Close

Updated Cookies Policy - you'll see this message only once.

Barclays uses cookies on this website. They help us to know a little bit about you and how you use our website, which improves the browsing experience and marketing - both for you and for others. They are stored locally on your computer or mobile device. To accept cookies continue browsing as normal. Or go to the cookie policy for more information and preferences. If you clear your browser history to disable or delete all cookies, your cookie preferences will automatically be reset to accept all cookies. Please go to the cookies policy to make any changes.

GDPR: What it is and why it matters

September 2017

Robert Ratcliff, Head of Content Marketing at Barclays Corporate explains the importance of GDPR, and how to start preparing for its May introduction.

Embarrassing photos are a part of almost everyone’s past. Those of us who had long since grown up before the advent of social media would doubtless be relieved to know that most of these photos only exist in a long-since forgotten box in an attic somewhere. New data protection rules will mean the next generation of embarrassed adults could see their digital footprint suffer a similar fate, as the EU General Data Protection Regulation (GDPR) is introduced.

The new rules will mean more than just the much-reported ‘right to be forgotten’ though – the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), has described GDPR and the associated reforms as being “the biggest change to data protection law for a generation.”1

GDPR will be introduced in full in the UK on 25 May 2018, despite Brexit. It should be noted that although GDPR introduces many new and enhanced requirements, the principles for managing data that sit at the heart of the new law are largely unchanged from the existing EU Data Protection Directive and the UK Data Protection Act 1998.

GDPR introduction

25 May 2018

The so-called ‘right to be forgotten’ provision is one element among a raft of significant changes – fundamentally designed to harmonise data protection laws across the EU, and to enhance the rights of consumers and citizens in the information age.

What is the ‘right to be forgotten’?

This is a qualified right that could apply to all organisations and should be considered for all personal data, though it is primarily aimed at information that is available online, especially information about a child or information that was published when the individual was still a child.

Who’s impacted?

Broadly, if your business is handling personal data then you’ll be subject to GDPR. The UK government has decided to adopt GDPR in full to ensure that the UK continues to provide high standards for data protection, and ultimately so personal data can continue to flow unhindered between the UK and the EU after Brexit.

GDPR applies to all companies within the EU that handle personal data but also to organisations outside of the EU that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU. This extraterritorial scope gives GDPR a long reach.

The penalties for non-compliance

The maximum fine that the ICO can impose for a data breach will increase from the current £0.5m to £17m or 4% of global turnover from the previous financial year, whichever is higher. However, the ICO has emphasised that under the current rules, they have never imposed a maximum £0.5m fine, and that in 2016/17, they imposed just 16 fines from a total of 17,300 cases.

Financial penalties for non-compliance of GDPR are likely to continue to be reserved for only the most serious breaches, but the increased potential fine highlights the importance of data protection.

Data Protection Officers

The ICO recommends that businesses appoint someone responsible for data protection compliance. Many businesses will have such a person in place already. However, public authorities, organisations that carry out ‘systematic monitoring’ of individuals or large-scale processing of higher risk personal data (such as information about a person’s health, religion or race) or criminal convictions will be required to have a named Data Protection Officer (DPO).

The DPO is not personally responsible for compliance breaches, however – that liability remains with the organisations themselves.

Key points of GDPR
Maximum fine of £17m or 4% of global turnover from the previous financial year.
Increased accountability for organisations, including being able to demonstrate compliance through appropriate technical and organisational measures, including the implementation of appropriate data protection policies.
New and enhanced individuals’ rights, providing people with more control over their personal data.
More prescriptive requirements for organisations to be transparent to individuals about data protection - businesses will need to provide individuals with more granular privacy notices in a concise way, using clear and plain language.
Organisations will be required to notify the ICO and impacted individuals of higher risk data breaches, such as those likely to result in a risk such as fraud.
Specific requirements and restrictions relating to personal data processed about children.
Subject access requests – where a person requests data held on them – must be processed within a month, instead of the 40 days that they must currently be processed within, and normally at no cost to the individual.

What is ‘personal data’?

A specific list of what is or is not ‘personal data’ is not provided within GDPR. Broadly though, current rules define personal data as any data that can lead to an individual being identified or data that ‘relates to’ or is obviously about an identifiable individual. GDPR will expand this to specifically include online identifiers, such as IP addresses, and location data.

Whether or not the data you are handling is ‘personal’ will vary between organisations; the ICO has recommended that organisations document their data processing activities, and that an ‘information audit’ may be required in order to prepare for GDPR.

GDPR flow chart graphic - View text version of this graphic below

Accountability

Accountability is the key watchword that GDPR introduces. Organisations are required to ensure they are compliant with the key principles of GDPR, but also that they are able to demonstrate their compliance, for example through their internal policies, procedures and controls.

Transparancy

Organisations must provide individuals with concise, transparent, intelligible and easily accessible privacy notices, using clear and plain language, including a requirement to signpost individuals’ rights.

Breach notifications

If your organisation suffers a personal data breach, you may be required to notify the ICO within 72 hours of becoming aware of it.

Not all data breaches will have to be reported, only those where individuals are likely to suffer an outcome such as fraud, harm, misuse of data or loss of privacy, but it would be prudent to establish an internal process in your business for managing data breaches, and assessing whether these would then also need to be reported to the ICO. You may also need to report breaches to any individuals that are likely to be adversely impacted, such as your customers or employees.

Opportunity?

GDPR is an important piece of legislation, and you should be thinking about its impact well ahead of the May 2018 implementation. While it may be a cause of concern for many businesses, it could also represent an opportunity as those businesses that are most able to demonstrate they are guarding their customer’s data, above and beyond the regulatory requirements, will have the opportunity to win new customers through a demonstration of mutual trust and respect.

The purpose of this article is not to provide legal advice but instead to give a brief overview of the new rules and direct you to other sources of information. If you have questions you may need to obtain legal advice.

Further resources:

  

GDPR flow chart graphic details:

Are you answering yes to any of the following questions? If so, the data is likely to be ‘personal data’ for the purposes of the DPA.

1. Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller?

2. Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?

3. Is the data ‘obviously about’ a particular individual?

4. Is the data ‘linked to’ an individual so that it provides particular information about that individual?

5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?

6. Does the data have any biographical significance in relation to the individual?

7. Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?

8. Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?

If you answered no to all of the above questions, the data is not likely to be personal data for the purposes of the DPA.