The key changes including in the General Data Protection Regulation (GDPR): 

• The Regulation will enforce tough penalties – proposed fines up to 4% of annual global revenue or €20million, whichever is greater.

• Even though the UK will not be in the EU in post-Brexit, we will still have to comply with the Regulation. Although regulation beyond EU borders will be a challenge, those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

• KEEPING UP WITH GDPR REQUIRMENTS

  

  The EU General Data Protection Regulation (the “Regulation”) came into effect on 25 May 2018, replacing the Data Protection Act 1998. The GDPR requirements largely repeat the security principles set out in the DPA, although with a much tougher regime and more severe sanctions for breach.

  This change has brought about business challenges for which there is little, if any, legislative or regulatory clarity at present.

   1. How does controllerand processorliability work in practice? 

• SAR AND CONFIDENTIAL REFERENCES

  

  A Subject Access Request (SAR) is a written request from an individual, in relation to their access to information, which they are entitled to ask for under the Data Protection Act.

  There has been some debate on what must be included in an SAR:

  Recently in relation to the inclusion or exemption of confidential references. As previously, under the Data Protection Act 1998, employees had the right to access their personal information, including references from current or former employers, although employers did have the right to refuse disclose of this information to the employee. In this instance, an employee could overrule the employer’s decision by applying to the recipient employer regarding their reference, whereby the employer could not decline disclosure.

• TERRITORIAL SCOPE OF GDPR

  

  A common scenario involves country-level sites managed by a central team with some in the EU, and some outside. 

  The question is, will all the sites be in scope of GDPR as EU visitors may access any of the sites while visiting those countries?

• THE RESPONSIBILITIES OF THE PROCESSOR

   

  

  A cloud service provider of apps and storage for businesses is a data processor. However, that does not mean it is not exempt from appointing a Data Protection Officer (DPO) if the data processed presents potential risks to the rights and freedoms of others, or large scale systematic processing.

• THE RIGHT TO BE FORGOTTEN

   

  Companies need to consider what technical measures they can take in an effort to adhere to the data subject's right to erasure, or 'right to be forgotten'.

  Anonymisation ensures that the anonymised data is no longer identifiable to a person. Therefore, it is no longer considered personal data under GDPR. Where anonymisation has been done, and a subject access request (SAR) follows, you would be then able to explain that you no longer have personal data related to that subject on your database. That said, anonymised data is very hard to achieve perfectly and leaves some risk unless performed properly.

• WHEN TO HIRE A DATA PROTECTION OFFICER

   

  

   Under the GDPR, you must appoint a data protection officer (DPO) if you:

  1) are a public authority (except for courts acting in their judicial capacity);
  2) carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or

  3) carry out large scale processing of special categories of data or data relating to criminal convictions and offences.