New Data Privacy Regulations On The Way
A new EU-wide regulation for protecting the personal data of EU residents will come into effect from 25th May 2018. Personal data includes any information related to a natural person referred to as a ‘Data Subject’, that can be used to directly or indirectly identify them, for example: their name, a photo of them, their email address, bank details, or an IP address. The new regulation, referred to as the General Data Protection Regulation (GDPR), will introduce new protections in addition to those of the UK’s existing Data Protection Act. It will apply to all companies that process personal data of Data Subjects, regardless of the company’s location or whether or not the processing takes place in the EU. Penalties for breaching the GDPR may be substantial.
In general, unless there is some other legal basis, a person will need to consent to their personal data to be collected, stored or shared with others, for example. Requests for consent must be in plain language and easily accessible, with the purpose of the data processing being clearly explained; and it must be as easy to withdraw consent as it is to give it. Examples of lawful basis for processing personal data include: to fulfil a contractual obligation to the Data Subject, or because they have asked you to do something before entering into a contract (e.g. to provide a quote); to comply with a legal obligation, to the extent that the processing is absolutely necessary; or where it would be necessary for the specified legitimate interests of a person, be they the Data Subject or someone else. The legal basis must be specifically stated and explained in a privacy notice issued to the Data Subject.
Data subjects will have certain rights, including the rights to be notified promptly of a breach, to access their personal data, to have their personal data erased (which must be balanced against the public’s interest in the data being available), and to have their personal data sent to them.
Additional information about the GDPR can be obtained from the UK Information Commissioner’s Office (ICO).