The GDPR was approved and adopted by the EU Parliament in April 2016 and comes into force in May 2018, but there are still many GDPR questions that need answering. The FAQs in this section will be updated frequently, so please check back if you have any GDPR questions.
- The GDPR sets a high standard for consent.
- Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.
- Check your consent practices and your existing consents. Refresh consents if they don’t meet the GDPR standard.
- Consent means offering individuals genuine choice and control.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and granular. Vague or blanket consent is not enough.
- Be clear and concise.
- Name any third party controllers who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent a precondition of a service.
- Public authorities and employers will find using consent difficult.
- Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.
‘controllers’ and ‘processors’
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
Sensitive Personal Data
The GDPR refers to sensitive personal data as “special categories of personal data”.
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Many of the fundamentals remain the same and have been known about for a long time. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process – these are all things you should already be doing with data and GDPR seeks only to build on those principles.
Visit the ICO website to answer some online questions and find out if you are on the way to being GDPR ready.
Administrative fines can amount to a maximum of 20 million euros or 4% of global turnover, whichever is the greater value. The ICO could also impose fines of up to £500,000. These fines may be imposed on both the controller and the processor. However, warnings would be issued before this happens, and the amount of the actual fine will depend on the nature of the situation.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
A hospital could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls.
When the GDPR comes into force next year, the UK is still likely to be in the EU. The GDPR is an EU regulation, and while the UK is a member of the EU and the above legislation is in force, the GDPR will automatically come into force in the UK. This will not be affected by the UK giving notice to leave the EU, whether it does so before or after 25 May 2018.
At a glance
- The GDPR contains new provisions intended to enhance the protection of children’s personal data.
- Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.
If you offer an ‘information society service’ (i.e. an online service) to children, you may need to obtain consent from a parent or guardian to process the child’s data.
The GDPR states that, if consent is your basis for processing the child’s personal data, a child under the age of 16 cannot give that consent themselves; instead, consent is required from a person holding ‘parental responsibility’. Note, however, that the GDPR permits member states to provide for a lower age in law, as long as it is not below 13.