The purpose of the GDPR is to provide a set of standardised data protection laws across all of the member countries. GDPR is currently the strongest data protection regulation in the world.
The more useful term is "European Union resident", or a person located within the European Union. GDPR requires that the personal data of an individual residing within a European Union country be subject to certain safeguards and that their rights and freedoms be protected.
The GDPR will apply to non-European Union companies that deal with personal data in the course of offering goods or services to European citizens, or of monitoring European citizens' behaviour occurring within the European Union. In essence, where a business has a European Union connection, it is highly likely that it will fall within the scope of GDPR.
The Information Commissioner's Office (ICO) will provide written advice within eight (8) weeks, or fourteen (14) weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data, or ban the processing of the data altogether.
The ICO can serve information notices requiring companies to provide specified information within a predefined time period. The ICO can impose penalty notices for a wider range of failures, including failure to comply with an information notice, an assessment notice or an enforcement notice.
GDPR accommodates claims for breach. It provides that individuals may sue in circumstances where they have suffered a) damage or b) distress. This means that you only have to demonstrate that such a breach caused you some level of distress in order to claim compensation.
A data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
How long certain kinds of personal data are kept may also be governed by specific business-sector requirements and agreed practices. For example, the ICO has agreed that credit reference agencies are permitted to keep consumer credit data for six (6) years.
The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation, and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 sets out the details of these provisions. It is therefore important that the GDPR and the DPA 2018 are read side by side.
Probably. Under the GDPR, you must appoint a DPO if you
We have appointed a DPO based on their professional qualities and expert knowledge of data protection law and practices.
We aren't required to appoint a DPO under the GDPR, but we have decided to do so voluntarily. We understand that the same duties and responsibilities apply as if we had been required to appoint a DPO. We support our DPO to the same standards.
Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR.
The WP29 guidance also clarifies the position under Articles 38 and 39 in relation to the role and tasks of the DPO:
In the WP29’s guidance, it is also emphasised that the DPO is not personally responsible for non-compliance with the GDPR. The liability still remains with the controller or processor to demonstrate that the processing activities are being performed in accordance with the GDPR.
To add a Data Protection Officer (DPO) email firstname.lastname@example.org with the subject line ‘Add a DPO’ and include:
The ICO will publish details of all controllers who pay the data protection fee on the data protection register, which is available on our website. Please state clearly within your email whether or not you wish to publish the name of your DPO if they are an individual.
Information about an employee's health is considered a "special category of data" under the GDPR (sensitive personal data under the DPA), which an employer will need to process if it obtains a medical report. Processing special categories of data is prohibited unless one of a number of exceptions applies.
It appears that, with GDPR in effect, it will be almost impossible for an employer to rely on consent to process employees' personal data, even if it is given in relation to a particular medical issue.
For special categories of data, employers are likely to rely on processing being “necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law” (Article 9(2)(b) GDPR). For this, under the new data protection bill, employers will need an ‘appropriate policy document’ explaining how they handle special categories of data.