The General Data Protection Regulation (GDPR).

Important changes and how to be compliant.

There is a great deal of debate, and a certain amount of anxiety, among businesses surrounding GDPR. As qualified accountants we are regularly asked by our customers to help them deal with the implications of GDPR and provide advice. At Llewellyns we are here to support our customers through changes such as this.

The most important thing to understand is that if you’re operating with full compliance of the current data protection legislation, then you are unlikely to need to change your existing basis for processing. The GDPR has largely been designed to plug a lot of gaps in DPA that weren’t originally foreseen, particularly with the growth in personal data and the internet. The scope has been widened as to what is considered personal data, so while this may mean some businesses are now included that previously weren’t, the general approach required to comply is largely the same.

In this page we have listed some of the key differences as well as provided some of the expanded definitions under the new rules. However, this isn’t a fully comprehensive guide. The current resource which we feel best documents the GDPR, is the ICO’s guidance available here…

What is now considered 'personal data' ?

Much like the DPA, the GDPR applies to personal data but here the definition has been widened. The official definition of ‘personal data’ within the GDPR is thus….

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Notably, this definition includes things such as ‘online identifiers’… something not considered in 1995 when the DPA was created. This may have an impact on your business as, for example, collection of IP addresses would be considered collection of personal data under this definition. Another example would be collection of GPS data, something commonly done by mobile apps. Many organisations also use tracking facilities on their vehicles and you may have to consider how this information is kept, stored and whether it needs to be deleted when an employee leaves.

The definition is very wide, much wider than before, and a fully comprehensive list of ‘personal data’ would take up many pages to list in total. In fact, there is no conclusive list. The key consideration to make is ‘can any piece of data be related directly to an individual at any time?’. If it can, then it’s almost certainly included.

Data Breach Policy

One of the more significant differences between the DPA and the new GDPR law is the requirement for data breaches to be reported. Under the old DPA legislation there was no mandate to force organisations to reveal information regarding data breaches. This is no longer the case. Under GDPR, data breaches of personal information must be reported to the supervisory authority with 72 hours of becoming aware of the breach. If the breach is likely to risk individuals rights and freedoms, they must also be informed without delay.

Changes to Consent

Under the old DPA rules, data collection didn’t necessarily require an ‘opt-in’. This has changed significantly under GDPR. For example, pre-ticked consent boxes on websites would not be legal. Under GDPR clear privacy notices must be provided to consumers, allowing them to make an informed decision on whether they consent to allow their data to be stored and used. This consent can then be withdrawn at any time. There is also a category of Sensitive Personal Data, for which consent is an absolute requirement.

Accountability and Penalties

GDPR will place a much greater focus on explicit accountability for data protection, placing a direct responsibility on companies to prove they comply with the principles of the regulation, rather than the hands-off approach of the Data Protection Act. Currently, non-compliance with the Data Protection Act can see companies fined up to £500,000, or one per cent of annual turnover. Under GDPR, these limits will rise significantly to €20 million, or four per cent of annual turnover, whichever is higher. It’s also worth remembering that GDPR will allow individuals to claim compensation for material and non-material damage resulting from data security lapses, whereas the current rules only cover material damage.

Important Rights under GDPR

There are some key differences to the new rights individuals have under GDPR compared to the data protection act. Here are some of the key differences, although this isn’t a fully comprehensive list. Notably, many DPA rules such as the right to access personal data and rectify errors are very much still in place, but we won’t cover them all in full.

  • The Right To Be Informed

    Individuals have the right to be informed about the collection and processing of their personal data. You must provide information including the purposes for collecting the data, how it will be processed and how long you will keep it for. This information, called the ‘privacy information’ must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

  • The Right To Be Erased

    Under the new rules, individuals have the right to have their data erased upon request. A request can come in writing, or it can be made verbally. Once a request is received, the business has 1 month to respond to the request. There are very specific circumstances where the request can be refused (for example, if the data is necessary to comply with a legal obligation), but generally the right must be upheld.

  • The Right of Access and Right of Rectification

    Similar to DPA, individuals still have the right to access the personal data you have kept. They also retain the right to rectify any errors in the data that is held about them.

  • Rights related to automated decision making.

    As technology has improved, organisations are now using fully automated individual decision making software that runs without human involvement. This type of processing is becoming more common and under GDPR rules can only be performed under certain rules. This would be one of the circumstances where explicit written consent is required.


When does the right to be erased apply?

Individuals have the right to have their personal data erased if:

  • the personal data is no longer necessary for the purpose which you originally collected or processed it for;
  • you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  • you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • you are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
  • you have to do it to comply with a legal obligation; or
  • you have processed the personal data to offer information society services to a child.
What 'privacy information' do I need to provide.
  • The name and contact details of our organisation.
  • The name and contact details of our representative (if applicable).
  • The contact details of our data protection officer (if applicable).
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The legitimate interests for the processing (if applicable).
  • The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of the personal data to any third countries or international organisations (if applicable).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (if applicable).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (if the personal data is not obtained from the individual it relates to).
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
  • The details of the existence of automated decision-making, including profiling (if applicable).
What is Sensitive Personal Data ?

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is considered Special Personal Data and cannot be processed unless..

  • The data subject has given explicit consent to the processing of those personal data for one or more specified purposes
  • Processing is necessary in the field of employment and social security and social protection law.
  • Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  • Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.
  • Processing relates to personal data which are manifestly made public by the data subject.
  • Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  • Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued.
  • Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
What Do I Need To Document For Compliance ?

You must document the following information:

  • The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with the GDPR and the UK’s Data Protection Bill. Such documentation may include:

  • information required for privacy notices, such as:
    • the lawful basis for the processing
    • the legitimate interests for the processing
    • individuals’ rights
    • the existence of automated decision-making, including profiling
    • the source of the personal data;
  • records of consent;
  • controller-processor contracts;
  • the location of personal data;
  • Data Protection Impact Assessment reports;
  • records of personal data breaches;
  • information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering:
    • the condition for processing in the Data Protection Bill
    • the lawful basis for the processing in the GDPR
    • your retention and erasure policy document.