What do I need to do?

All colleagues should familiarise themselves with the GDPR summary and GDPR principles, and raise awareness of the changes in your team. Please also remember to keep up-to-date by regularly reading the Weekly Bulletin and Team Brief, which will contain more details over the coming months.

The Information Commissioner’s Office also offers a range of useful information and training videos on GDPR.

Summary of the main changes to the law

  • Consent - We must gain consent from the data subject, which must be freely given, specific, informed and unambiguous. It must be opt-in (so using personal data because the individual has not opted-out does not constitute consent.) Individuals also have the right to withdraw consent at any time.
  • Right to be informed - Individuals have the right to be informed about the data we hold, and the purpose and the legal basis for processing it – usually via Privacy Notices. Individuals also have the right to request access to their personal data – known as subject access requests (SARs).
  • Right to rectification - Individuals have the right to have inaccurate personal data rectified (corrected)
  • Right to be forgotten - Individuals have the right to erasure (to be forgotten)
  • Right to data portability – Individuals can request their data in a portable format, in order to move it to another data controller
  • Right to object - Individuals have the right to object, including the right to object to personal data being used for profiling, direct marketing and processing for research
  • International transfers – there are new rules for transfers of personal data outside the European Economic Area (EEA)
  • Breach notification – the Information Commissioner’s Office must be notified within 72 hours of a data protection breach
  • Fines – the maximum fine for a data breach has increased to £17 million ($20 million) or 4% of annual turnover