General Data Protection Regulation:

CONSENT

There are a number of significant changes to the way that consent is obtained under the GDPR. Consent must now be given by a clear “affirmative action”, meaning that silence, inactivity, opt-out mechanisms and pre-ticked consent boxes will no longer suffice. Consent is only one of the lawful grounds for processing personal data; it is a common misconception that a business always needs consent to use personal data. For example, consent is not required where the business has a legitimate interest in processing the personal data and that interest is not outweighed by the risks to the rights and interests of the individual in question. Consent will most likely be required for direct e-mail and other electronic marketing, unless the contact details were collected during the course of a sale of services and the marketing relates to the same or similar services.

DATA PROCESSORS

Under the GDPR, data processors are subject to direct legal obligations for the first time. “Data processors” are the individuals or organisations that process personal data on your behalf and on your instructions, which may include property managers or reference agencies. That means that anyone who uses or stores personal data on your behalf will also need to comply with certain elements of the GDPR, rather than responsibility resting solely with you as the data controller.

DATA PROCESSING AGREEMENTS

The GDPR sets out certain terms that a data controller (i.e. the organisation that decides why and how personal data is used) must include in its written contracts with third-party service providers, who are most likely to be data processors. These terms include a requirement that the processor acts only on the controller’s documented instructions, the right for the controller to audit the processor’s data protection compliance, and a requirement that the processor has appropriate security measures in place when using and storing the personal data.

DATA BREACH

A data breach can be any loss of, or unauthorised access to, personal data, from a database being hacked by a third party to leaving a work laptop containing personal data on a train. The GDPR introduces formal notification requirements for data breaches. If you discover a breach, you may in certain circumstances need to notify the Information Commissioner’s Office (the ICO, which regulates data protection in the UK) and, in some cases, the affected individuals themselves. Whether you need to notify the ICO or the individuals will ultimately depend on the risk that the breach poses to the individuals concerned: the ICO must be notified, where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals, and the individuals themselves must be told without undue delay where the breach is likely to result in a high risk to them. Breaches involving sensitive data or large volumes of data are therefore more likely to require notification, and you should keep a record of every breach, including those you decide not to report.

FINES

It has been well-documented that the fines under the GDPR are much higher than they have been previously. Under the GDPR, the ICO will be able to levy fines of up to €20m or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements. By comparison, the ICO can currently only fine up to £500,000 for data protection non-compliance.