The new General Data Protection Regulations (GDPR) are due to take effect from March 2018 and will replace and enhance the existing Data Protection Act. The current Act sets out 8 principles of data protection including that data must be processed lawfully and fairly.
The GDPR is a response to a changed technological environment: the ways in which data is processed and transferred have moved on since the original legislation came into effect.
New rights for individuals include:
Express Consent – the right to give permission, for example, to transfer personal data to another party, although legitimate interest can still be an alternative to consent (i.e. when an individual takes up the legitimate services of a company or organisation).
Withdraw Consent – individuals have the right to withdraw consent at any time.
Rectification – individuals will have the right to have incorrect details about them corrected (including details that have been transferred to third party organisations).
Erasure – the right to have personal details removed, also known as the ‘right to be forgotten’. N.B. There are exceptions to this, including, for example, payroll records, health & safety records, etc.
Data Portability – the right to bring personal data from one data controller to another.
There will be increased responsibilities for companies, including more specific requirements around obtaining consent to process a person’s data and appointing a data protection officer where the volume or complexity of data dictates.
Individuals will also have the right to make a subject access request (SAR) to see what data is held on them. In normal circumstances this can no longer be charged for, and it must be complied with within the reduced time frame of one month (previously 40 days).
Companies will be liable for data breaches resulting from misuse by any third party handling their information, so companies will need to gain express consent when they wish to transfer data to another organisation, for example, outsourced payroll functions. In addition, companies will have to demonstrate accountability by having processes in place to: a) inform individuals of their rights; b) manage requests to withdraw consent; and c) rectify/delete data when requested. Any data breaches will also have to be reported to the Information Commissioner’s Office within 72 hours. Breaches will attract appropriate administrative fines, which for serious breaches could be up to 20 million Euros or 4% of turnover.
Please note that articles appearing on this website are for advisory purposes only and should not be relied upon as a legal basis.