What is GDPR?
The EU General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016 and enters into force on 25 May 2018.
The GDPR is intended to update and enhance current data protection legislation by requiring businesses that deal with EU citizens, including employees, to be transparent about how they use those individuals' data.
The GDPR covers the collection, storage and handling of personal and special category data:
- Personal data is any information relating to a person who can be identified by an identifier such as a name, identification number, location data, online identifier or through specific factors relating to their biological or social identity.
- Special category personal data is data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, genetic or medical information, or orientation. There are additional restrictions when processing these types of data.
Organisations to which the GDPR applies will be subject to the oversight of the data protection authority situated in the EU Member State where the majority of their operations are situated or take place.
What are the key requirements?
Processing personal data must be lawful, fair and transparent.
Processing personal data is only permitted if:
- Consent has been obtained; or
- The processing is necessary and an appropriate privacy notice has been provided.
Processing is necessary if it is undertaken to meet at least one of the following criteria:
- Perform a contract with the individual;
- Comply with a legal obligation;
- Protect the vital interests of the individual or another person;
- Perform a task in the public interest;
- Allow your organisation to pursue its legitimate interests, provided these are not overridden by fundamental rights of the individual such as the right to privacy.
The requirements are more onerous where special category data is involved, and normally the individual’s explicit consent will be needed.
How does it differ from current legislation?
The key principles of data protection in the GDPR are consistent with the Data Protection Directive; however, the standards expected of data controllers and processors are increased. Organisations must now not only comply with the requirements of the GDPR, they must also be able to demonstrate that compliance.
- Implied consent to the use of personal data by organisations will no longer be available, and there will be increased requirements to notify individuals about what data an organisation collects about them, the purposes for which that data is collected and who it might be shared with.
- The maximum fine which can be imposed on companies for data protection breaches will be increased to a maximum of either 2% or 4% of worldwide turnover depending on the type of breach.
- Individuals have increased rights to request organisations to provide or delete data held about them.
- Any company, whether established within an EU member state or not, will be subject to the GDPR if it provides services to EU nationals.
GDPR - Loss Prevention Briefing
The answers have been produced alongside experts from Hill Dickinson, PPT Legal and Mazars.
Additional External Resources
If Members have questions regarding the GDPR they should contact their usual contact at the Club.