GDPR: Changes to the way we handle data
Structure and governance
The General Data Protection Regulation (GDPR) is a set of regulations from the European Union dealing with the processing of personal data and the movement of that data. These regulations have now been incorporated into United Kingdom law, as The European Data Protection Regulation, on 25 May 2018.
Since then we have seen that failure to comply with these regulations can result in very large financial penalties for organisations and individuals involved in the data processing. The new regulations will remain in effect when the U.K. leaves the E.U.
A Summary of GDPR changes
Here are some of the key changes:
- The regulations now apply to personal data held in any format, whether paper or electronic (e.g. held in files, on laptops, phones, cameras, video tapes, audio recordings).
- The definition of Personal Data has changed to include location data and online identifiers.
- The term Sensitive Personal Data has changed to Special Category Data (SCD). This category has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual.
- Data subjects now have extended and improved rights.
- There is a new requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and sensitive personal data, and for this to be made clear at all times.
- A compulsory data breach notification has been introduced.
- There are increased fines for data and notification breaches.
- There is a greater requirement for transparency and accountability.
- There is now a greater responsibility on data processors for effective data processing.
How the GDPR affects you
If you request your data, you can get a clearer picture of how, where, why and for how long your personal data is being processed, who will see it, and how it will eventually be deleted. It is a good thing for individuals, whose data is now better protected than ever.
The principles of processing personal data
Whenever processing personal data, there has to be a lawful basis for the processing. Under the GDPR these will be:
- that the data subject has given their consent to this processing
- that the processing is necessary for the performance of a contract involving the data subject
- that the processing is necessary for compliance, by the data controller, with a legal obligation
- that the processing is necessary to protect the vital interests of the data subject or another living individual
- that the processing is necessary for the performance of a task carried out in the public interest of the data controller
- that the processing is necessary for the legitimate interests of the data controller
What the new 'data subject rights' mean
The GDPR builds on the data subject rights established in the Data Protection Act, 1998. These are:
- The right to be informed via fair processing notices
- The right of access – known as subject access requests
- The right to rectification of data
- The right to be forgotten (new under the GDPR)
- The right to restrict processing
- The limited right to data portability (new under the GDPR)
- The right to object to processing
- Rights in relation to automated decision making and profiling
How the definition of 'consent' has changed
The GDPR requires consent to be ‘specific, explicit, informed and freely given’.
For the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of the form.
Similarly, for the consent to be ‘explicit’ the individual must sign/agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they agree/sign once to agree to be part of the research and then sign/agree a second time to the actual data processing that's involved. This consent must be retained for as long as the data to which it refers is held.
The final element of consent – that it is ‘freely given’ – may be the hardest to achieve. If there's any element of the processing of the personal data that cannot be started, or continue, without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.
Personal data is any information that can identify a living person either by itself (e.g. a person's name), or when linked with other information (e.g. an address plus a name) and includes unique reference numbers, location data and online identifiers.
Special Category Data
The GDPR defines some personal data as 'special category data'. Special category data must be processed more securely than other data collected, with respect to the purposes for which it is collected and who will have access to that information.
Special category data is defined in the legislation as data referring to:
- the racial or ethnic origin of the data subject,
- his/her political opinions,
- his/her religious or philosophical beliefs,
- membership of a trade union,
- genetic or biometric data for the purpose of uniquely identifying an individual,
- his/her health,
- his/her sexual life or sexual orientation,
- criminal convictions and offences.
'Processing' is the inclusive term given to the collection, recording, organisation, use, storage, adaptation or alteration, retrieval, disclosure, restriction and ultimate destruction of any personal data.
A data subject is the individual to whom the information relates.
The data controller is the organisation that processes the personal data.
A data processor is a third party that processes personal data on behalf of the data controller, but responsibility for that processing remains with the data controller.
Subject Access Request
Anyone can make a request to find out what information is held about them. This is known as a Subject Access Request.
What ‘privacy by design’ means
‘Privacy by design’ is another term for ‘data protection by design’, and refers to the action of determining the minimum personal data required to carry out the necessary processing. By processing only the minimum personal data required, we're maintaining an individual’s privacy (protecting data).
What is a Privacy Impact Assessment (PIA)
A Privacy Impact Assessment, also known as a Data Protection Impact Assessment, is a form of (risk) assessment that identifies whether the proposed processing of data might have an adverse impact on the privacy of the individual(s) whose data is being processed and if so, the steps that can be taken to remove or minimise the risk to the individual.
The GDPR requires that an Impact Assessment should be carried out whenever new technologies for processing are to be used, where automated processing is involved, where there is a high risk to privacy involved in the processing, where profiling takes place, and where large amounts of sensitive personal data are being processed.
More information about the GDPR
You can find more information about the GDPR: