Where a Controller uses third party systems to process personal data, the responsibility for consent still lays with it. Controllers bear the onus of acquiring GDPR-standard consent (or indicating any other lawful basis for processing the data), demonstrate it to the regulator and ensure it can be withdrawn as easily as it was given. Therefore, selecting Processors who are themselves GDPR-compliant and can support the controller’s obligations is key.

If the third party has processing purposes that are separate from the Controller's purposes, then the third party is deemed a Controller under Article 28.10. Here, the third party must secure its own legal basis for processing, whether by consent or another legal basis.

The Controller may update its contracts to seek certainty that its Processors are adhering to the same GDPR standard and that any breach can be indemnified by the Processor. Meanwhile, if the Processor believes the Controller infringes GDPR, they have an obligation under Article 28 to inform the Controller and record the notification.

Supermarket chain, Morrisons face paying out compensation claims to more than 5,000 of their staff after the Court of Appeal upheld the High Court’s ruling in regard to Morrisons being liable for the data leak conducted by their former employee, Andrew Skelton.

The supermarket chain is now involved in the UK’s first data leak group action, due to Mr Skelton’s actions in 2014, in which the former senior internal auditor leaked payroll data whilst working at Morrison’s head office in Bradford.

The claimants are a mixture of both former and current employee, who allege that the data breach enabled them vulnerable to the possibility of identity theft and financial losses. This has been ruled as Morrison’s responsibility, and they are therefore in breach of data protection, privacy and confidence laws.

The GDPR law is not the only new European privacy regulation everyone is talking about. There has been a lot of discussion regarding the ePrivacy Regulation, which deals with e-communication, although technically it is a revised version of the ePrivacy Directive or the ‘cookies law’. The ePrivacy Regulation was initially supposed to be introduced on 25^th of May 2018, the same day as GDPR. However, it has been delayed but it is still expected to come in to effect this year pending review by the European Union’s member states.

Although, some of the changes may appear small, as a whole it will have a huge impact in the long run and will also make organisations more aware of the regulations they must adhere to, which will also align with GDPR requirements.

The new European data legislation or GDPR requires a balance between the needs of the many and the needs of the individual.

The benefits and risks of using personal data splits opinion particularly within the medical research sector. 

'Big data' can digest previously unimaginable quantities of information and uncovers previously-unforeseen patterns.  On the one hand, it may address the challenges posed by chronic conditions such as heart disease or cancers. But, the way forward is less clear.  

The General Data Protection Regulation (GDPR) was enforced on the 25^th May 2018, which applied major changes to the way data is protected, enabling employers to reconsider their employment and HR procedures, and amend them in order to comply with GDPR requirements.

 Employers should maintain focus on the following factors:

Superdrug have recently announced that they have been the target of a data hack, with a warning to customers that their personal data may have been stolen.

The health and beauty chain admitted that they had been contacted by someone who appears to be a hacker, claiming that they have obtained personal data from approximately 20,000 customers.

A spokeswoman from Superdrug stated:

“The hacker shared a number of details with us to try and prove he had customer information – we were then able to verify they were Superdrug customers from their email and log-in”.

The company also confirmed that 386 accounts had been access, including customers’ names, addresses, data of birth, phone number, and Superdrug balance points, however luckily no card information was obtained.

They sent out an email to their customers, in addition to a confirmation on Twitter stating: