General Data Protection Regulation (GDPR)
1 General Data Protection Regulation (GDPR)
Coming into effect: 25th May, 2018
Affected parties: binding and directly applicable in its entirety in all Member States of the European Union (the UK government has confirmed that GDPR will still apply in the UK following Brexit)

2 What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union legal instrument ensuring the protection of individuals with regard to the processing of personal data and the free movement of such data.

The EU GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organisations across the region approach data privacy. The main aim of the GDPR is to give EU citizens control over the use of their personal data. Other jurisdictions are following suit with similar data protection laws.

The GDPR aims to protect the rights of all EU citizens; as such, it affects not only organisations within the EU, but also those that do business with citizens of the EU. The GDPR requires that those who engage in the processing of personal data comply with its provisions, and it confers important rights on individuals whose personal data are being processed. Both natural persons and legal persons, including companies and governments, that are involved in the processing are required to act in accordance with the regulation.

GDPR isn’t a ‘Pass/Fail’ compliance regulation – it applies a risk-based approach.

3 Key Definitions of GDPR
Term: Meaning

Controller: Person (or legal person/entity) determining the purpose and means of processing personal data.
Data Breach: Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Data Subject: A living, identified or identifiable natural person. A natural person can be seen as an identified individual within a certain group of people if he or she is distinguished from all the other members of that group, directly or indirectly.
DPA: Data Protection Authority or Supervisory Authority.
EU-US Privacy Shield: A standard making transfer of data to the US lawful.
GDPR: General Data Protection Regulation (the law).
Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, etc.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring and storage.
Processor: Person (or legal person/entity) that processes data on behalf of a controller.
Sensitive Personal Data: Data that reveals race or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health and sex life. In most states, criminal proceedings or convictions are treated as sensitive in addition.
Third Country: A jurisdiction of the EEA.

4 Key Changes Brought in by GDPR
- Same basic principles as current Data Protection law, but strengthened
- One of the biggest changes is the requirement to obtain consent from Data Subjects
- Direct accountability of data controllers/data processors
- New rights for individuals (data subjects), and strengthening of existing rights
- Breach reporting and record keeping (72 hours to notify breaches to regulators)
- Expanded territorial scope: organisations in countries outside of the EU will come into scope if processing the data of EU citizens
- Data Protection Impact Assessments
- Higher penalties for non-compliance:
  - the greater of 4% of global turnover or €20m for top tier infringements
  - the greater of 2% of global turnover or €10m for lower tier infringements
  - these penalties are in addition to damages awarded to Data Subjects, breach remediation costs, legal costs, other penalties (e.g. PCI DSS) and reputational damage
- GDPR is designed to protect individuals from modern issues, including identity theft, nuisance calls and spam/phishing emails
- GDPR requires all data controllers/processors to implement “Privacy by Design and Default” throughout the lifecycle of any data processing system

5 Principles of GDPR
Six data protection principles form the basis of the processing of personal data and are of crucial importance for achieving compliance with GDPR:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Data security (integrity and confidentiality)

6 Principle 1: Lawfulness, Fairness and Transparency
This is the requirement to process data fairly and lawfully, and it is extensive in scope. It includes an obligation to tell Data Subjects what their data will be used for. For example, the main purpose may be to carry out a contract with the Data Subject, but contract details may then be used or passed on for marketing purposes. This will not be allowed under the GDPR unless the Data Subject has given specific consent and the exact nature of the further processing is disclosed and agreed to.

Transparency implies that any information and communication concerning the processing of personal data must be easily accessible and easy to understand. Clear and plain language needs to be used in this regard. More specifically, this principle ensures that data subjects receive information on the identity of controllers and the purposes of the processing of personal data.

7 Principle 1: Lawfulness, fairness and transparency cont…
There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

8 Principle 1: Lawfulness, fairness and transparency cont…
Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.

You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason. Your privacy notice should include your lawful basis for processing as well as the purposes of the processing. If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).

If you are processing special category data (sensitive personal data) you need to identify both a lawful basis for general processing and an additional condition for processing this type of data. For example, if you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

The processing of personal data of a child can be lawful if the child is at least 16 years old. If a child is younger than 16 years, the processing can be considered lawful only when consent is given and authorised by the parent or legal guardian of the child. These requirements do not affect the general contract law of EU Member States, such as the rules on the validity, formation or effect of a contract in relation to children. EU Member States are allowed to introduce laws that set a lower age threshold for these purposes; the age of a child, however, cannot be lower than 13 years.

