This quick guide is just a starting point to help you find out about GDPR.
For the latest information, see the Information Commissioner’s Office (ICO) website, which has lots of resources from basic tools to detailed guides. It's worth checking back regularly as GDPR information is still being updated.
GDPR is complex and you may wish to seek professional advice from a legal expert in data protection. They will be able to clarify the finer points of GDPR requirements and what it means for your organisation.
What is GDPR?
GDPR is a new data protection law which comes into full effect in 2018. It sets out the main principles of data protection and the responsibilities organisations have when handling personal data. It protects individuals’ personal information and improves their control over how it is collected, stored, shared and used.
What's GDPR about in everyday terms?
If a company has legitimately collected some personal information from or about you - such as your home address, medical history, religion or ethnic background - you'd want them to keep it secure and not misuse it or pass it on inappropriately.
GDPR is about protecting information so that those news stories about very sensitive personal records being lost or made available to others can't happen.
Does Brexit mean that GDPR won't apply in the UK?
No, GDPR still applies in the UK. The UK Government published the draft Data Protection Bill 2017, which included GDPR requirements, in September 2017. This Bill will proceed into law, so all UK companies must comply within the timeframe.
Why does the law need an update?
Since the DPA 1998 came into effect there have been significant advances in technology, social media and digital networks - Google, Facebook, Twitter, Snapchat and Instagram didn’t exist back then. GDPR will bring the law up to date to address new and emerging data threats, and will bring consistency throughout the EU and worldwide for organisations seeking to do business with EU citizens.
Do I really need to know about GDPR?
Yes, because it probably applies to you. No matter what their business is, every UK and EU company or service is likely to hold some personal data, so will need to be GDPR compliant by May 2018.
You need to be sure that your customers’ or staff's personal information is protected according to the legal requirements, as there are substantial new penalties for not complying with GDPR.
I’m self-employed and have a private practice at home. Does GDPR apply to me?
If you process personal data solely within your own personal life or for household activities, GDPR doesn’t apply. But if you undertake any commercial activities, even if you’re a sole trader working from home, it's highly likely that you will be subject to GDPR.
There are some exemptions for organisations with fewer than 250 employees - see Self-assessment on the ICO website for more information.
I've heard GDPR is complicated. Does it require a lot of hard work?
That depends. In its series of myth-busting blogs, the ICO claims that "GDPR is an evolution in data protection, not a burdensome revolution".
GDPR can be time-consuming, costly and complicated if you're not already managing your data effectively. If you already have a strategy and a system in place, and you audit your data in compliance with the DPA 1998, you shouldn’t find the change to GDPR too hard. It could mean just minimal changes to your existing activities and a little more administration.
What are the penalties for non-compliance?
For Tier one incidents, which relate to the organisation's obligations, the fine is up to €10 million, or 2% of annual global turnover (whichever is higher).
For Tier two incidents, which are incidents affecting an individual's privacy rights, the fine is up to €20 million, or 4% of annual global turnover (whichever is higher).
The fines are discretionary, not mandatory, and are made on a case-by-case basis. When deciding which tier applies and what the resulting fine should be, the ICO must consider many factors including:
- the extent of the damage
- what data was involved
- the data protection policies and procedures of the organisation
- any mitigating and corrective actions taken following the infringement
- whether the organisation has caused any previous incidents
Individuals also have the right to compensation for material and non-material damage.
What are the main differences between GDPR and the DPA 1998?
The core principles of data protection remain broadly the same, so if you know about the DPA requirements, you'll find GDPR familiar. But GDPR provides a far more comprehensive framework for data collection, processing and storage. The penalties for getting it wrong are also much more severe.
GDPR gives individuals more control over the data held on them. It introduces tougher fines for privacy breaches and non-compliance, and there are some key changes, such as the age at which minors can give consent.
- An individual’s consent over how their data is processed is given a higher standard. Consent must be quite clear and freely given, and can be withdrawn. Consent must be a positive opt-in, so tick boxes alone will no longer be sufficient. Individuals have the right to know in detail how their personal data is processed, used and shared. (Consent is not the only reason for processing data - there are other reasons such as ‘legitimate interests’.)
- Individuals have greater rights, including the right to have their data corrected or erased, to restrict the processing of their data and to reclaim their personal data and send it on elsewhere. Reasonable requests are free of charge and must be met within a month.
- GDPR sets the age of consent as 16 but this may be lowered to 13 in some cases (Parliamentary approval pending).
- The ICO must be notified about any breaches where there may be a risk to the rights and freedoms of individuals. All breaches must be recorded even where notifying the ICO isn’t necessary.
- The fines for organisations which don’t get it right can be much larger than previously (up to €20 million or 4% of annual worldwide turnover, whichever is higher).
- Some organisations will have to appoint data protection officers to oversee their data processing activities.
- Data controllers will have to have written contracts with any data processors they appoint.
It will remain a legal requirement for data controllers to pay the ICO a data protection fee, but you will no longer have to register your data processing activities with the ICO.
Changes are still being made so check the ICO website regularly. If you sign up for the ICO newsletter, you will get regular updates on the guidance available.
