
October 17, 2017


GDPR is thought to be the biggest change to data protection in 20 years and brings in legislation that is better suited to modern (and digital) methods of data collection and the treatment of that data. It will replace the Data Protection Directive 95/46/EC and will bring more clarity and consistency between data privacy laws across Europe. It was approved by the EU in April 2016 and comes into effect on 25 May 2018, with the main parties defined as 'data controllers' and 'data processors'. Any business that fails to comply with it will be subject to large penalties.

There are several key facts about GDPR that organisations should know:

It will apply extra-territorially: Under the GDPR, even non-EU organisations that do business in the EU involving any kind of personal data from EU data subjects will have to comply with these laws. In addition, data controllers or data processors processing the personal data of EU data subjects will have to comply even if they are not established in the EU, where the activities concern providing goods/services to EU citizens or monitoring behaviour within the EU. The GDPR means that if a non-EU organisation is processing the data of EU citizens, it will be required to appoint a representative in the EU.

Consent: The new legislation introduces stricter conditions surrounding the consent given by data subjects for the processing of their personal data, and the data controller must now be able to prove that consent is freely given, specific, informed, and given by a statement or affirmative action (e.g. actively ticking a box) of the data subject. If personal data from a child under the age of 16 is to be collected or processed, then consent from the child's parent is required. This will require businesses to provide evidence of the procedures and policies used when obtaining consent, copies of compliant consent forms, and policies explaining what the personal data can be used for under the consent given. Additionally, data subjects must be able to easily withdraw their consent if they wish, meaning data controllers are required to have policies in place on how to respond to such a request.

Breach notification: The GDPR requires a data controller to report a data breach to their supervisory authority within 72 hours of becoming aware of it, unless it does not pose a risk to the rights or freedoms of the individuals. It is also a requirement that the customers of the organisation are notified "without undue delay" if harm could be caused as a result of the breach. This may require the data controller to provide documentation, such as a security breach response plan, a named response team, or a template letter for breach notification, to show they are in compliance with the GDPR.

Data subject rights: The new legislation gives data subjects more rights than previously, meaning that data controllers have to provide data subjects with a privacy notice about the processing activities and confirmation of whether their personal data is being processed. Data subjects also have the right to restrict the processing of their personal data and to receive a copy of the personal data that the data controller holds. Please note, this list is not exhaustive.

Processing sensitive personal data: The GDPR prohibits the processing of sensitive categories of personal data unless there is a lawful justification, and therefore data controllers will be required to produce documentation specifying their policies/procedures regarding sensitive data collection and processing, compliant consent forms, etc.

Compliance and accountability: The GDPR also requires that data controllers are accountable and can demonstrate, to the supervisory authority and to individuals, their compliance with the new regulations. Evidence required to show this compliance could include internal policies and compliance measures, codes of conduct and certificates. In order to supply this evidence, the data controller will need to apply a data protection compliance programme, maintain documentation of the privacy measures implemented, embed privacy measures and train employees. This compliance programme could require data controllers to appoint an EU representative (if the data controller is not established in the EU) and a Data Protection Officer (DPO). The GDPR requires data controllers to appoint a DPO if the processing is being conducted by a public body, if the main activities of the data controller/data processor are processing operations on a large scale, or if there is processing of certain types of personal data or criminal convictions/offences data.

Data controllers will also be required to provide documentation to prove that they are processing lawfully; these documents could include the procedures carried out to obtain the data subject's consent under the GDPR or a record showing the lawful basis for the processing of the data. They will also need to record all their processing activities and make this record available to the supervisory authority if required. Data controllers/data processors that transfer personal data outside of the EU also have to comply with certain GDPR requirements and provide documentation supporting this compliance, e.g. a data inventory of processing activities identifying cross-border data transfers. In short, there is a wide range of documentation that could be required to show compliance.

Penalties: Additionally, the GDPR imposes greater penalties on those found in breach of it, with fines of up to 4% of annual global turnover or €20m (whichever is greater) for serious infringements.

This article was first published on Business Wales on 16 October 2017.
