Data Protection

On 25 May 2018 the General Data Protection Regulation (GDPR) was enforced across Europe. This is the most significant change we have seen to data protection in over 20 years.

It's important to ask yourself, is my organisation aware of the changes and what can I do to meet the requirements?


Wider scope - territorial and definition of personal data

The GDPR applies to any organisation that is 'established' in the EU and processes personal data. If you are an organisation established outside the EU, you could still be caught if your processing activities relate to: offering goods and/or services to EU residents (even if complimentary), and/or the monitoring of behavior within the EU.


Personal Data - broader definition

The definition of personal data is even wider than it was under the Directive, as it now expressly includes identification numbers, location data and online identifiers such as IP addresses and cookies. Essentially the only data that will fall outside of the definition or personal data is that which is truly anonymised.


Consent - conditions for processing

There are stricter conditions for obtaining consent - it must be freely given, specific, informed, unambiguous, distinguishable and not 'bundled' with other written agreements or statements. It must be as easy to withdraw consent as it is to give and data subjects have the right to withdraw consent at any time.


Increased individual rights

The GDPR provides numerous enhanced rights for individual data subjects. For example, individuals have the right to require information about whether their personal data is being processed and further information such as the purposes of processing and the recipients of the data. Individuals also have the right to object to their personal data being processed for direct marketing.


Direct obligations on data processors

Data processers now have certain direct obligations. For example, they must maintain written records of their processing activities and implement appropriate security standards. They must also carry out routine data protection impact assessments, appoint a Data Protection Officer (DPO), if necessary.


Data Protection Officers

A DPO with expert knowledge of data protection law must be appointed if your organisation is a public authority, carries out large scale systematic monitoring of individuals or large scale processing of sensitive personal data. Each domestic regulator is free to make additional requirements in respect of DPO's, to date the ICO has not commented on any additional DPO requirements.


Breach notification

The GDPR contains the breach notification obligations for the Processor and the Controller and in certain circumstances individual data subjects will also need to be notified of the breach.


Harsher penalties

The maximum fine for the most serious infringements (such as not gaining sufficient consent for processing) is up to 4% of annual global turnover or €20 million (whichever is greater). Administrative failures (such as failing to report breaches) can result in a fine of up to 2% of annual global turnover or €10 million (whichever is greater).

Send us a message