What is the GDPR?
The GDPR (General Data Protection Regulation) has been described as “the biggest change to data protection law for a generation” in the UK and the EU. One of its key aims is to give individuals more control over their personal data: how it is used, for what purpose, how it is shared and on what legal basis.
What is “personal data” under the GDPR?
One big change from the current regime (the Data Protection Act 1998) is that the GDPR expands the definition of personal data. The GDPR states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. An identifiable natural person is one who can be identified, directly or indirectly, by reference to:
- a name;
- an identification number;
- location data;
- online identifiers such as IP addresses and mobile device IDs;
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; or
- data that has been pseudonymised but could still be attributed to a natural person through the use of additional information.
Can you give some examples of the personal data that IPs (insolvency practitioners) will encounter?
IPs will come across personal data when dealing with the assets and books of the insolvent company, e.g. HR records, customer lists etc. IPs will also come across personal data when dealing with the records relating to the directors and creditors of the companies to which they are appointed, e.g. the list of creditors and their dividend distributions.
How will the GDPR affect me?
At the moment, IPs have compliance obligations under the Data Protection Act 1998 (DPA) only if they are “data controllers”, i.e. they decide how and why personal data is processed. If they merely handle personal data on behalf of a data controller (as a “data processor”), the DPA imposes no direct statutory obligations on them. Under the GDPR, IPs will have direct compliance obligations even when they act as data processors.
What GDPR obligations will I have when I am a data controller or a data processor?
A data controller must (amongst other obligations):
- keep a record of its processing activities (the GDPR abolishes the general requirement to notify the national supervisory authority before processing; prior consultation with the authority is required only where a data protection impact assessment shows that the processing would still present a high risk);
- comply with the GDPR data protection principles, for example processing data lawfully, fairly and transparently;
- implement appropriate technical and organisational measures to protect personal data against accidental loss or destruction, unauthorised access or other unlawful processing; and
- enter into written contracts with its processors. These contracts must oblige data processors to (a) act only on the data controller’s documented instructions and (b) comply with the same security obligations imposed on the data controller.
As for data processors, they (among other obligations):
- must keep a record of all categories of processing activities carried out on behalf of their data controller;
- will be deemed to be a controller in respect of any processing that they carry out outside the scope of their data controller’s instructions;
- are directly responsible for implementing appropriate security measures;
- must inform their data controller of a personal data breach without undue delay after becoming aware of it; and
- must appoint a Data Protection Officer if certain criteria are met.
What happens if I don’t comply with the GDPR?
For serious breaches, fines of up to EUR 20 million or 4% of the group’s total worldwide annual turnover (whichever is higher) can be imposed on both data controllers and data processors. For lesser breaches, the maximum is EUR 10 million or 2% of total worldwide annual turnover (whichever is higher).
What should I do next?
Follow the 12 steps to GDPR compliance issued by the UK Information Commissioner and start preparing now – 25 May 2018 is fast approaching!
Thank you to Emmanuel Vranakis for providing this blog post.