The General Data Protection Regulation (GDPR) is the new EU-wide law that comes into force from 25 May 2016. As this is a piece of EU legislation, there is now uncertainty about whether the regulation will be adopted in the UK, or whether the UK government will produce its own version.
But even if the regulation is ignored by UK authorities, all British companies that trade with EU countries must abide by the legislation. So what is the General Data Protection Regulation (GDPR) – and what impact will it have on UK organisations?
GDPR in a nutshell
The GDPR has been created by the European Commission to strengthen data protection for individuals within the EU. A key aim is to give citizens control of their personal data and to simplify the regulations for international businesses. The new regulation replaces the data protection directive (95/46/EC) and was adopted on 27 April 2016, entering application on 25 May 2018.
The GDPR applies to both controllers and processors of data. Controllers are organisations that determine how and why personal data is processed; the processor acts under the controller's guidance.
Data protection rights for individuals
Individuals' rights have been expanded under the GDPR. Key rights for individuals include:
- Right to be informed – of how their data will be processed and used
- Right of access – to their personal data
- Right of rectification – if data is incomplete or incorrect
- Right to erasure – also known as the right to be forgotten
- Right to restrict processing – gives people to the right to block processing of their data
- Right to data portability – people can move, copy or transfer the data
- Right to object – to their personal data being processed
- Rights related to automated decision making and profiling – gives people the right to not be subject to a decision based on automated decision making (i.e. not involving human intervention)
Obligations for data controllers and processors
GDPR also expands protections for individuals by increasing the requirements for organisations that control and process personal data:
Accountability and governance – "You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances." – Information Commissioner's Office
Breach notification – under GDPR, organisations will be obliged to notify relevant authorities of certain types of data breaches.
Transfer of data – GDPR includes a restriction on the transfer of personal data to countries outside the EU. This ensures that the protection of the GDPR is not undermined.
Is your organisation prepared to meet the requirements of GDPR, and do your employees understand the implications of the new legislation? Will the new rules create new work for your organisation – or will you be able to meet the new standards with ease?
You can find out by taking our FREE GDPR online training course. This GDPR eLearning module provides answers to questions including:
- What does the GDPR mean for you?
- How does it apply to the UK post Brexit?
- Will the DPA change?
- What will you need to do differently?
You can access our GDPR eLearning Courses here