9 Principle 2: Purpose limitation
This refers to using information only for the specified, explicit and legitimate purposes for which the data was collected and not for any other purpose. Some archiving and statistical purposes are still allowed but, put simply, data collected for one purpose may not be used for another. Marketing is the most obvious example, where marketing was not the original purpose to which the individual consented.

Note that data collected and processed in line with a contract may be kept on record, but purely to enable the organisation holding the data to defend itself against potential future litigation. One should bear in mind, however, that further processing for the purposes of the public interest, scientific or historical research or statistical purposes is not considered incompatible with the initial purposes and is therefore allowed.

10 Principle 3: Data minimisation
This means that only the personal data actually needed to achieve the intended purpose may be collected. Personal data should be adequate, relevant and limited to what is necessary. Where appropriate, such data should also be kept up to date, and every reasonable step should be taken to erase or correct inaccurate data.

Organisations cannot collect data on a ‘just in case it becomes useful’ basis. This means that businesses should think carefully about what they might want the personal data for and ensure they obtain informed consent from individuals for anything they might subsequently wish to do with the data collected.

11 Principle 4: Accuracy
Controllers are required to ensure that personal data are accurate and, where necessary, kept up to date. Personal data that are inaccurate – considering the purposes for their processing – must be deleted or rectified without delay. Data controllers are responsible for taking reasonable steps to ensure that personal data is accurate. This means that where outsourced processing takes place, a controller must also be able to correct inaccuracies in data held by the processor on their behalf.

12 Principle 5: Storage limitation
Personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing. Storing these data for longer periods is allowed when the processing aims at achieving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Legal requirements for retention can make data retention necessary, such as record keeping requirements imposed by a regulator. Note that where an organisation may need to produce evidence for a legal defence in the future, this may also be a legitimate reason to retain data that is no longer needed for processing.

13 Principle 6: Data security
Data security needs to be achieved with integrity and confidentiality. This should include protection against unauthorised or unlawful processing, destruction and damage. Appropriate technical or organisational measures are to be taken in order to comply with this requirement; such data security measures can include the use of encryption and of authentication and authorisation mechanisms.

Controllers are responsible for the security of the data they collect. This includes the security of the data when it is being processed by a third party as well as by the Controller itself. Security covers both external and internal threats: for example, external hackers and badly trained internal staff can each pose a risk to data security. Security of both electronic and physical records is required.

14 Accountability
In addition to the six principles at the heart of GDPR, the regulation also introduces the principle of accountability, without which they cannot be brought to life. According to this principle, the Data Controller is responsible for compliance with the data protection principles and must be able to demonstrate the steps taken to ensure compliance. This would include checking contract terms and privacy policies of any processors used.

15 Role of DPO
The GDPR introduces a duty for you to appoint a Data Protection Officer (DPO) if you are a public authority, or if you carry out certain types of processing activities such as large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), or if your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO can be an existing employee or externally appointed. In some cases several organisations can appoint a single DPO between them. DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.

16 Supervisory Authorities
A Supervisory Authority is a public authority in an EU country responsible for monitoring compliance with GDPR. An EU country within the European Union is also referred to as a member state. A Supervisory Authority is typically a Privacy Commission or equivalent in a member state; it may have a different name in each country. EU legislators have established national supervisory authorities (and the Lead Supervisory Authority in the case of cross-border data transfers) and the European Data Protection Board as enforcement mechanisms to ensure data protection and legal compliance.

The key role of the Supervisory Authority is to advise companies about GDPR, conduct audits on compliance with GDPR, address complaints from data subjects, and issue fines when companies are deliberately not complying with GDPR.

The Information Commissioner’s Office (ICO) is the UK’s Data Protection Authority or Supervisory Authority. The ICO, as the SA, is the place to go to in the UK in case of a violation of data protection legislation (in the scope of the GDPR for EU citizens) and for advice, specific questions and/or assistance from the perspective of organisations. There is an obligation for Data Controllers to report any data security breaches to the ICO without undue delay and within 72 hours. You must also notify Data Subjects of the breach to enable them to protect themselves.

17 Rights of Data Subjects
Data Subjects have various rights under the GDPR, more than previously under the Data Protection Act.

