A guide to GDPR

By Brigette Currin 18 March 2019 4 minute read

Overview of the GDPR – Ashtons Legal

Posted 20/06/2017 By: James Tarling

Effective from 25th May 2018.

Data Protection Principles – Personal data must be:

processed lawfully, fairly and transparently
collected for specified, explicit and legitimate purposes
adequate, relevant and limited to what is necessary
accurate and kept up to date
kept no longer than necessary
processed with appropriate security.

Accountability Principle – There are new obligations to implement appropriate measures to ensure and demonstrate that you comply with the GDPR including undertaking and documenting privacy impact assessments. Some organisations will be required to appoint a Data Protection Officer. Organisations with more than 250 employees have additional internal record keeping obligations.

Lawful Basis of Processing – The lawful basis for processing personal data is more important under GDPR. The lawful processing conditions are:

consent of the data subject (there is a greater emphasis on consent being freely given, specific, informed and unambiguous)
necessary for the performance of a contract
necessary for compliance with a legal obligation
necessary to protect the vital interests of a data subject or other person
necessary for the purposes of legitimate interests pursued by the controller.

Individuals’ Rights – The GDPR codifies existing rights of data subjects and creates new rights:

the right to be informed
the right of access
the right to rectification
the right to erasure or ‘right to be forgotten’
the right to restrict processing
the right to data portability
the right to object
rights in relation to automated decision making and profiling.

Fair Processing Information – data subjects must be provided with certain information when data is first collected probably through more detailed privacy notices.

Subject Access Requests – similar to existing rights but with the time to respond reduced to one month (with the ability to extend for complex requests) and the removal of the £10 fee.

Breach Notifications – the GDPR incorporates new obligations to notify data subjects and the ICO of certain data breaches within 72 hours of the breach.

steps to take to comply with gdpr

1. Plan – Create a project team reporting to senior management team to oversee compliance to ensure that have a coordinated approach to prepare for May 2018.

2. Data Protection Officer – Consider if you are required to appoint a DPO or if it would be helpful to do so. Identify appropriate candidate with necessary authority, skills and experience.

3. Audit – Identify what categories of personal data you hold or process and consider as a starting point in relation to each category:

– why was the data collected and what is it used for?

– what will be the appropriate legal basis of processing under GDPR?

– if relying on consent consider whether way in which consent is obtained complies with GDPR.

– is any of the personal data passed to any third parties?

– is any of the personal data ever transferred outside the country?

4. Data Processor Agreements – Review agreements with third parties who process personal data on your behalf. In particular consider stronger breach notification requirements.

5. Privacy Impact Assessments – Start adopting a ‘privacy by design’ approach and consider privacy impact assessments in respect of existing processing of personal data and put in place process for considering and recording decisions in respect of future data processing plans.

6. Privacy Notices – Review existing notices and prepare to update or replace to make GDPR compliant. You will almost certainly need different notices to be issued to different data subjects.

7. Data Breaches – Establish procedures to detect, report and investigate personal data breaches.

8. Staff Awareness – consider updating policies and guidance and rolling out a training programme to bring staff uptodate with the changes in the law and how your organisation has responded.