The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), has described the GDPR as being “the biggest change to data protection law for a generation”. The EU adopted the GDPR in 2016; however, it does not apply in the United Kingdom until 25 May 2018.
Although the GDPR introduces new and enhanced requirements for businesses that process personal data, the principles for managing personal data that businesses must adhere to remain largely unchanged from the rules it replaces: the EU Data Protection Directive and the UK Data Protection Act 1998.
Who does the GDPR apply to?
The GDPR applies to all businesses that control or process ‘personal data’ relating to ‘data subjects’ in the EU. It therefore applies to Brown Shipley.
‘Personal data’ is defined as “information relating to a natural person or ‘data subject’ that can be used to directly or indirectly identify the person”. This can come in the form of a name, email address, bank details, medical information, photograph etc.
A ‘data subject’ is an individual who is the subject of personal data. For example, Brown Shipley processes personal data about all its clients, making each client a data subject.
Firms must now offer individuals real choice and control over how firms use their personal data. Where a firm relies on consent to process personal data, that consent must be obtained from the individual through a clear, affirmative statement that cannot be misinterpreted.
Changes that might affect you
The GDPR aims to provide you with more control over how your personal information can be used. The regulation will achieve this by strengthening the rights you have over your personal data:
1. Right to be informed - The right to be informed encompasses Brown Shipley’s obligation to provide ‘fair processing information’, typically through a privacy notice.
2. Right of Access - Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
3. Right to Rectification - The GDPR gives individuals the right to have personal data rectified if it is inaccurate or incomplete.
4. Right to Erasure - Also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
5. Right to Restriction of Processing - In certain circumstances, individuals are entitled to have the processing of their personal data restricted, so that the controller may store the data but may not otherwise process it.
6. Right to Data Portability - Allows individuals to obtain and reuse their personal data for their own purposes across different services.
7. Right to Object - Individuals have the right to object to:
Please do not hesitate to contact your usual Brown Shipley adviser at any time should you have any questions regarding these changes and how they may impact you.
Chief Risk Officer