GDPR Guidelines
GDPR
From 25 May 2018, the General Data Protection Regulation (‘GDPR’) will change how businesses in the UK process, protect and store information identifying individuals. The GDPR significantly extends the current requirements of the Data Protection Act 1998 (‘DPA 98’) to reflect advances in technology and to create a unified approach to data protection across the EU.
Significant breaches of the requirements could see CET Structures Ltd fined up to €20 million or 4% of total worldwide annual turnover, whichever is greater.
The GDPR will become automatically effective on 25 May 2018. It will be accompanied by a new Data Protection Bill (‘DP Bill’), which will implement the GDPR standards across all data processing within the UK and will provide clarity on some parts of the GDPR. The contents of the Bill have not been finalised.
What is the GDPR?
The GDPR is a European regulation intended to strengthen and unify data protection for all individuals within the European Union.
Will it apply to CET Structures Ltd?
Yes. The GDPR will apply to all UK businesses, including CET Structures Ltd, that are ‘controllers’ or ‘processors’ of personal data. We’ll touch on these roles later.
What will happen to the Data Protection Act 1998 (DPA 98)?
The GDPR will replace the DPA 98, and a new Data Protection Act will sit alongside the requirements of the GDPR.
What are data ‘controllers’ and ‘processors’?
A ‘controller’ decides how and why personal data is processed; a ‘processor’ processes personal data on the controller’s behalf. The definitions have not changed from those in the DPA 98, but the GDPR now places specific duties and obligations directly on processors. If you are a processor or controller (or both) of personal data, or are currently subject to the DPA 98, it is likely that you will also be subject to the GDPR.
What activities are covered?
The GDPR covers the ‘processing’ of personal data, whether by automated means or manually, where the data form part of a filing system or are intended to form part of one.
What is personal data?
Both the GDPR and the DPA 98 direct how ‘personal data’ should be processed. The scope of ‘personal data’ has broadened under the GDPR. Personal data is any information relating to an identified or identifiable living person.
The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria.
Examples of personal data include CCTV footage, door access records, computer log-on data, records of websites visited, phone calls made and emails sent or received.
What about sensitive personal data?
Businesses will need to continue to take additional care when processing sensitive personal data.
The GDPR refers to this as ‘special category’ data. The list is largely the same as under the DPA 98, with genetic and biometric data now explicitly included, and continues to cover:
- Racial or ethnic origin
- Political opinions
- Religious and philosophical beliefs
- Trade union membership
- Health, sex life or sexual orientation
- Genetic and biometric data (where used to uniquely identify an individual)
Subject Access Requests
GDPR brings in specific changes to subject access requests (SARs).
A SAR is a written request made by or on behalf of an individual to find out what personal data we may hold about them, why we hold it and who we disclose it to. Under the GDPR, SARs must normally be handled free of charge; a reasonable fee may be charged only where a request is manifestly unfounded or excessive, or for further copies of the same data.
If a SAR is received, CET Structures Ltd must provide the information without undue delay and in any event within one month of receipt. This period can be extended by up to two further months where requests are complex or numerous, but the individual must be told of the extension within the first month.
If you receive a Subject Access Request please immediately email InformationSecurity@cet-uk.com with details of the request.
Complying with the Act
When processing personal and sensitive personal data we have to comply with the eight data protection principles of the DPA 98, which the GDPR carries forward and adds to with an explicit ‘accountability’ principle: we must be able to demonstrate our compliance. The principles are:
1. Data must be collected lawfully, fairly and transparently
2. It must be used only for specified purposes
3. The quantity of data collected should be appropriate
4. The data should be accurate and up to date
5. It should be kept only as long as necessary
6. It should be processed in accordance with the rights of those it concerns
7. It should be kept securely
8. It should not be transferred out of the EEA (European Economic Area) unless the destination provides an adequate level of protection or appropriate safeguards are in place
What is a personal data breach?
GDPR defines a personal data breach as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
What do you have to report?
A personal data breach must be reported to the ICO within 72 hours of CET Structures Ltd becoming aware of it, unless it is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. Where notification is required it should include the following information:
- The nature of the personal data breach including (if possible), the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer or other contact point where the regulator can obtain more information.
- The likely consequences of the personal data breach.
- Measures (or proposed measures) taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If you suspect a data breach has occurred, please email InformationSecurity@cet-uk.com immediately. The 72-hour reporting window starts when the company becomes aware of the breach, so report first and do not wait until every detail has been confirmed.
Penalties
The penalties have increased under the GDPR. Where a serious breach has taken place, CET Structures Ltd could be fined up to €20 million (around £18 million), or 4% of total worldwide annual turnover (whichever is the higher).
Clearly the size of the fines could severely impact non-compliant businesses. Previously fines were set at a maximum of £500,000. The ICO has said that it will take a fair and reasonable approach to enforcement.