
The General Data Protection Regulations – explained

10 Oct 2019 | Under advice


What is the GDPR?

GDPR stands for General Data Protection Regulations. They are a framework of new and enhanced regulations that apply across all EU member states, with the aim of protecting personal data for transactions within the EU. Many of the new requirements are similar to the core concepts of the Data Protection Act 1998, but there are still significant changes that all organisations are required to have made to ensure full compliance.

Why does the GDPR exist?

It was decided that the existing Data Protection laws were outdated, especially given the speed at which the internet has transformed online business. It was also considered that the public's privacy was not protected as stringently as it should be.

When did the GDPR regulations come into force?

The new regulations apply to all organisations that deal with or use personal data across all 28 EU member states from 25th May 2018 onwards. All organisations within EU member states must also be able to show compliance from this date.

What types of privacy data does GDPR protect?

  • Basic ID information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID (Radio Frequency Identification) tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual Orientation

Who will be responsible for ensuring compliance?

The GDPR regulations define several roles for individuals who are responsible for ensuring compliance:

  1. data controller,
  2. data processor and
  3. data protection officer (DPO).

The Controller and Processor are required to appoint a DPO under the GDPR regulations to oversee the organisation’s data security strategy and GDPR compliance.

What impact do the GDPR regulation changes have?

As the list above shows, the types of data protected by the GDPR are vast. There are also other ways in which data now has to be protected, which in turn has a significant impact on organisations and their relationships with third party contacts.

Other privacy factors must also be taken into consideration, such as the location of your client or contact, the consents provided, the amount of information given in privacy notices, transferring data outside of the EU and enhanced security measures.

  • Location

Under these regulations, the location of your client or business contact determines whether or not the enhanced GDPR apply. This means that some non-EU organisations and businesses will also have to ensure that they comply with these regulations in certain circumstances.


  • Consents

In terms of consents, organisations need to ensure that consent received from clients and contacts is freely given, specific, informed and unambiguous. Consent must also be given on an opt-in basis and all contacts must have the option to withdraw their consent in part or completely.

In addition to the consent options, contacts have the right to be forgotten, the right to have their details amended and the right to not be contacted by other third parties by way of automated decision making or profiling.

  • Privacy notices

It is imperative that privacy notices for clients and contacts are clear and concise, as the GDPR increases the amount of information that has to be included. Additional information that must be included in privacy notices includes the expanded rights given to contacts.


  • Transferring data

The GDPR enforces stricter safeguarding measures for the transfer of data outside of the EU. Under these new regulations, this transfer of personal information will only be possible if certain criteria have been met. This means that codes of conduct and certification processes have to be approved in order to ensure compliance.


  • Enhanced security measures

All organisations also have to ensure that all personal data held is kept securely at all times. This may mean that additional measures, such as encryption, are taken to ensure this. All security breaches must be reported to the regulator and, in serious cases, to the individual or contact to which the information relates.

What happens if my organisation is not in compliance?

Under the GDPR, the maximum fines that can be issued for non-compliance are significantly increased. The maximum level of these fines will total €20 million or 4% of total worldwide annual turnover (whichever is greater). In addition to these fines, there is also the significant risk of damage to an organisation’s reputation.

What do I need to do?

  • You need to recognise where your organisation is affected or non-compliant and create a GDPR plan to ensure that these areas of your business are protected; these regulations are not something to be ignored or glossed over.
  • All organisations need to be aware of the implications of these regulations.
  • All organisations need to take action to fulfil their obligations and avoid penalties for non-compliance.
  • This also includes training existing and new staff as well as updating systems, policies and other data protection materials.

How can I achieve compliance with the enhanced duties?

We can help you to:

  1. Identify policies and systems that need to be updated. With our expert advice, we can support your organisation to review current systems and identify policies and processes that require updating.
  2. Provide specific guidance on what your organisation needs to do in order to comply, with a focus on the sector you work in.
  3. Continue to provide support and ongoing updates regarding compliance.
  4. Assist with reviewing and drafting Terms of Business, Terms and Conditions, Privacy Statements, Data Security processes, Codes of Conduct, Corporate rules, Data audits, Data protection policies and Data processing agreements, as well as undertaking periodic compliance checks to ensure that you continue to meet the GDPR requirements.

All legal structures of your organisation need to be up to date and reviewed regularly to ensure that they are compliant with these regulations. If you require assistance to review and update your procedures and policies, please contact Lizzie Bradley or Gill Wooldridge on 01905 900919.