To change the appearance of the page, edit the styles of the corresponding elements (in most cases by using the "Main Frame" Style Zone).  
 
To change the menu’s links: edit, copy-paste, or delete the Link Elements within. 
 
To hide an element without deleting it, use its property Visible.
GDPR
General Data Protection Regulation
On the 26th April 2016 the EU ratified Regulation (EU) 2016/679 the General Data Privacy Regulation which repeals Directive 95/46/EC so called the Data Privacy Directive. Unlike the directive, which requires member states to enshrine the directive in local law after a certain time, this is a regulation and so applies directly on member states and is enforceable through the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

However, there is a period by which member states must comply and that is set as 25th May 2018 (article 51). Does this mean that, given BREXIT the UK does not need to comply? Well this is covered by Article 3, Territorial scope which states that this regulation applies to organizations processing data of EU “data subjects” who are not established in the EU. This is regardless of whether the services are paid for or not and goes as far as including the monitoring of their behaviour in the EU. To labour the point Article 27 requires organizations that are not in the EU to designate in writing a representative in the EU who could be prosecuted in the event of non-compliance by that organization (provision 80). And there are duties applicable to the Representative such as maintaining a record of processing activities under its responsibility.

So why change the data protection directive? The provisions in the regulation give a hint as to why the EU started an in-depth review of the data privacy laws. Notwithstanding the fundamental right of people to have their data protected (Article 8(1) of the Charter of Fundamental Rights) it would appear that there are three main reasons.  
  • Harmonization of legislation across member states: First of all the data privacy directive (95/46/EC) needed to be enshrined in local member state laws and the EU recognised the some were better than others. The regulation now guarantees an even level protection under EU law.
  • Rapid technological developments and globalisation: Things have moved on since 1995 when the data privacy directive was written and personal data is being collected in vast amounts quite often without the individual’s consent. The regulation is intended to catch up and look ahead into the future. 
  • Enhancement of data flow across borders: This one seems to be counter-intuitive as it would appear that it encourages data sharing. However, the EU has recognised that this is going to happen, come what may, and so the GDPR has been written with this assertion and has sought to provide protection. There is a hidden benefit in that freedom of data sharing can only help the EU economy. 
There are some key differences between the directive and the regulation which will have an impact on organizations. 

Lawfulness of processing: This is explicit in the regulation as the directive relied on local laws to determine the laws. That said, there is freedom for the member states to augment what is meant by lawful processing.

Consent: Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.  

Children’s consent: The regulation makes provision for consent being required from a parent or legal guardian. The age set is 16 years but provision is made for member states to lower it to 13 (Chapter II, Article 8). 

Applicability of Data Processors: GDPR places specific legal obligations on data processors; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. This does not relieve the data controller of responsibility. Indeed, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. 

Extended reach: The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. As described above, the idea of a Representative in a member state is introduced.

Exceptions: Not surprisingly, GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive or processing for national security purposes. It also does not apply to processing carried out by individuals purely for personal/household activities or businesses in respect of HR functions.
 
Manual filing: The GDPR applies also to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.

Data protection by design and by default: Whereas the directive did refer to anonymization the GDPR specifically refers to in article 25 as an option for protecting personal data. It goes on to require that data protection should be designed into the systems and that the data shall be protected by default. It even introduces the idea of certification (Article 42) to prove that this requirement has been implemented (see below). 

Data Protection Officers: The GDPR introduces the role of a Data Protection Officer which is mandatory where data is held by public authorities or where the core activities require regular monitoring data subjects on a large scale. It conveniently does not define what constitutes a “large scale”. There is a whole section on the DPO (Chapter 4, section 4, Articles 37-39). 

Right to be forgotten: In addition to the existing requirements on deletion of personal data, 
the GDPR introduces the righ to be forgotten (Chapter III, Section 3, Article 17). The regulation goes on to deal with the situation where the data has been made public. Of course there are exceptions including "for exercising the right of freedom of expression and information".

Data protection Impact Assessment: Where the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the the GDPR mandates a Data Impact Assessment. This is quite a significant document and should include the risks to the rights and freedoms of data subjects.

Transparency of data collection: There is a requirement for clear communication to the data subjects that their data is being collected and processed; it even designates that where a child is involved that it must be understandable to that child. It must indicate the purpose for which the data is collected and processed and identify the controller (or representative in the EU) and the data protection officer (where there is one; see above). What makes this really onerous is that this must be done where personal data have not been obtained from the data subject.

Notification of data breaches: Data controllers must notify most data breaches to the DPA. This must be done without undue delay and, where feasible, within 72 hours of awareness. A reasoned justification must be provided if this timeframe is not met. In some cases, the data controller must also notify the affected data subjects without undue delay. That said, there are provisions for NOT communicating to the data subject in certain circumstances (Article 34).

Fines: The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR20 million (eg breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent). Other specified infringements would attract a fine of up to the higher of 2% of annual worldwide turnover and EUR10m. 

The GDPR It is a hefty document comprising 11 Chapters, 99 Articles and 88 pages. It was compiled by a group called the Article 29 Working Party so called after Article 29 of the EU Data Privacy Directive 95/46/EC. Since the GDPR repeals the directive the role of the working party will be handed to an independent European Data Protection Board (EDPB) which will comprise the EDP Supervisor and the senior representatives of the national DPAs. Its obligations include issuing opinions and guidance, ensuring consistent application of the GDPR and reporting to the Commission. 

This page will be updated as we go into the GDPR in more depth so please visit it again or contact us. 

*** New ***   Download a free copy of CS-001 GDPR Implementation standard V1.0.
                           Question and Answer page.


Contact us                                                                                                     Date updated 29/07/17
To "activate" displaying of an arrow, use its property "Visible"