GDPR refers to the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The Regulation repeals Directive 95/46/EC, so the domestic data protection legislation currently in force in the UK, Jersey and Guernsey (and in other EU member states and in countries holding "adequacy" status) has to be replaced or updated by new data protection laws that give effect to the GDPR provisions.
GDPR applies from 25 May 2018.
What is GDPR?
GDPR is one of the three core data protection laws in the EU. The EU is strengthening the laws around data protection and updating them for the new digital age.
The new data protection "package" consists of (a) the GDPR, (b) the Law Enforcement Directive, Directive (EU) 2016/680, and (c) the proposed e-Privacy Regulation (replacing the current e-Privacy Directive), which is still being negotiated.
Why is GDPR needed?
With the rapid development of new technology (e.g. internet, biometrics, artificial intelligence) over the last few years and the fast growth in digital and on-line services, citizens are sharing and publishing personal data at a rate not seen before.
Social media platforms like Facebook and Instagram, as well as more integrated and automated business applications, have resulted in a huge increase in personal data being shared with and held by organisations. Transfers of this data between countries and continents are also happening on an unprecedented scale.
Cyber security threats such as hacking, malware, viruses and Trojan horses have led to many significant breaches of customers' personal information (e.g. Equifax, TalkTalk), putting people's security (data, financial and physical) at risk.
Stronger data protection, security laws and information handling protocols are now required to address these increased risks.
The Scope of GDPR
GDPR applies to any "Data Controller" (DC) or "Data Processor" (DP) that processes the "personal data" of a person in the EU.
It applies to any DC or DP that provides products or services (even free of charge) to a person in the EU.
It applies whether the DC or DP is located in the EU or not.
For Ireland:
The Irish Government published its Data Protection Bill 2018 in early February 2018 and, after much debate and comment, it was signed into law by the President on 24 May 2018. It is now referred to as the Data Protection Act 2018.
For the UK:
The UK Government agreed to implement the GDPR in time for the 25 May 2018 effective date, and the new law, the Data Protection Act 2018, received Royal Assent just before that date.
For Jersey & Guernsey:
Jersey and Guernsey currently hold "adequacy" status with the EU for data protection and cross-border data transfer purposes. Both governments have enacted new domestic legislation to bring in the GDPR rules, each through its own island legislation, so the requirements of GDPR apply in both jurisdictions with minor changes reflected in the respective laws. The new laws are the Data Protection (Jersey) Law 2018 and the Data Protection (Bailiwick of Guernsey) Law, 2017.
The main elements of GDPR are the data protection principles that organisations must adhere to and the rights it gives to individuals.
RIGHTS for people:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
PRINCIPLES to adhere to:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
OTHER key provisions:
- Consent: Must be on an opt-in basis and clearly recorded
- Children: Improved protection for children
- Sensitive information: Special provisions for special category data
FINES for breaches of GDPR:
- Tier 1 fines: Up to €20m or 4% of total worldwide annual turnover, whichever is higher
- Tier 2 fines: Up to €10m or 2% of total worldwide annual turnover, whichever is higher