What is the GDPR?
The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.
Can you help me decide what to include in my privacy notice?
The GDPR sets out the information you should supply and when individuals should be informed.
The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
There’s more information in our right to be informed section of the Guide to the GDPR.
Are we a public authority under GDPR?
The Data Protection Act (when passed) will define ‘public authority’ but it is likely that if you are a public authority as defined under the Freedom of Information Act 2000, or Freedom of Information (Scotland) Act 2002, you will be a public authority for the purposes of the GDPR.
Do I need to appoint a data protection officer (DPO)?
Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Any organisation may appoint a DPO voluntarily. Even if the GDPR does not oblige you to appoint one, you must still comply with all its other requirements and ensure your organisation has sufficient staff and skills to discharge its obligations under the GDPR.
Can organisations share a DPO?
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. There is more on appointing a DPO in our section on DPOs and when they need to be appointed in our Guide to the GDPR.
Can the DPO be an existing employee?
The person you appoint as a DPO can be an existing employee, provided the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interest.
What is a conflict of interest in relation to a DPO?
A conflict of interest arises where the DPO's other tasks and duties are incompatible with the DPO role. In particular, the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and means of the processing of personal data. More information on this can be found at questions 9 and 10 of the Article 29 DPO FAQs and in the Article 29 guidelines on DPOs.
What are the legal implications for a DPO?
DPOs are not personally responsible for non-compliance with the GDPR. The GDPR makes it clear that data protection compliance is the responsibility of the controller or processor, who must be able to demonstrate that processing is undertaken in compliance with the GDPR.
What are the rules on security under the GDPR?
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical and organisational measures are used. You can find more guidance in the security section of our Guide to the GDPR.
Can councillors still communicate using their private email accounts and personal devices?
The ICO has produced guidance under the DPA that helps data controllers understand what they need to consider when permitting the use of personal devices to process personal data for which they are responsible. The Bring Your Own Device Guidance is a good place to start.
Is there a toolkit I can use to prepare for GDPR?
As part of your preparations for the GDPR we have created two GDPR checklists – one for data controllers and one for data processors. You can find these checklists in the getting ready for the GDPR section.
What lawful bases of processing should I use?
The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences. You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies. More information can be found in our lawful basis section of our Guide to GDPR.
Do I still need to register under GDPR?
If you needed to register under the Data Protection Act 1998, then you will probably need to register, and pay the relevant fee, under the Data Protection (Charges and Information) Regulations 2018.
The new Regulations will come into force on 25 May 2018. This doesn’t mean that everyone has to re-register and pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act, do not have to re-register or pay the new fee until that registration has expired.
You can find more detail in this blog post.
How will GDPR affect data sharing agreements?
If you have an existing data sharing agreement that complies with the DPA, it is likely to remain valid under the GDPR. However, under the GDPR a data protection impact assessment (DPIA) should be carried out for any new or revised data sharing agreement. DPIA guidance will be available in early 2018.
Also, the GDPR contains explicit provisions about documenting processing activities including maintaining records on data sharing. More information on the documentation requirements can be found in the documentation section of the Guide to GDPR.