GDPR, or the General Data Protection Regulation, is the EU's effort to update and upgrade data protection law across the whole of the EU, bringing it in line with how data is actually used across the digital world by large firms such as Facebook and Google. Given that the UK currently remains part of the EU, we will automatically be bound by the GDPR, which will replace the Data Protection Act 1998 (the DPA 1998), the Act brought into effect in the UK to implement the 1995 EU Data Protection Directive. The GDPR is due to come into effect from 25 May 2018.
The new regulation essentially aims to give individuals more control over how companies use their data. Some of the key changes we are going to see include larger penalties for non-compliance, and increased responsibility and liability placed on data controllers and data processors.
Both data controllers and data processors will need to comply with the GDPR. A controller is essentially the party who determines the purposes for which, and the manner in which, personal data is collected and processed; the data processor is the party that processes the data on behalf of the data controller.
It is the data controller who has the obligation to ensure that their data processor complies with the GDPR. However, the data processor must also ensure that it complies itself and must maintain records of its processing activities: if a processor is involved in a breach, it will be far more accountable under the GDPR than it was under the DPA 1998.
Due to the nature of the work, it is highly likely that services provided by contractors will involve the processing of personal data. This means that you will need to consider the GDPR going forward, ensuring that data is processed in a GDPR-compliant way, that its security and confidentiality are maintained, and that any unlawful processing is avoided.
Under the GDPR:
“Personal data” includes “any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
“Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
The GDPR states that as a processor you must provide your client with "sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject".
Therefore, in order to become properly prepared for the implementation of the GDPR in practice, you should consider the following:
In addition to considering the above we advise that you review the relevant guidance issued by the ICO, and seek legal advice relating to compliance procedures and documentation. Not only will you need to ensure that your internal procedures are GDPR compliant, but a legal specialist would also be able to review and advise in relation to your data protection rights and obligations contained in any written agreements you may have with clients.