General Data Protection Regulation (GDPR)

The UK GDPR includes a number of data protection principles which set out the main responsibilities for organisations. These principles are similar to those in the DPA, but with some added detail. A key change is that the UK GDPR introduces a new principle of accountability. This requires organisations to actively show how they comply with data protection principles, for example by:

  • Having effective policies and procedures in place
  • Providing comprehensive, clear and transparent privacy policies (see below)
  • Appointing a data protection officer (DPO) where appropriate.
  • Implementing technical and organisational measures to show that they have considered and integrated data protection into their processing activities (referred to as data protection by design and default)
  • Carrying out data protection impact assessments (also known as privacy impact assessments) in certain high-risk circumstances

Other important new measures and changes introduced by the UK GDPR include:

Lawful bases for processing personal data

Under the UK GDPR, organisations have to identify and document their lawful basis for processing data. The lawful bases are similar to those previously referred to under the DPA as conditions for processing, and include consent of the data subject and where processing is necessary for performance of a contract. Identifying the lawful basis receives greater focus under the UK GDPR than under the DPA: the basis has to be included in the organisation’s privacy notice (i.e. the information given to an individual when the organisation is collecting their data), and can affect the rights which individuals have.


The UK GDPR tightens the rules around consent given by data subjects:

  • Consent must be specific, informed, unambiguous and given freely.
  • There must be a positive opt-in – consent cannot be inferred from silence, inactivity or pre-ticked boxes
  • All requests for consent must be separate from other terms and conditions
  • It must be as easy for individuals to withdraw consent as it is to provide it.

Individuals generally have more rights (see below) where an organisation relies on consent as a lawful basis. Existing consents will only be acceptable under the UK GDPR if they meet these new, stricter requirements.

Transfer of data

The UK GDPR imposes a prohibition on the transfer of personal data outside of the UK, other than to European Economic Area (EEA) countries or those that meet the UK "adequacy decision" requirements. These additional countries are Andorra, Argentina, Canada (partial), Faroe Islands, Gibraltar, Guernsey, Iceland, Isle of Man, Israel, Japan, Jersey, Liechtenstein, New Zealand, Norway, Switzerland and Uruguay. Transfers to other countries may also be made where derogations apply, such as where the individual has given informed consent to the transfer or where the transfer is necessary for the performance of a contract. However, the derogations should only be used in exceptional circumstances (e.g. for one-off transfers) unless adequate Standard Contractual Clauses are in place with the relevant organisation.

Data breaches

Organisations must notify the Information Commissioner’s Office (ICO) within 72 hours of any personal data breach which is likely to result in a risk to the rights and freedoms of individuals. Individuals also need to be informed directly and without undue delay if there is likely to be a high risk to their rights and freedoms as the result of a breach.

Representation for Data Subjects in the EU

Companies without an entity, branch, or other establishment in the EU are required to appoint an EU representative according to Art. 27 of the GDPR where services are provided to EU-based individuals. We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact within the EU. Prighter gives our clients an easy way to exercise their privacy-related rights (e.g. requests to access or erase personal data).

If you want to contact us via our representative Prighter or make use of your data subject rights, please visit our website page here:

Click to view the Global Tax Network Privacy Policy

Let's talk

Want to talk to us? Call our friendly team or
request a call and we'll get right back to you.

Call +44 (0)20 7100 2126 Request a call