General Data Protection Regulation (EU 2016/679)

1 General Data Protection Regulation (EU 2016/679)
Philippa Doyle, Associate
22 June 2017

2 Overview
- What is the GDPR?
- How will it affect me / my organisation?
- What do I need to do?
- What about Brexit?

3 What is the GDPR?
- Replaces the current European data protection directive (Directive 95/46/EC)
- Implements a single data protection law across the EU
- As it is a Regulation, it has direct effect in the UK without national implementing legislation
- Greater and more prescriptive obligations on those that process personal data
- Serious consequences for non-compliance

4 How will the GDPR affect me / my organisation?
- In many ways, not at all, because you are unlikely to be trading with or operating in other EU member states
- In other respects, lots of changes to take on board and implement:
- Sensitive personal data becomes "special categories of personal data"
- Introduces the concept of joint data controllers
- Removes the ability to charge for a subject access request

5 How will the GDPR affect me / my organisation? Cont.
- No general notification requirement
- Not enough to comply with the GDPR: you must be able to demonstrate compliance (the "Accountability Principle", detailed later)
- Greater clarity on the consent required
- Public authorities can no longer rely on legitimate interests for processing carried out in the performance of their tasks
- Enforcement, including fines, audits, orders to comply and bans on processing

6 What do I need to do?
Review:
- Consent forms
- Policies
- Procedures
- Training
Appoint a Data Protection Officer

7 Accountability Principles
Must be able to demonstrate compliance with the following. Personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
- Adequate, relevant and limited to what is necessary
- Accurate (every reasonable step must be taken to rectify or erase inaccurate data without delay)
- Kept in a form which permits identification of data subjects for no longer than is necessary
- Kept secure

8 Accountability Principles cont.
Consent
- Consent must be a freely given, specific, informed and unambiguous indication of the individual's wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data
- Consent to process special categories of personal data (sensitive personal data) must be explicit
- Needs to be intelligible (plain, clear drafting)
- Silence, pre-ticked boxes or inactivity do not amount to consent

9 Accountability Principles cont.
- New principle: requires you to be responsible for, and able to demonstrate compliance with, the data protection principles
- Means keeping detailed records that may need to be presented to the regulator on request
- Means building evidence of compliance with the data protection principles into your processes
- Means implementing appropriate technical and organisational measures to ensure and demonstrate compliance: policies and procedures

10 Written records to demonstrate compliance
Written records of processing activity must be kept, including:
- The purposes of processing
- A description of the data subjects and personal data
- The categories of recipients
- Details of transfers outside the EEA
- The envisaged retention periods
- A description of security measures
Remember you hold two types of records:
- Staff files
- Patient files

11 Data Protection Officer
Do I really need one? Yes, but not necessarily an employed member of staff: you could engage the services of a specialist to support your organisation, or share one between providers.
Needed where:
- The controller or processor is a public authority or body;
- Core activities involve regular and systematic monitoring of individuals on a large scale; or
- Core activities consist of processing special categories of data on a large scale

12 Data Protection Officer cont.
What is their role?
- Must be designated on the basis of professional qualities and expert knowledge of data protection law and practice
- Must report directly to the highest management level in the organisation
Tasks:
- Inform and advise
- Monitor compliance

13 Data Subject Rights
- Information and communications must be concise, transparent, intelligible, easily accessible and in clear and plain language
- Rights are exercised free of charge unless requests are manifestly unfounded or excessive
- Information must be provided promptly and generally within one month
- Review and update data retention policies

14 Breaches
Two tiers of fines:
- Up to 2% of total worldwide annual turnover or €10,000,000 (whichever is higher)
- Up to 4% of total worldwide annual turnover or €20,000,000 (whichever is higher)
Rights of audit, orders to comply and bans on processing
Rights of compensation for data subjects

15 What about Brexit?
- GDPR applies from 25 May 2018
- The UK will still be a member of the EU, therefore the GDPR will apply
- The ICO will be represented on the European Data Protection Board (EDPB)
- Once we leave the EU, we will need to implement the GDPR into national law; the government will review
- Hopefully we will still get a seat at the EDPB

16 In summary...
- GDPR will apply from 25 May 2018 and is likely to continue to apply in the same or a very similar format post Brexit
- Start preparing now:
  - Identify a Data Protection Officer
  - Review policies, procedures, governance structures and training
  - Audit and document data processing activities
  - Review consent forms
  - Secure a copy of the ICO guidance

17 Any questions?
Philippa Doyle, Associate
E: p.doyle@hempsons.co.uk