GDPR terms and definitions
Data breach and notification
A personal data breach is a security incident affecting the confidentiality, integrity or availability of personal data, whether caused deliberately or accidentally. For example:
- personal data is lost, destroyed, corrupted or disclosed
- someone has accessed or passed on data without the correct authorisation
- data becomes unavailable, with significant negative effect on individuals
When a security incident takes place, you must quickly establish whether a breach has occurred and how severe the risk is. You must take appropriate steps as soon as possible. It's vital that you know when and what to disclose, and to whom. You must notify all those affected without delay and within 72 hours of the breach. You may also have to report the breach to the ICO within this timeframe.
Failure to report as required can result in a Tier two fine.
Data controller
A person who determines the purposes for which any personal data is processed and the way in which it will be done. They may act alone, jointly or together with other people. Processing means recording or holding personal information or carrying out any operations on it.
Data portability
GDPR will give individuals the right to have their personal data returned to them in an electronic format by the data controller. They may then pass this data on to another controller. This will enable individuals to move to alternative service providers more easily.
Data processor
Any person, other than an employee of the data controller, who processes personal data on behalf of the data controller.
Data protection impact assessments (DPIAs)
DPIAs help identify, assess and minimise the privacy risks of data processing. They’re especially important when new processes, systems and technology are being introduced.
Data protection officer
A DPO advises an organisation and its employees about data protection obligations, including GDPR, and monitors compliance. They are the first point of contact for supervisory authorities and data subjects.
Public companies, or those whose core activities include large-scale systematic monitoring and processing of personal data (including data relating to criminal convictions and offences) will need to appoint a DPO under GDPR. You may still choose to appoint a DPO even if you're not required to do so.
Data subject
The person whose personal data is being processed.
Personal data
Personal data is any personal information that could be used to identify an individual directly or indirectly. Under GDPR the definition is more detailed than under the DPA 1998.
Previously, this data might be a name, address or photo, but it can now also be an email address, computer IP address, medical information, dietary requirements and social media posts. This reflects technological changes and how organisations collect information about people today. GDPR also applies to both automated personal data and to manual filing systems.
Personal data that has been pseudonymised (for example key-coded) may fall under GDPR requirements, depending on how difficult it is to match the code to a specific individual and whether that individual could be identified through the contents of the data. For example, removing a client's name may not be enough if the client could be identified through other information on the file, such as marital status, address or issues arising.
For most organisations that already keep HR records, customer lists and contact details according to DPA 1998 requirements, the changed definition should have minimal practical impact.
Sensitive personal data
The categories are broadly the same as in the DPA 1998:
- political opinions
- religious beliefs or beliefs of a similar nature
- trade union membership
- physical/mental health or condition
- sexual life
- commission or alleged commission of any criminal offence; plus any proceedings, or outcome of any proceedings, relating to an actual or alleged offence.
Under GDPR, sensitive personal data also extends to genetic and biometric data where this is processed to identify an individual.
Privacy by design
Under GDPR, data security and privacy compliance must be built into new organisational and technical systems during their development, not added in later. Only data that is determined as ‘absolutely necessary for the completion of duties’ can be stored and processed.
Right to access
Under GDPR, an individual has the right to find out from a data controller whether their personal data is being processed, where this is happening and why. Controllers must provide a copy of that data free of charge when requested. Individuals may also query and contest decisions affecting them which are made on an entirely algorithmic basis.
Right to erasure
Also known as ‘the right to be forgotten’, individuals can ask the data controller to:
- delete their personal data
- stop its dissemination
- stop third parties processing it
What do I need to do about GDPR?
It's essential that you review your approach to governance and data protection and plan your compliance now. Get all the key people on board, update the relevant policies and procedures and develop any that are missing.
Things to consider when planning for GDPR
What data do you hold?
Conduct an audit. Do you know what personal data you hold, where it comes from and who you share it with?
How do you communicate about privacy?
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
How do you respond to data requests?
Make sure that your procedures are up to date with GDPR requirements. How will you handle requests to see personal data within GDPR timescales and provide any additional information?
What is your legal basis for processing personal data?
Consider the various types of data processing you carry out. Identify and document your legal basis for doing these.
How do you seek, obtain and record consent? Do you need to make any changes?
How can you be sure of individuals’ ages? Consider what systems you will need in place to gather consent for those who cannot give it themselves.
What procedures do you need to identify a breach, report it and carry out an investigation? Do you know what to disclose, when and to whom?
Data protection by design and impact assessments (DPIAs)
Make sure you are familiar with the specific guidance produced by the ICO. Where and how should you implement DPIAs in your business?
Data protection officers
Do you need to designate a DPO? If so, where should the responsibility sit within the organisation and who will hold it?
Are all decision makers and key people in your organisation aware that GDPR is coming in? Do they appreciate the impact that this is likely to have?
If you operate internationally, make sure you know which supervisory authority you come under for data protection.
For further information see:
How can I check if I am GDPR compliant?
The ICO compliance self-assessment may help you.
What else do I need to know about GDPR?
This quick guide is just the beginning. You still need to find out about the full requirements of GDPR, assess how far your business meets the requirements and plan for change where needed.
For further information, please see:
Good Practice in Action - Legal resource: Update on data protection GPiA 097
Information Commissioner’s Office (ICO) resources
EU GDPR text and information