GDPR slides (1).pptx
The GDPR: what you need to know
In association with

Background to GDPR
- The current EU data protection legislation is the Data Protection Directive of 1995.
- The requirements of the EU Data Protection Directive are given legal effect in the UK by the Data Protection Act (1998).
- Despite robust supervision, concerns remained that data protection regulation was inadequately harmonised across the EU.

Background to GDPR (continued)
- To update the legislation, the General Data Protection Regulation (GDPR) came into force in May 2016.
- As a Regulation it applies directly in every member state from 25th May 2018.
- GDPR will apply in the UK from that date, regardless of any plans to leave the EU.
- The Data Protection Directive 1995 will be repealed.

Overview
GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data

Main changes: new accountability requirement
- Data controllers must be able to demonstrate their compliance with the data protection principles.
- This includes a requirement to maintain a written record of their data processing activities.
- It replaces the current system of notification under the Data Protection Act, whereby a data controller registers with the Information Commissioner's Office when intending to process personal data.

Main changes: extended territorial reach
- Although an EU Regulation, GDPR covers data controllers and data processors outside the EU where their processing activities relate to offering goods and services to data subjects in the EU (or to monitoring their behaviour within the EU).

Main changes: data protection officer
- A data protection officer "with expert knowledge of data protection law and practices" must be appointed in certain circumstances, for example:
  - Public authorities
  - Where the core activities of the data controller or data processor involve the "regular and systematic monitoring of data subjects on a large scale"
  - Where the organisation conducts large scale processing of "special categories of personal data"

Main changes: enhanced rights for data subjects
- Right to restriction of processing: data subjects can require that their data is processed for restricted purposes only.
- Right to data portability: to have their data transferred to a new data controller.
- The right to charge a fee for a data subject access request has been removed, except where requests are manifestly unfounded, excessive or repetitive.
- Right to be "forgotten": to have personal data erased in certain circumstances.

Main changes: new European Data Protection Board
- Consists of the European Data Protection Supervisor and the heads (or senior representatives) of the national data protection authorities.
- Its role is to issue opinions and guidance to ensure the consistent application of GDPR.

Main changes: breach notification requirements
- Currently there is no general requirement to inform the Information Commissioner's Office in the event of a breach. GDPR changes this.
- In the event of a personal data breach, a data controller must notify the relevant data protection authority "without undue delay" and, where feasible, within 72 hours of becoming aware of it.

Main changes: fines
- Currently the Information Commissioner's Office can issue a monetary penalty notice of up to £500,000 for serious breaches of the Data Protection Act.
- GDPR introduces a new system of fines for breaches of the GDPR:
  - For more severe breaches, a fine of up to the greater of 4% of annual worldwide turnover or €20 million
  - For less severe breaches, a fine of up to the greater of 2% of annual worldwide turnover or €10 million

Main changes: consent
- As under the current Data Protection Act, data controllers must have a specified reason (lawful basis) for processing data.
- Where consent is relied on, it must be freely given by the data subject and be specific, informed and unambiguous.
- Any request for consent must be:
  - Separate from other (contractual) terms; and
  - In clear and plain language