- The Right to be Informed (the Right to Information) - Data controllers must provide certain minimum information to data subjects regarding the collection and further processing of their personal data. The GDPR adds that such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Data subjects have a right to be informed about the purposes of processing, the categories of data being processed, the categories of recipients with whom data may be shared, the period of time the data will be stored and the criteria for determining this.
- The Right of Subject Access - To obtain from the data controller a copy of their personal data, together with an explanation of the categories of data being processed, the purposes of such processing, and the categories of third parties to whom the data may be disclosed. The GDPR expands upon this right, requiring data controllers to respond to subject access requests (SARs) with additional information, including details of the period for which the data will be stored (or the criteria used to determine that period) and information about other rights of data subjects.
- The Right to Rectification - Data subjects have the right to require the data controller to correct errors in personal data processed by (or on behalf of) that controller.
- The Right to Erasure (the ‘right to be forgotten’) - Article 17 allows data subjects to require data controllers to delete their personal data where those data are no longer needed for their original purpose, or where the processing is based on consent and the data subject withdraws that consent (and no other lawful basis for the processing exists).
- The Right to Data Portability - Another new feature of the GDPR is the right to data portability. This permits the data subject to receive from the data controller a copy of his or her personal data in a commonly used machine-readable format, and to transfer their personal data from one data controller to another or have the data transmitted directly between data controllers. For example, it would allow users of online services to transfer their profile data from one service provider to another.

18 Rights of Data Subjects cont…
- The Right to Object - Data subjects continue to have a right to object to processing of their personal data on certain grounds, in addition to the right to object to processing carried out for the purposes of profiling or direct marketing. The GDPR allows the data subject to raise objections and then requires the data controller to demonstrate that it either has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights. If the data controller cannot demonstrate that the relevant processing activity falls within one of these two grounds, it must cease that processing activity.
- The Right to Withdraw Consent - The Data Subject must be able to withdraw consent easily and by the same mechanism as consent was granted. This is not a retrospective right, so consent cannot be withdrawn for processing that has already occurred. Firms should consider the mechanism for this to happen and put a process in place. This process should be communicated to Data Subjects.
- The Right to Restriction of Processing - GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data. This is not an absolute right and only applies in certain circumstances.
- Rights Related to Automated Decision Making Including Profiling - The GDPR has provisions on automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

Controllers must exercise the Rights of Data Subjects free of charge, with some exceptions. Controllers are permitted to charge a reasonable fee for the provision of information where the request is repetitive, manifestly unfounded or excessive, or for further copies.

19 How does GDPR affect Linbrooke?
- GDPR is the law, not optional
- Non-compliance and serious infringements could cost the organisation hefty fines
- These penalties are in addition to damages awarded to Data Subjects, breach remediation costs, legal costs and other penalties (e.g. PCI DSS)
- Reputational damage from any infringements
- Our clients are already demanding our compliance and commitment to GDPR
- GDPR will provide improved information security across the organisation
- GDPR compliance is a prerequisite for the information security standards and certifications, such as ISO27001:2013 and Cyber Security Essentials, that we are working towards to secure future business
- Compliance, with correct processes/controls in place, will protect the business and improve sustainability

20 Achieving/Demonstrating Compliance
Implement appropriate technical and organisational measures that ensure and demonstrate that we comply. This may include internal data protection measures such as:
- staff training
- internal audits of processing activities
- reviews of internal HR policies
- maintaining relevant documentation on processing activities
- using technical controls such as encryption and pseudonymisation where appropriate
- appointing a data protection officer
- implementing measures that meet the principles of data protection by design and data protection by default
- using data protection impact assessments where appropriate
- adhering to approved codes of conduct and/or certification schemes
- the ability to demonstrate to Supervisory Authorities that the organisation has implemented the necessary processes/controls to action any Rights of Data Subjects

21 Reference/Further Reading
Further information can be obtained on GDPR from the National Supervisory Authority (ICO) by following the URL below.
Guide to the General Data Protection Regulation (GDPR)
Please refer to the following links for additional reference/resources and information on GDPR:
Protection-Impact-Assessments.aspx

22 Please click below to enter your details and confirm.
I confirm that I have fully read the Linbrooke GDPR Awareness Program and understand my responsibilities as a Data Processor when processing personal data on behalf of Linbrooke Services (Data Controller) in order to comply with the GDPR.
Thank you for your cooperation!
