What is GDPR?
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 and places greater obligations on organisations as to how they handle personal data.
GDPR replaces the previous EU Data Protection Directive, which was transposed into UK law by the Data Protection Act 1998 (DPA 1998). The Data Protection Act 2018 came into force on the same day and supplements GDPR.
What information does GDPR apply to?
GDPR applies to ‘personal data’ which is any information relating to an identified or identifiable natural person, also known as the ‘data subject’.
The definition of ‘personal data’ under GDPR has been expanded and includes:
What does this mean for my practice?
GDPR is principles based (Article 5 GDPR) and takes a risk-based approach to data protection. This enables practices to decide what steps are appropriate and proportionate for them to comply with GDPR.
Practices that already comply with the DPA 1998 and that have effective data governance in place have a good starting point when preparing for GDPR. However, new elements have been introduced by GDPR and there are some significant changes that practices should be aware of.
What are the key changes?
What resources are available?
GDPR is principles based and takes a risk-based approach to data protection. This allows practices to decide for themselves what steps are appropriate and proportionate to comply with GDPR, meaning that the approach a large practice needs to take to get ready for GDPR is likely to differ from the approach smaller firms and sole practitioners need to take.
The ICO has produced a Guide to GDPR which will be regularly updated along with a package of tools to help organisations prepare for GDPR:
Practices should be able to demonstrate compliance with GDPR and may consider documenting i) what personal data the practice holds, ii) where it came from, and iii) who it is shared with. An information audit should help to achieve this.
Other ways of demonstrating compliance may be through a data protection policy, a data breach notification procedure, data protection impact assessments and consent forms. The scale of the policies and processes should be appropriate to the size and complexity of the practice.
What information should be included in a privacy notice?
GDPR includes a more detailed list of information that must be provided to an individual than the DPA 1998. The most common way to provide the information is through a privacy notice.
The ICO has produced guidance on privacy notices and what information should be included.
What is a data protection officer (DPO) and does my practice need to appoint one?
The DPO’s tasks may include:
GDPR requires the data controller to appoint a DPO where:
Whilst it is unlikely that the majority of CLC-regulated practices fall under these criteria, practices may still wish to appoint a DPO.
The ICO has produced guidance on DPOs and when they need to be appointed.
What are the lawful grounds for processing data?
Article 6(1) GDPR sets out the lawful grounds for processing data, in other words, the reason for collecting the data. The lawful grounds are:
Personal data can only be collected for ‘specified, explicit and legitimate purposes’; therefore, data gathered for one purpose cannot then be used for something else unless consent is obtained from the data subject or there is a legitimate purpose to do so.
Practices should be able to demonstrate how decisions about lawful grounds for processing have been reached and may consider documenting their decisions.
What should I do if I discover a personal data breach?
Any personal data breach that could impact an individual or cause harm must be reported to the ICO without undue delay, and no later than 72 hours after detection. If the breach is likely to result in a high risk of adversely affecting individuals’ rights, practices must also inform those individuals without undue delay.
Records of any personal data breaches should be kept whether or not they are reported to the ICO and/or the individual.
The ICO has produced guidance on personal data breaches.
How does GDPR impact file storage?
Under GDPR, personal data must not be kept for longer than is necessary for the purposes for which it was processed. However, personal data stored for legitimate reasons under existing legislation, for example the Limitation Act 1980 or the Money Laundering Regulations 2017, can be stored and processed under the lawful ground of compliance with a legal obligation.
As stated in the CLC Transaction Files Code, practices should retain the contents of files relating to all matters for a minimum of six years, except those relating to:
Practices should review their file storage policies and the legal and regulatory reasons for retaining personal data for specified periods of time.
Do I need to pay a fee?
The Government has announced a new charging structure for data controllers which is yet to be approved by Parliament. The ICO has produced a Guide to the Data Protection Fee to help explain the new funding model and what payments are required.
If your practice is currently registered under the DPA 1998, you will not need to pay the new fee until your current registration expires.
What is the Data Protection Act 2018 and how does it relate to GDPR?
The Data Protection Act 2018 (the Act) came into effect on 25 May 2018 and replaces the DPA 1998. The Act updates data protection laws in the UK by supplementing GDPR. It also implements the EU Law Enforcement Directive and extends data protection laws to areas not covered by GDPR.
More information can be found on the ICO website: Data Protection Bill.
Will Brexit impact GDPR?
No. GDPR comes into effect before the UK leaves the EU, and the UK government has committed to fully implementing it.