General Data Protection Regulation (GDPR)
The GDPR includes a number of data protection principles which set out the main responsibilities for organisations. These principles are similar to those in the DPA, but with some added detail. A key change is that the GDPR introduces a new principle of accountability. This requires organisations to actively show how they comply with data protection principles, for example by:
- Having effective policies and procedures in place
- Providing comprehensive, clear and transparent privacy policies (see below)
- Appointing a data protection officer (DPO) where appropriate
- Implementing technical and organisational measures to show that they have considered and integrated data protection into their processing activities (referred to as data protection by design and default)
- Carrying out data protection impact assessments (also known as privacy impact assessments) in certain high-risk circumstances
Other important new measures and changes introduced by the GDPR include:
Lawful bases for processing personal data
Under the GDPR, organisations have to identify and document their lawful basis for processing data. The lawful bases are similar to those previously referred to under the DPA as conditions for processing, and include the consent of the data subject and processing that is necessary for the performance of a contract. Identifying the lawful basis receives greater emphasis under the GDPR than under the DPA: the basis has to be included in the organisation’s privacy notice (i.e. the information given to an individual when the organisation is collecting their data), and it can affect the rights which individuals have.
The GDPR tightens the rules around consent given by data subjects:
- Consent must be specific, informed, unambiguous and freely given.
- There must be a positive opt-in: consent cannot be inferred from silence, inactivity or pre-ticked boxes.
- All requests for consent must be separate from other terms and conditions.
- It must be as easy for individuals to withdraw consent as it is to provide it.
Individuals generally have more rights (see below) where an organisation relies on consent as a lawful basis. Existing consents will only be acceptable under the GDPR if they meet these new, stricter requirements.
Transfer of data
The GDPR imposes a prohibition on the transfer of personal data outside the European Economic Area. Transfers can only be made where certain conditions are met, including that the receiving organisation has provided adequate safeguards (such as standard contractual clauses). Transfers may also be made where derogations apply, such as where the individual has given informed consent to the transfer or where the transfer is necessary for the performance of a contract. However, the derogations should only be used in exceptional circumstances, e.g. for one-off transfers. They should not be used as the basis for regular transfers of personal data outside the EU.
Breach notification
Organisations must notify the Information Commissioner’s Office (ICO) within 72 hours of any personal data breach which is likely to result in a risk to the rights and freedoms of individuals. Individuals also need to be informed directly and without undue delay if a breach is likely to result in a high risk to their rights and freedoms.