offer training and advice on this subject. If you wish to learn more about whistleblowing then you can reach us at ask@penerley.com or call us on 0203 488 3078