The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) was proposed by the European Commission in 2012 and finally agreed by the European Parliament and Council in December 2015. It was formally adopted and published in the Official Journal of the EU in May 2016, with a two-year lead time before full implementation.

Despite the vote to leave the European Union, the Government has confirmed that it will adopt the GDPR, which will therefore be law in the UK from 25 May 2018.

The main aim of the GDPR is to harmonise data protection law across Europe, and to bring it up to date with technological advancements. It aims to promote a more compliance-based approach to data protection, with an emphasis on transparency, accountability and data protection by default and design.

The focus is shifting away from enforcement purely against security breaches and data loss towards ensuring an overall compliance culture, requiring a more comprehensive framework of policies and procedures. The Information Commissioner's Office (ICO) will have greater enforcement powers, including the ability to issue fines for a much wider range of breaches of the Regulation. The maximum available fine will increase significantly from the current level of £500,000 to €20 million or 4% of annual global turnover, whichever is higher.

Some key points from the GDPR are:

  • There is a wider definition of personal data, including technical data such as location data and online identifiers (e.g. IP addresses). New categories of sensitive personal data are added: genetic data and biometric data.
  • There is a strong emphasis on accountability and transparency.
  • There will be increased rights for data subjects.
  • It specifies more detailed security requirements.
  • There are increased controls on the use of third parties for processing of personal data.
  • A Data Protection Officer must be appointed.

Revised policy, procedures and guidance, covering all of these areas and more, will be released on these pages over the course of the next year, leading up to the full implementation of the GDPR from May 2018.

Further guidance on the GDPR can be found on the ICO website.

A copy of the regulation can be found on the EU website.