What do I need to do?
All colleagues should familiarise themselves with the GDPR summary and GDPR principles, and raise awareness of the changes in your team. Please also remember to keep up-to-date by regularly reading Weekly Bulletin and Team Brief, which will contain more details over the coming months.
Summary of the main changes to the law
- Consent - Where we rely on consent as the legal basis for processing, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. It must be opt-in, so using personal data simply because the individual has not opted out does not constitute consent, and pre-ticked boxes or silence do not count. Individuals also have the right to withdraw consent at any time, and withdrawing must be as easy as giving it.
- Right to be informed - Individuals have the right to be informed about the personal data we hold, the purpose of the processing and the legal basis for it, together with who it is shared with and how long it is kept. This is usually done via Privacy Notices. Individuals also have the right of access, i.e. to request a copy of their personal data, known as a subject access request (SAR), which must normally be answered within one month and free of charge.
- Right to rectification - Individuals have the right to have inaccurate personal data corrected and incomplete personal data completed.
- Right to be forgotten - Individuals have the right of erasure (to be forgotten), meaning they can ask us to delete their personal data in certain circumstances, for example where it is no longer needed for the purpose it was collected for or where they withdraw consent and no other legal basis applies.
- Right to data portability - Individuals can request the personal data they have provided to us in a structured, commonly used and machine-readable format, in order to move it to another data controller.
- Right to object - Individuals have the right to object, including the right to object to personal data being used for profiling, direct marketing and processing for research
- International transfers – there are new rules for transfers of personal data outside the European Economic Area (EEA)
- Breach notification - The Information Commissioner's Office must be notified within 72 hours of us becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. Because of the 72-hour clock, any suspected breach must be reported internally immediately rather than investigated first.
- Fines - The maximum fine for infringing the regulation has increased to €20 million (approximately £17 million) or 4% of total annual worldwide turnover, whichever is the higher.