This overview highlights the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements. GDPR came into force in the UK on May 25 2018.
GDPR is relevant for organisations in the UK that process the data of EU citizens. GDPR also introduces several new elements – for example, breach notification procedures and data portability. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. Having clear laws with safeguards in place is more important than ever for the growing digital economy.
Who does the GDPR apply to?
GDPR applies to ‘controllers’ and ‘processors’ of personal data. A data controller decides how and why personal data is processed and the processor acts on the controller’s behalf. If you are a data processor, GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under GDPR. However, if you are a controller, you are not relieved of your obligations where a processor is involved – GDPR places further obligations on you to ensure your contracts with processors comply. GDPR applies to processing of personal data carried out by organisations operating within the EU. It also applies to organisations outside the EU that process the personal data of EU citizens.
GDPR is designed to help organisations achieve best practices for data protection. It advocates privacy by design and good information management policies, procedures and technologies to minimise possible data loss incidents.