What is the GDPR?
The General Data Protection Regulation (GDPR) is a new, Europe-wide law. The UK General Data Protection Regulation (UK GDPR) is part of the data protection landscape that includes the Data Protection Act 2018 (the DPA 2018). The GDPR sets out requirements for how organisations need to handle personal data.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.
Can you help me decide what to include in my privacy notice?
The GDPR sets out the information you should supply and when individuals should be informed.
The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
There’s more information in our right to be informed section of the Guide to the GDPR.
Are we a public authority under GDPR?
The Data Protection Act (when passed) will define ‘public authority’ but it is likely that if you are a public authority as defined under the Freedom of Information Act 2000 or Freedom of Information (Scotland) Act 2002, you will be a public authority for the purposes of the GDPR. State schools in Scotland are not public authorities in their own right but under the control of the relevant local authority; nevertheless, head teachers should familiarise themselves with the guidance below.
Do I need to appoint a data protection officer (DPO)?
Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
Even if you don’t have to appoint a DPO, you do still have to comply with the other requirements of the GDPR.
Can organisations share a DPO?
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. There is more on appointing a DPO in our section on DPOs and when they need to be appointed in our Guide to the GDPR.
What are the rules on security under the GDPR?
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. You can find more guidance in the security section of our Guide to the GDPR.
What lawful bases of processing should I use?
The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences. You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies. More information can be found in our lawful basis section of our Guide to GDPR.
How do we comply with subject access requests under GDPR?
There’s information about subject access requests in the right to access section in the Guide to the GDPR.
Do I always need consent?
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.
You can get more information about all the lawful bases in our Guide to the GDPR.
You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
It’s your responsibility to identify a lawful basis for processing under the GDPR.
There are also checklists on consent to help in the Guide to the GDPR.
Is parental consent always required when collecting or processing children’s personal data?
The GDPR contains new provisions intended to enhance the protection of children’s personal data, in particular, privacy notices and parental consent for online services offered to children.
Article 8 imposes conditions on children’s consent, but it does not require parental consent in every case. Other lawful bases may still be available. Article 8 only applies when the controller is:
- offering information society services (ISS) directly to children; and
- wishes to rely on consent as its basis for processing.
So if an ISS is actually intended for parents to use, or if the controller is relying on a different lawful basis such as legitimate interests, then Article 8 won’t apply.
We’ve included a section covering this topic in our Guide to the GDPR.
How do I know if the consent I have for marketing under the DPA is good enough for the GDPR?
Our consent checklist sets out the steps you should take to seek valid consent under the GDPR. This checklist can also help you review existing consents and decide whether they meet the GDPR standard, and to seek fresh consent if necessary.
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.
You will need to be confident your consent requests already met the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.
If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR- compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
You are also likely to need consent under ePrivacy laws for many marketing calls, texts and emails. These rules are currently found in the Privacy and Electronic Communications Regulations 2003 (PECR). For more about PECR please see ICO’s Guide to PECR.
Is there a toolkit we can use to help us comply with the GDPR?
Use our checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. Once you have completed each self assessment checklist a short report will be created suggesting practical actions you can take and providing links to additional guidance you could read that will help you improve your data protection compliance.
Do I always need consent for marketing and does it have to be opt in or can it be opt out?
No. You won’t need consent for postal marketing but you will need consent for some calls and for texts and emails under PECR. See ICO’s Guide to PECR for more on when you need consent for electronic marketing.
If you don’t need consent under PECR you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
If you do rely upon consent it requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. See our consent checklist for more detail.
Will data portability apply to universities and will there be any technical guidance on how to comply with this?
The right of data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
It does not apply to personal data processed using other lawful bases of processing.
There is more detail in the individual rights section of the Guide to GDPR.
How will personal data breach reporting work in practice?
Under GDPR the reporting of personal data breaches becomes a requirement where it is likely to result in a risk to the rights and freedoms of individuals. In some cases this will also mean that the controller will also have to inform the affected individuals.
There’s more detail in the data breach section of the Guide to the GDPR.
How is the Privacy Impact Assessment (PIA) process different from the Data Protection Impact Assessment (DPIA) process?
Under the Data Protection Act 1998 a Privacy Impact Assessment is a tool that organisations can use to achieve good practice when bringing in new or revised processing of personal data.
Under GDPR a Data Protection Impact Assessment (DPIA) must be carried out when:
- using new technologies; and
- the processing is likely to result in a high risk to the rights and freedoms of individuals.
- Processing that is likely to result in a high risk includes (but is not limited to):
- systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals.
- large scale processing of special categories of data or personal data relation to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms eg based on the sensitivity of the processing activity.
- large scale, systematic monitoring of public areas (CCTV).
There’s more detail on DPIAs in the Guide to the GDPR.
Does my organisation need to register under the GDPR?
If you needed to register under the Data Protection Act 1998, then you will probably need to register, and pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.
The new Regulations will come into force on 25 May 2018. This doesn’t mean that everyone has to re-register and pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act, do not have to re-register or pay the new fee until that registration has expired.
You can find more detail in our Guide to the Data Protection Fee.
Thank you for reading.