Guide to the General Data Protection Regulation 2018 (GDPR)

What is the GDPR?

EU Directive 95/46/EC of the European Parliament was adopted in 1995 and stipulated that each EU member state must develop and implement its own law to meet the EU standards for handling and processing personal data. Accordingly, the UK enacted the Data Protection Act 1998 (DPA) to ensure that British law complied with the 1995 directive. In January 2012, however, the European Commission proposed the General Data Protection Regulation (GDPR), which would apply to all EU member states and provide consistency and standardisation in the processing and use of personal data. This proposal was formally approved by the European Parliament in April 2016. Because it is a regulation rather than a directive, it will supersede existing national data protection laws. The GDPR imposes stricter penalties and has broader definitions, and it comes into effect in the UK on the 25th May 2018. The UK government has already confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR, meaning all firms that currently have obligations under the DPA will need to comply with the GDPR.

GDPR Definitions

The General Data Protection Regulation (GDPR) has a lot of similarities with the UK’s current Data Protection Act and so firms will not necessarily need to start again when devising and implementing policies, procedures and measures. However, there are of course also new and different regulations that will need to be addressed.

Personal Data

Under the current DPA, personal data is defined as: –
Data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The GDPR definition of personal data is somewhat broader but also more specific: –
Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data

The current DPA defines sensitive personal data as: –
Personal data consisting of information as to the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life, the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Whereas the GDPR replaces the term sensitive personal data with ‘special categories of personal data’ and advises: –
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies.
Although criminal convictions, offences and court proceedings are not specifically named in the GDPR definition of special categories of personal data, they are referred to in Article 10. There, the regulations advise that processing shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects, and that any comprehensive register of criminal convictions shall be kept only under the control of official authority.

GDPR Principles

The 8 Data Protection Principles are highly recognised among firms who have obligations under the DPA and whilst the GDPR Principles differ slightly, their meaning and interpretation are not dissimilar. To see each Principle in its entirety, visit the ICO website for the current DPA Principles and/or navigate to Article 5 of the new regulations for the GDPR Principles.

Fail to Prepare – Prepare to Fail

Whilst May 2018 may seem a long way off, those firms who have gone through the FCA authorisation process and encountered the new FCA regulations will know that you can never start preparing too early! The GDPR will apply to all ‘controllers’ and ‘processors’. Whilst the definitions of each are generally the same as under the current UK DPA, there are some specific legal obligations that will apply to both, along with new compliance areas that firms must develop, implement and evidence. Our team will be publishing a number of articles over the coming months regarding the GDPR, helping firms to understand the new regulations, their obligations and preparation guidance. Our next article will look more in-depth at areas of the GDPR that must be complied with, including: –
  • Lawfulness of Processing Conditions
  • Conditions for Special Categories
  • The Right to Rectification
  • The Right to Erasure
  • Sanctions, Penalties and Compensation