Access to Information
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the new legal framework in the EU which came into force on 25 May 2018. There is also a new Data Protection Act. This new Act supplements the GDPR and provides new rights to individuals concerning their personal data and is the most significant overhaul of data protection laws in the EU for 21 years.
The main changes are:
i. Increased fines - Fines for breaching GDPR (max - greater of 4% of turnover or €20M) are significant compared with the current fines regime (max £500K).
ii. Accountability and Privacy by design – the Council must be able to demonstrate compliance with GDPR and implement data protection by design to reflect processing activities and risk
iii. Data Protection Officer (DPO) – this becomes a statutory role which requires the Council to provide the necessary support and resources to enable the DPO to carry out the role
iv. Data Processors – data processors can be held liable for non-compliance
v. Extra Territorial reach - GDPR’s reach extends to organisations outwith EU that process personal data of individuals in the EU.
vi. Consent as basis for processing - GDPR makes it much harder to rely on consent as a basis for processing personal data and HBC should check whether the basis upon which consent was obtained meets GDPR requirements.
vii. Privacy Notices - must be concise, intelligible and communicated by means likely to be noticed and read by data subjects. GDPR also requires further information to be added to privacy notices.
viii. Data Subject Rights - GDPR expands rights of data subjects to include e.g. right to be forgotten, right to portability, right to prevent customer profiling.
ix. International transfers - basis on which local authorities can transfer personal data outwith the EEA have been restricted
x. Data Breaches - subject to limited exceptions, all data breaches must be notified to the Information Commissioners Office within 72 hours.
Should you require any further information please visit www.ico.org.uk
Personal data is anything that can be used to identify a person. For example:
- Email address
- Date of birth
- National insurance number
- Postal address.
It also covers sensitive personal data, which includes information, such as, ethnicity, religious beliefs and medical history.
The GDPR contains six Principles, plus an additional section, regarding personal data. The Principles are that personal data should be:
- Processed lawfully, fairly and in a transparent manner (stored, used, destroyed)
- Obtained for a specified, explicit and legitimate purpose
- Adequate, relevant and limited
- Accurate and, where necessary, kept up to date
- Kept no longer than is necessary
- Have appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
- The organisation also has to be able to demonstrate accountability and compliance.
Collecting and Processing Personal Data
The GDPR increases individuals’ rights on personal data meaning the Council will need to have consent, or one of five other specific legitimate reasons to hold and process individuals’ data. The Council will collect and process personal data only to the extent that it is needed to fulfil operational needs or to comply with legal requirements.
Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a process designed to help an organisation systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of an organisation's accountability obligations under the General Data Protection Regulation, and helps an organisation to assess and demonstrate how they comply with all of the data protection obligations.
The Council's DPIA's are available on request by emailing email@example.com or telephoning 01429 523087.