GDPR is designed both to harmonise data protection law throughout Europe and to modernise it. A great deal has changed in the last 2 decades, not least the ways in which personal data is collected and processed by organisations. In particular, the growth of the internet and the significant increase in the amount of personal data being transferred, stored, and processed online means that legislation that worked 20 years ago is, in many respects, no longer up to the task.
Simply put, if you handle personal data of any kind, you are already subject to the Data Protection Act 1998, so yes, it will. GDPR will apply to all organisations operating within the EU and to organisations outside of the EU that deal with individuals within the EU. The good news is that if you’re already complying with the Data Protection Act, you’re off to a strong start. Nonetheless, it’s very important to be aware of, and to understand, your obligations (existing and new) under GDPR.
The UK government has made it clear that the provisions of the GDPR will still apply after Brexit. In September 2017, the Government published a new Data Protection Bill, the main purpose of which is to bring the provisions of the GDPR onto the UK statute book after we leave the EU. There are already some differences between the GDPR and the Data Protection Bill, but it is likely that from the perspective of most businesses, the steps necessary for compliance will be the same.
Compared to the current data protection framework under the Data Protection Act 1998, the GDPR will bring a number of important changes and enhancements including:
A data protection impact assessment (DPIA) is a mechanism for identifying, quantifying and mitigating data privacy risks. It is undertaken to ensure that appropriate controls are put in place whenever a new process, system or way of working that involves high-risk processing (such as processing health data) is introduced.
When undertaking a DPIA, an organisation’s designated data protection officer must be consulted. A DPIA should be signed off by an organisation’s senior information risk owner (SIRO) and the data protection officer.
A DPIA has to be completed before any new process, system or way of working goes live (i.e. at the business planning stage of a project) where it involves high-risk processing.
The completion of a DPIA will help to minimise the chance that any new process, system or way of working will present a high risk to the rights of individuals through a failure to comply with the GDPR (or new DPA).
The GDPR requires all public authorities to have a data protection officer (DPO). Their role is to inform and advise their organisation(s) about all issues relating to GDPR compliance. The DPO will also be responsible for monitoring the organisation(s)' compliance with GDPR. The DPO reports directly to an organisation’s highest management level and may not be disciplined or dismissed for carrying out their tasks as a DPO. It is envisaged that the DPO will be supported by the organisation’s information governance team.
It is important to note that data processors that process personal data on behalf of health or social care organisations must appoint a DPO where they either: