Changes in GDPR
GDPR has made some changes to how some sector organisations process personal or special category of data.
Some requirements apply to all sectors, others specific to public/private sector:
- All public authorities are required to have in place a Data Protection Officer (Article 37(1)(a). GP Practices are considered as public authorities (schedule 1 Freedom of Information Act 2000 (through contract)).
- Public Sector authorities are no longer permitted to use ‘legitimate interests’ (now Article 6(f)) as a legal basis for processing. Public Sector authorities (if appropriate to the specific processing) should replace this with Article 6(e) ‘…. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
- The right to erasure does not apply to health records (Article 17(3)(c))
- The right to data portability does not apply to health records unless the process involves automated decision making or profiling (Article 20(1)(b)) and 20(3))
- Privacy by design is now mandated (use of Data Protection Impact Assessments (DPIA)(Article 25 and Article 35).
- Requirement to document processing activities (Article 30)
- Transparency requirements have been strengthened to ensure Controllers are transparent with how they are processing data and the means of informing their data subjects (including their rights) Article 12, 13, 14 and 15).
- Monetary penalties have been increased from £500,000 to £17,000,000. This includes breaches against any part of the regulation, not just the principles (Article 83(4)(5) and (6)).
- Consent for international transfers. For public sector organisations, where consent cannot be freely given and used as a legal basis, public sector organisations cannot utilise consent for international transfers. Therefore, public sector organisation can only exchange data with third countries only if there is a legally binding and enforceable instrument between public authorities (Article 49)
- Monetary penalties have been increased from £500,000 to £17,000,000 or between 2% to 4% of the organisation’s annual turnover. This includes breaches against any part of the regulation, not just the principles. (Article 83(4)(5) and (6)
- Article 6(e) is extended to private organisations, as a legal basis) if they have been commissioned by a public authority to carry out its work on its behalf (Article 6(3)).
- Consent requirements has been strengthened and companies will need to make sure that consent is legible, distinguishable, accessible form, clear and in plain English (Article 7)
- Breach notifications – 72 hour response and inform their Controllers (and data subjects) without undue delay after becoming aware of the breach (Article 33 and Article 34)
- Individual rights requests (Article 14 to 22). Some new individual rights (to be informed, erasure, portability, automated decision making) and strengthened existing rights (right to access, restriction, rectification)
- Requirement to ensure a Data Protection Officer is in place for systematic monitoring or large scale processing or large scale processing of special categories of data and criminal convictions (Article 37(1)(b)(c).
- Requirement to document processing activities – Record of Processing (Article 30)
- Privacy by design is now mandated (Article 25 and 35)
- Transparency requirements – open and transparent regarding the controller’s processing activities (Article 12, 13, 14, and 15).
- International transfers – Compliance with GDPR irrespective of company’s location/sites for EU citizens or companies who process EU citizen data (Article 46 and 47).
- Controllers now only defined as ‘Sole’ or ‘Joint’ Controllers (Article 4(7)).
- Controllers are required to have representatives within the EU (Article 27(1)
- Accountability and Governance are key aspects of GDPR and must demonstrate compliance (Article 5(2))
Other Controller aspects have already been defined within the above sections.
- Processors now have responsibilities under GDPR – they are required to demonstrate to controller that they can process with sufficient guarantees (controls and controller instructions). Processors are not permitted to engage with another 3rd party without instruction, must have appropriate technical, security and organisational measures in place prior to processing, support the controller in meeting compliance with GDPR and also demonstrating compliance to the controller on how it meets GDPR (Article 28, 29 and 32)
Other Processor aspects have already been defined within the above sections.