The General Data Protection Regulation (GDPR)
The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR. However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Read the full guidance on the ICO website
The GPC have published guidance for practices
The guidance sets out the main themes of the legislation and what you need to do to ensure compliance, including:
- What is a data controller?
- Consent and other lawful bases for processing
- Right to object
- Data controller responsibilities for processing: privacy notices
- Accountability: demonstrating compliance
- Dealing with requests for confidential health data
- Breach reporting
- Subject access requests
- Additional concepts under GDPR