The GDPR is here! What now?

Three weeks ago, on 25 May 2018, the requirements of the EU General Data Protection Regulation 2016/679 (GDPR) kicked in across the EU. The UK Data Protection Act 2018 (DPA) also arrived and applied from the same day. The DPA supplements the GDPR and, importantly, contains conditions for use of sensitive categories of data (such as health, ethnic origin and criminal convictions), exemptions from some GDPR requirements (including those relating to the rights of individuals), and provisions on data protection enforcement and remedies within the UK.

For those in the public sector, the DPA also brings unstructured manual records within the scope of some data protection requirements. There are also detailed provisions on use of personal data for the law enforcement and intelligence services sectors (including those which implement the EU Directive on data protection matters for the police and criminal justice sector 2016/680).

If you weren’t quite fully prepared for 25 May (after all, you had two days to absorb and apply the requirements of the DPA before they applied), you can keep going now to get things into shape. If you had it all sorted by 25 May then, firstly, well done! But you also need to keep going – the GDPR and the DPA obviously contain ongoing obligations, and UK and EU guidance is still being produced to help to interpret some of the provisions.

And we mustn’t forget that we still have the proposed new EU E-privacy Regulation (2017/0003) to look forward to (still in proposal form and not yet finalised). So keep an eye out for this, in particular in relation to the rules on direct marketing and cookies, and the wider obligations for those in the communications sector.

Also on the horizon, we need to think about how Brexit affects data protection compliance and risks, particularly with regard to the international data transfer rules.

Some key guidance on the GDPR and DPA which is already out there is set out below.

UK ICO’s Guide to the GDPR

This is available on the ICO’s website (ico.org.uk) and provides an overview of the requirements of the GDPR. The ICO has been regularly adding to and updating it. It has indicated that it now intends to make further updates in light of the DPA (including to this Guide and to a separate overview of the DPA, which was previously an overview of the Data Protection Bill).

UK ICO guidance on specific topics

The following guidance (separate from the main GDPR Guide) is also available on the ICO’s website (ico.org.uk).

  • Automated decision-making and profiling
  • Children and the GDPR
  • Consent
  • Documentation
  • Draft guidance on Contracts and liabilities between controllers and processors
  • Data protection impact assessments (including template documents)
  • Determining what is personal data
  • Lawful basis interactive guidance tool
  • Legitimate interests
  • The right to be informed
  • Self-assessment toolkit (aimed at small to medium organisations)

European Data Protection Board Guidelines

The European Data Protection Board (EDPB) is an independent European data protection body established by the GDPR. It replaces the former EU Article 29 Working Party. Its Guidelines are available on the EDPB website (edpb.europa.eu). Those previously adopted by the Article 29 Working Party have now been endorsed by the EDPB.

  • Administrative fines (though these are not yet obviously listed in the guidelines section of the EDPB website)
  • Automated decision-making and profiling
  • Draft guidelines on Certification
  • Consent
  • Data protection impact assessments and high risk processing
  • Data protection officer
  • Derogations applicable to international transfers
  • Lead supervisory authority
  • Personal data breach notifications
  • Right to data portability
  • Transparency

Olivia Whitcroft, principal of OBEP, 14 June 2018

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft.