A guide to GDPR
Overview of the GDPR – Ashtons Legal
Posted 20/06/2017 By: James Tarling
Effective from 25th May 2018.
Data Protection Principles – Personal data must be:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date
- kept no longer than necessary
- processed with appropriate security.
Accountability Principle – There are new obligations to implement appropriate measures to ensure and demonstrate that you comply with the GDPR including undertaking and documenting privacy impact assessments. Some organisations will be required to appoint a Data Protection Officer. Organisations with more than 250 employees have additional internal record keeping obligations.
Lawful Basis of Processing – The lawful basis for processing personal data takes on greater importance under the GDPR. The lawful processing conditions are:
- consent of the data subject (there is a greater emphasis on consent being freely given, specific, informed and unambiguous)
- necessary for the performance of a contract
- necessary for compliance with a legal obligation
- necessary to protect the vital interests of a data subject or other person
- necessary for the purposes of legitimate interests pursued by the controller.
Individuals’ Rights – The GDPR codifies existing rights of data subjects and creates new rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure or ‘right to be forgotten’
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling.
Fair Processing Information – data subjects must be provided with certain information when their data is first collected, probably through more detailed privacy notices.
Subject Access Requests – similar to existing rights but with the time to respond reduced to one month (with the ability to extend for complex requests) and the removal of the £10 fee.
Breach Notifications – the GDPR incorporates new obligations to notify data subjects and the ICO of certain data breaches within 72 hours of the breach.
Steps to take to comply with the GDPR
1. Plan – Create a project team, reporting to the senior management team, to oversee compliance and ensure a coordinated approach to preparing for May 2018.
2. Data Protection Officer – Consider whether you are required to appoint a DPO, or whether it would be helpful to do so. Identify an appropriate candidate with the necessary authority, skills and experience.
3. Audit – Identify what categories of personal data you hold or process and, as a starting point, consider in relation to each category: