

The European Union’s General Data Protection Regulation (EU GDPR) came into force in May 2018, with the promise to provide a single, harmonised data protection law for the European Union. The GDPR aims to safeguard the personal data of EU subjects, regardless of where that data is held or processed, and as such its reach is global. Both Guernsey and Jersey updated their own laws to ensure the Islands remain in line with the EU.


The GDPR requires that data subjects make 'an affirmative action' in order for consent to be considered lawful. For example, under the GDPR it will no longer be acceptable for websites to state, as many currently do, that 'by using this website you agree to our use of cookies'. Consent must be clear, and the wording used to describe the processing for which consent is being sought must be provided in an intelligible and easily understandable form, using clear and plain language. Further, it must be as easy for a data subject to withdraw consent as it was for them to grant it.

Increased Territorial Scope

One of the biggest changes that the GDPR brings is in respect of its reach. Its scope is all EU citizens and therefore it is extra-territorial. In other words, it applies to all companies processing the personal data of EU data subjects, regardless of the company’s location.


Under the GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine that can be imposed for the most serious infringements, e.g. having insufficient customer consent to process data or violating the core principles.

There is a second rule under which a company can be fined up to 2% of annual global turnover or €10 million for not having its records in order (article 28), not notifying the supervising authority and affected data subjects about a breach, or not conducting an impact assessment.

It is important to note that these rules apply to both data controllers and data processors - those third party organisations which provide outsourcing services, including "cloud" providers.

Breach Notification

Under the GDPR, breach notification will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. 

Privacy by Design

Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the start of process or system design, rather than as a subsequent addition. More specifically: 'The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting access to personal data to those who need it to carry out the processing.

Data Subject Rights

The GDPR defines 8 rights for individuals:

Right to be Informed

All organisations must be completely transparent in how they are using personal data (personal data may include data such as a work email and work mobile if they are specific to an individual).

Right to Access

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.

Right to Correction/Rectification

All individuals will have the right to have personal data rectified if it is inaccurate or incomplete.

Right to be Forgotten

Also known as the right to data erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

Right to Restrict Processing

All individuals have the right to block or suppress processing of their personal data.

Right to Data Portability

The GDPR introduces data portability, the right for a data subject to request a copy of any data held about them and also request that the information be transmitted to another data controller. The regulation doesn't detail specifics for this, only to say that information must be provided in a 'structured, commonly used and machine-readable format'.

Right to Object

In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.

Right to not be subject to automated decision making and profiling

The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them or is based on automated processing.