
The GDPR - What you need to know

In association with
Background to GDPR

• The current EU data protection legislation is the Data Protection Directive of 1995 (Directive 95/46/EC)
• The requirements of the Directive are given legal effect in the UK by the Data Protection Act 1998
• Despite robust supervision, concerns remained that data protection regulation was inadequately harmonised across the EU, because each member state implemented the Directive in its own national law

• To update the legislation, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) entered into force in May 2016
• As a Regulation it applies directly in every member state from 25 May 2018, without the need for national implementing legislation
• GDPR will apply in the UK from that date, regardless of any plans to leave the EU
• The Data Protection Directive 1995 is repealed with effect from the same date

Overview

• GDPR (Article 5) requires that personal data shall be:
  - Processed lawfully, fairly and in a transparent manner
  - Collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes
  - Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  - Accurate and, where necessary, kept up to date
  - Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
  - Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

Main changes

• New accountability requirement
  - Data controllers must be able to demonstrate their compliance with the data protection principles
  - This includes a requirement to maintain a written record of their processing activities
  - It replaces the current system of notifications under the Data Protection Act, whereby a data controller registers with the Information Commissioner's Office (ICO) when intending to process personal data

• Extended territorial reach
  - Although an EU Regulation, GDPR covers data controllers and data processors outside the EU where their processing activities relate to offering goods or services to data subjects within the EU, or to monitoring the behaviour of data subjects within the EU
• Requirement for a data protection officer (DPO) 'with expert knowledge of data protection law and practices' to be appointed in certain circumstances, for example:
  - Public authorities
  - Where the core activities of the data controller or data processor involve the 'regular and systematic monitoring of data subjects on a large scale', or where the organisation conducts large-scale processing of 'special categories of personal data'
• Enhanced rights for data subjects
  - Right to restriction of processing: data subjects can require that their data is processed for restricted purposes only
  - Right to data portability: to receive their data in a structured, machine-readable format and to have it transferred to a new data controller
  - The right to charge a fee for a data subject access request has been removed, except in specific circumstances: a reasonable fee can still be charged where requests are manifestly unfounded or excessive, in particular because they are repetitive
  - Right to be 'forgotten': to have personal data erased in certain circumstances
• New European Data Protection Board (EDPB)
  - Consisting of the European Data Protection Supervisor and the heads (or senior representatives) of the national data protection authorities
  - Its role is to issue opinions and guidance to ensure the consistent application of GDPR across the EU
• Breach notification requirements
  - Currently there is no general legal requirement to inform the Information Commissioner's Office in the event of a breach
  - GDPR changes this
  - In the event of a personal data breach, a data controller must notify the relevant Data Protection Authority 'without undue delay' and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
  - A data processor must notify the data controller without undue delay after becoming aware of a breach
  - Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay
• Fines
  - Currently the Information Commissioner's Office can impose a monetary penalty notice of up to £500,000 for serious breaches of the Data Protection Act
  - GDPR introduces a new two-tier system of administrative fines for infringements of the GDPR
  - For the more severe category of infringement (for example breaches of the data protection principles, of data subjects' rights or of the international transfer rules), a fine of up to €20 million or 4% of total worldwide annual turnover, whichever is greater, can be applied
  - For the less severe category (for example failures in security, breach notification, records of processing or DPO obligations), a fine of up to €10 million or 2% of total worldwide annual turnover, whichever is greater, can be applied

• Consent
  - As under the current Data Protection Act, data controllers must have a lawful basis (a specified reason) for processing data; consent is one such basis, not the only one
  - Where consent is relied on, it must be freely given by the data subject and be specific, informed and unambiguous, indicated by a statement or a clear affirmative action
  - Any request for consent must be:
    - Clearly distinguishable from other (contractual) terms; and
    - In clear and plain language
