General Data Protection Regulation
What is it
A fundamental review of data privacy law was long overdue to address the challenge of protecting the privacy rights of individuals in the digital age.
As a result of this review, the final text of the General Data Protection Regulation (GDPR) was agreed by the European Council, Parliament and Commission in December 2015 and formally adopted in April 2016. It replaces the data protection legislation in all member states – in the UK, the Data Protection Act 1998.
When did it come into force
- The GDPR came into force on 25 May 2018
- We had to continue to comply with the Data Protection Act 1998 (DPA) until then
- The Data Protection Act 2018 came into force on the same day; it supplements the GDPR in the UK and is intended to keep the same standards in place once Brexit is complete
The Key Differences
- Wider territorial scope and a broader definition of ‘Personal Data’
- The existing principles condensed into 6, with 1 additional principle on accountability and governance
- Maintaining evidence of compliance, including an information asset register and more detailed privacy notices (but no annual notification to the ICO)
- Privacy by design and by default
- More data subject rights
- Legal requirements extended to 3rd party suppliers (Data Processors)
- Tougher sanctions (fines running to millions of euros)
- Compulsory breach notifications
- Data Protection Impact Assessments (DPIAs), previously known as Privacy Impact Assessments (PIAs)
- Appointment of a Data Protection Officer – mandatory for all public bodies and some other organisations
Key Legislative Changes – Privacy Notice
Current DPA
Fair processing notices must include -
- Who you are
- What you are going to do with their information
- Who it will be shared with
- Plus anything else needed to make the processing fair
For GDPR compliance, privacy notices must also include:
- The legal basis for the processing
- Contact details of the data protection officer
- Automated decision making, including profiling
- The right to withdraw consent at any time
- Whether provision of the personal data is a statutory or contractual requirement
- The right to data portability where applicable
- Transfers of personal data overseas
Key Legislative Changes – Security
DPA
The DPA states that organisations must apply appropriate technical and organisational security measures.
GDPR
Article 32 of the GDPR requires that, taking into account the state of the art and the risks to individuals, consideration is given to:
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services;
- Pseudonymisation and encryption of personal data;
- The ability to restore the availability and access to personal data in a timely manner;
- A process for regularly testing, assessing and evaluating all security measures
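Pseudonymisation is listed above as a security measure but the briefing does not say how it is done. The following is an added example (not part of the council's material) showing keyed pseudonymisation of a direct identifier with HMAC-SHA256, the re-identification lookup that the GDPR's definition of pseudonymisation (Article 4(5)) requires to be kept separately, and the failure mode of using a bare hash instead: when the identifier space is small or guessable, an attacker recovers the identifier by hashing every candidate. The National Insurance numbers, the key and the candidate list are all constructed for the demonstration.

```python
"""Keyed pseudonymisation of personal identifiers (added example).

Not council code. Demonstrates why a pseudonym should be derived with a
secret key (HMAC) rather than a plain hash, and why the key and the
lookup table must be held apart from the pseudonymised data set.
All identifiers, records and keys below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records: ni_number is the direct identifier we want
# out of the analytics copy while keeping records for one person linkable.
RECORDS = [
    {"ni_number": "AB123456C", "postcode_area": "CO15", "service": "housing"},
    {"ni_number": "AB123456C", "postcode_area": "CO15", "service": "benefits"},
    {"ni_number": "QQ999999A", "postcode_area": "CO16", "service": "housing"},
]

# Generated fresh for the demo; in practice this lives in a key store,
# not beside the data it protects.
DEMO_KEY = secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Return a stable pseudonym for `identifier` under a secret key.

    HMAC-SHA256 gives the same output for the same input (records stay
    linkable) but cannot be recomputed by anyone without the key.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(
    records: Iterable[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Replace ni_number in each record with its pseudonym.

    Returns the pseudonymised copy and the lookup table mapping each
    pseudonym back to the original identifier. That table is the
    'additional information' of Article 4(5): it must be stored
    separately and protected, never alongside the output records.
    """
    lookup: Dict[str, str] = {}
    out: List[Dict[str, str]] = []
    for rec in records:
        pid = pseudonymise(rec["ni_number"], key)
        lookup[pid] = rec["ni_number"]
        new = {k: v for k, v in rec.items() if k != "ni_number"}
        new["pseudonym"] = pid
        out.append(new)
    return out, lookup


def reidentify(pseudonym: str, lookup: Dict[str, str]) -> Optional[str]:
    """Authorised re-identification: only possible with the separately
    held lookup table (or the key), which is the point of the design."""
    return lookup.get(pseudonym)


def enumeration_attack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker's view of a pseudonym produced with an unkeyed hash:
    hash every plausible identifier and return the one that matches.
    Works against plain SHA-256 whenever the identifier space can be
    enumerated; fails against an HMAC output because the attacker
    cannot reproduce the keyed function.
    """
    for cand in candidates:
        if hashlib.sha256(cand.encode("utf-8")).hexdigest() == target:
            return cand
    return None


# Constructed candidate list standing in for an enumerable identifier space.
CANDIDATES = ["ZZ000000Z", "QQ999999A", "AB123456C"]


def demo() -> Dict[str, object]:
    """Run the comparison and return the results for inspection."""
    records, lookup = pseudonymise_records(RECORDS, DEMO_KEY)
    bare = hashlib.sha256(b"AB123456C").hexdigest()
    keyed = pseudonymise("AB123456C", DEMO_KEY)
    return {
        "records": records,
        "recovered_from_bare_hash": enumeration_attack(bare, CANDIDATES),
        "recovered_from_hmac": enumeration_attack(keyed, CANDIDATES),
        "authorised_reidentification": reidentify(records[0]["pseudonym"], lookup),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that pseudonymised data is still personal data under the GDPR (Recital 26), so it remains within scope of the security and breach obligations described on this page; the measure reduces the impact of a leak of the analytics copy, it does not take the data outside the regulation.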
Key Legislative Changes – Data Subject Rights
- The right to restrict processing
- The right to data portability
- Rights in relation to profiling
- Right to rectification
- Right to erasure
- Disclosure without undue delay and within one month (roughly 20 working days), rather than the DPA's 40 calendar days
- Up to two further months can be claimed for complex or numerous Subject Access Requests (SARs), but the requester must be told, with reasons, within the first month
- No fee can be charged for a Subject Access Request (SAR)
- For ‘manifestly unfounded’ or excessive requests, particularly where they are repetitive, we may either:
  - refuse the request and explain why, or
  - charge a reasonable fee for the SAR
- Requesters no longer have to say where their data may be held (i.e. tell us which services they have received)
Key Legislative Changes – Outsourcing/Contracts
- Data Processors (i.e. 3rd party contractors) now have specific legal obligations to maintain their own records of personal data and processing activities.
- Where we can show that a breach resulted from a processor acting outside our documented instructions, the processor can be held directly liable for the breach and any resulting fine.
- All contracts had to be reviewed before 25 May 2018 to ensure their provisions meet GDPR requirements (the mandatory processor clauses are set out in Article 28).
Key Legislative Changes – Breaches
A personal data breach must be reported to the ICO within 72 hours of our becoming aware of it, unless it is unlikely to result in a risk to individuals. Where the breach is likely to result in a ‘high risk’ to individuals, the affected data subjects must also be told without undue delay. Failing to notify is itself an infringement and can attract a fine of up to €10 million.
Administrative fines fall into two tiers, each set at whichever of the two limits is higher.
Lower tier (for example failures of security, breach notification, record-keeping or DPO obligations):
- up to €10,000,000 (around £9.2 million)
- up to 2% of total worldwide annual turnover for the preceding financial year
Higher tier (for example infringements of the processing principles, data subject rights or the rules on overseas transfers):
- up to €20,000,000 (around £18.5 million)
- up to 4% of total worldwide annual turnover for the preceding financial year (in the case of an undertaking)
Our preparation activities included
- Conducting a gap analysis
- Creating a work plan for GDPR readiness
- Formation of a working group for the implementation of GDPR with a senior group for oversight
- Ensuring all staff are aware of the change in legislation and of its implications (training programme)
- Appointing a Data Protection Officer
- A project to collate our Records of Processing Activity
For any queries or questions please contact Judy Barker (Jbarker@tendringdc.gov.uk)