Significant advancements in the field of information and communication have radically increased the ease with which data may be collected, transmitted, stored, manipulated and, most importantly, disseminated. These developments, together with a general increase in awareness of fundamental rights, particularly the right to privacy, have led to legislative changes and the emergence of a new regime of privacy protection.
Overview of the General Data Protection Regulation
The most significant development in this area that affects organisations, regardless of the sector, is the General Regulation of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). This overview examines the nature and scope of the regime and the rights of data subjects. It also sets out the obligations of controllers and processors and summarises the restrictions on the transfer of personal data outside the EU.
The GDPR replaced the Data Protection Directive when it became directly applicable from 25 May 2018. The reform was intended to respond to new technological challenges and to put in place a harmonised framework for the protection of personal data. Because the GDPR was incorporated into UK legislation – via the Data Protection Act 2018, amended on 1 January 2021 to reflect the UK’s status outside of the EU – its requirements survive the UK’s exit from the EU, and all organisations handling data must have regard to it.
Although originating within the European Union, the legislation builds upon existing UK data protection law to strengthen the protection of an individual’s personal data. It requires that the personal data of every UK citizen, especially if sensitive, must be protected, however and wherever it is stored.
The GDPR applies to an organisation if it:
- alone or with others determines the purposes for processing personal data relating to living individuals (known as acting as a data controller) or processes personal data relating to living individuals strictly in accordance with the instructions of another (known as acting as a data processor); and
- is ‘established’ in the EU, meaning that the business exercises real and effective activity through stable arrangements in the EU – including through a branch or subsidiary.
Key changes introduced in the GDPR include:
- Governance – organisations have increased responsibility and accountability on how they control and process personal data.
- Consent – a more active consent-based model is introduced. Wherever consent is required for data to be processed, it is defined as ‘freely given, specific, informed and unambiguous’. In other words, consent must be explicit rather than implied.
- Transparency – organisations have increased transparency obligations.
- Data processors – organisations processing data on behalf of other companies are required to comply with a number of specific data protection related obligations.
- Security – there is no definitive standard to adhere to when it comes to data security. Rather, controllers and processors are required to evaluate risks involved with their processing activities and implement appropriate measures to prevent loss and unauthorised access to data, such as pseudonymisation, encryption or restricted access.
- Enforcement – stronger enforcement means non-compliance could le