GDPR – the things you need to know
The General Data Protection Regulation (GDPR) is a set of regulations governing how organisations in EU countries capture, process and hold personal information. It is due to be enforced on May 25th 2018 and all UK companies that handle data will have to comply.
The following provides a summary of some of the key aspects. Detailed guidance on your obligations and how to prepare can be found on the ICO website: https://ico.org.uk/
Article 5 of the GDPR requires that data is processed lawfully. For processing to be lawful, you need to identify a lawful basis for that processing. This is often referred to as the “conditions for processing” under the current Data Protection Act (DPA).
It is important that you determine your lawful basis for processing personal data and document this. The lawful basis for processing also has an effect on individuals’ rights. If you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted.
While there has been a lot of focus placed on the need for consent from a data subject, it is important to remember that consent is not the only lawful basis. The lawful processing conditions detailed in Article 6 of the GDPR include:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject