On the 25th of May 2018 the General Data Protection Regulation (GDPR) came into force, replacing the Data Protection Directive and changing the domestic legislation, the Data Protection Act, which governed organisations’ obligations with regard to the holding and processing of data.
There are a number of areas which have been impacted including but not limited to the following:
Subject Access Requests
Following the change to GDPR it is no longer permitted to charge for providing information requested under Subject Access Requests unless the request is excessive or repetitive, in which case “a reasonable fee” can be charged or it may be possible to refuse. Requests must normally be complied with within one month, albeit that if the request is complex it may be possible to extend the period for compliance by a further two months. It is recommended that legal advice is obtained before seeking to rely upon an extension or any refusal to comply.
Lawful Basis for Processing Data
You are now required to identify the lawful basis for processing personal information. Processing can include storing/holding and deleting. Your organisation should have a documented privacy notice which covers the same.
The lawful bases set out in Article 6 of the GDPR are as follows:
- Necessary for the performance of a contract;
- Necessary to comply with legal obligations;
- Necessary to protect someone’s life;
- Necessary to perform a task in the public interest;
- Necessary for your organisation’s or a third party’s legitimate interests.
Following the introduction of GDPR you will be obliged to notify the Information Commissioner’s Office (“ICO”) and the individual concerned of certain breaches within 72 hours of the breach occurring.
A failure to notify within 72 hours is likely to lead to an increased fine.
The notification is required where the breach is likely to result in a risk to the rights and freedoms of individuals. Most commonly this may involve situations where data is lost or stolen.
Organisations are required to have systems and procedures in place for detecting, reporting and investigating any personal data breaches.
In addition, organisations also have an obligation to show that they have in place procedures to protect individuals’ data, and to demonstrate the same by undertaking Data Protection Impact Assessments where data processing may be high risk to the individuals concerned.
Biscoes have GDPR specialist advisors who can help your organisation with compliance including providing template policies, privacy notices, compliance assessments and assisting in dealing with Data Subject Access Requests and data breaches.