Structure and governance
The GDPR changes
- The legislation is now technology neutral, so it applies to personal data held in any format, whether paper or electronic: in files, on laptops, phones and cameras, on video tapes, in audio recordings, and so on
- The definition of Personal Data has changed to include location data and online identifiers
- The definition of Sensitive Personal Data has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual
- The term Sensitive Personal Data itself changes to Sensitive Category Data (SCD)
- Data subject rights are now extended and improved
- There is a new requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and sensitive personal data, and for this to be made clear at all times
- A compulsory data breach notification has been introduced
- There are increased fines for data and notification breaches
- There is a greater requirement for transparency and accountability
- Those processing data now have greater responsibility for effective data processing
How the GDPR affects you
The GDPR shouldn't affect you very much. But you may notice, when your data is requested, that you get a clearer picture of how, where, why and for how long your personal data is being processed, who will see it, and how it will eventually be deleted. It's a good thing for individuals – whose data is now better protected than ever – and for organisations like us, as secure, high-quality data is vital to the work we do.
The lawful bases for processing personal data under the GDPR
Whenever processing personal data, we have to have a lawful basis for the processing. Under the GDPR these will be:
How the definition of 'consent' has changed
The GDPR requires consent to be ‘specific, explicit, informed and freely given’. For the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of the form.
Similarly, for the consent to be ‘explicit’ the individual must sign/agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they agree/sign once to agree to be part of the research and then sign/agree a second time to the actual data processing that's involved. This consent must be retained for as long as the data to which it refers is held.
The final element of consent – that it is ‘freely given’ – may be the hardest to achieve. If there's any element of the processing of the personal data that cannot be started, or continue without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.
What ‘privacy by design’ means
‘Privacy by design’ is another term for ‘data protection by design’, and refers to the action of determining the minimum personal data required to carry out the necessary processing. By processing only the minimum personal data required, we're maintaining an individual’s privacy (protecting data).
What the new 'data subject rights' mean
The GDPR builds on the data subject rights in the Data Protection Act. These are:
- the right to be informed via Fair Processing Notices
- the right of access – known as Subject Access Requests
- the right to rectification of data
- the right to be forgotten (new under the GDPR)
- the right to restrict processing
- the right to data portability (new under the GDPR)
- the right to object to processing
- rights in relation to automated decision making and profiling
The right of data portability is only available where the personal data is processed with the consent of the data subject, not where the personal data has been collected using any of the other legal bases for processing.
More information about the GDPR
You can find more information about the GDPR: