What is the GDPR?
The General Data Protection Regulation (GDPR) will be implemented in the UK on 25 May 2018 and organisations have less than a year left to prepare for its impact.
The GDPR overhauls the current data protection legislation, mainly the Data Protection Act (DPA), to bring it in line with 21st century ways of working.
It introduces strict new privacy requirements for data controllers handling personal data and it gives data subjects (the individuals the personal data is about) significantly greater control and rights over the manner in which their data is collected, shared, retained, and destroyed.
The GDPR also gives the Information Commissioner the authority to impose fines ranging from 2 per cent to 4 per cent of an organisation’s global revenues for violations of the Regulation.
How are we preparing for GDPR in Welsh Government?
There is a fair amount of overlap between the GDPR and the current Data Protection Act. However, there are some significant changes and enhancements to the existing law which will require data controllers to do things differently. Although many of these will take time to prepare for, the introduction of GDPR in 2018 will have an immediate impact.
In Welsh Government we have been preparing for its introduction by:
1. Raising awareness that the law is changing and the potential impact this will have – We aim to ensure that everyone developing policy within Welsh Government knows that data protection law is changing and how those changes will affect how we carry out our work.
2. Documenting the personal data we process – We are currently reviewing and documenting the personal data we process. This will enable us to identify where we’re already compliant with GDPR, along with any areas that require further attention.
3. Reviewing our existing privacy notices and updating them where necessary in line with GDPR requirements – Privacy notices explain how a data subject’s personal data is collected, shared, retained and destroyed. Under GDPR, the information provided to data subjects in privacy notices needs to be more prescriptive than under the current Data Protection Act. There is also a significant increase in the amount of information that has to be mandatorily communicated in all cases, and it has to be provided in a concise, transparent, intelligible and easily accessible way. Some of this information includes:
- The identity and contact details of the data controller
- The purpose of processing their data and the legal basis for doing so
- Who the personal data is shared with
- Any transfers of personal data outside the EU
- The retention period for the data
- A statement regarding the legal rights of the data subject (e.g. the right to withdraw their consent to the processing of their data), including the right to complain
4. Ensuring that we develop policy in line with GDPR ‘privacy by design’ principles – A key principle of GDPR is that simple compliance with the legislation is not sufficient in itself. As data controllers we will also have to implement a range of accountability measures such as mandatory Privacy Impact Assessments, data protection audits, policy reviews, activity records and, in the case of public authorities, mandatory appointment of a Data Protection Officer.
5. Ensuring we obtain ‘consent’ in line with GDPR requirements – Following publication of the Information Commissioner’s draft guidance on ‘consent’ under GDPR, we have been reviewing our existing data collection processes to ensure that, where used, consent mechanisms are prominent, concise, easy to understand, that there is no ambiguity around their collection and that there is evidence of affirmative action being taken on the part of the data subject.
Why are we doing this?
Preparing for the GDPR and the changes it will bring in time for the May 2018 deadline can seem overwhelming, but the regulations should ultimately have a positive impact on both the public and the organisations responsible for upholding them. GDPR encourages data controllers to take extra care about how they collect, store and use personal data, meaning it should be easier to locate and report on. For public authorities, it presents an opportunity to examine and overhaul how the personal data they process is collected, stored, used and deleted, so as to future-proof their data practices in the digital age.
Where can I find more information?
The Information Commissioner’s Office (ICO) has produced guidance around various aspects of GDPR and more will be published over the next year. This is an important resource for all organisations preparing for GDPR:
The ICO have also been active in giving presentations and attending workshops to help organisations prepare, and for us in Welsh Government this has provided a useful sounding board as we consider the implications of GDPR.
We’re also planning on publishing additional blog posts covering how we’re preparing for other aspects of GDPR, such as the implications for contracts and third party processors of personal data.
Post by Information Rights Unit.