General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world.

What is GDPR?

It means that organisations which ask for and use information about people may only use that information in certain ways, and must make sure people know how it is being used. An example is the NHS, which asks people for information about:

  • their name and address
  • their date of birth
  • telephone number
  • details about their health

Who does the UK-GDPR apply to?

  • The UK-GDPR applies to controllers and processors.
  • A controller makes decisions about how and why information about people (called personal data) is used.
  • A processor is responsible for using people’s personal data on behalf of a controller.
  • The UK GDPR makes it clear that information can only be used for certain things and that processors must keep records of personal data safe. Processors can be fined large sums of money if they break data protection regulations.
  • Data controllers also have legal obligations to ensure their contracts with processors comply with the UK GDPR.
  • The UK GDPR applies to processing carried out by organisations operating within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK. This includes companies that provide health services for the NHS.

Does UK-GDPR affect my work?

If you are sent people’s personal data, or use it, to do your job, then you must make sure it is used in accordance with the Data Protection Act 2018. This includes the requirements of UK-GDPR. UK-GDPR applies to all organisations operating in the UK. Organisations outside the UK that deal with individuals now operate under the EU-GDPR.

It is very important that you understand:

  • the UK-GDPR
  • how you should use people’s personal data
  • how to keep it safe
  • what you should not do with it

If you don’t you may be breaking the law.

UK-GDPR key points

  • You and the organisation you work for are responsible for making sure personal data is only used how it is supposed to be used, and is kept safe. You are breaking the law if you don’t.
  • Organisations must keep records of the types of information being used, tell people how their personal data is being used, and keep these records safe.
  • You must complete a data protection impact assessment (see below).
  • A wide range of information is classed as personal data and would include any information which can identify an individual.
  • Data processors (for example contractors and service providers) are also required to meet data protection regulations.
  • You can get fined up to £17.5 million or 4% of total worldwide turnover, whichever is higher, if you break the law.
  • Data controllers must notify the Information Commissioner’s Office within 72 hours of a data breach, for example if your information is sent to the wrong place.
  • Individuals have rights, including greater transparency, which means they must be told how their information will be used before it is used, and the right to be forgotten.
  • By law, organisations must employ someone called a data protection officer (DPO) if they are collecting and using lots of personal data.
  • There are stricter rules about consent given by people for the collection and processing of their personal data.
  • In most cases, we won’t charge you for sending you copies of records held about you.

What is a data protection impact assessment?

A data protection impact assessment (DPIA) is a mechanism for identifying, quantifying and mitigating data privacy risks. For example, this could be an IT security or legal risk. Multiple risks can also be identified.

The DPIA is completed by organisations to ensure appropriate controls are put in place, for example when any new process or system involves the use of high-risk data such as health data.

The DPO in the organisation must be consulted when completing a DPIA. A DPIA should be signed off by the organisation’s senior information risk owner and the DPO.

A DPIA must be completed before any new process or system that includes processing health data goes live, for example at the business planning stage of a project.

The completion of a DPIA will help to minimise the chance that any new process or system presents a high risk to the rights of individuals through a failure to comply with the UK-GDPR or the Data Protection Act.

What and who is the data protection officer?

All public organisations including the NHS must have a DPO. The DPO makes sure the organisation does not break the law and uses people’s data correctly. The DPO reports directly to an organisation’s highest management level. A DPO may not be disciplined or dismissed for carrying out their tasks.

It is important to note that data processors that process personal data on behalf of health or social care organisations must appoint a DPO if they:

  • process special category data on a large scale
  • perform regular or systematic monitoring of data subjects