EU Data Protection

The EU General Data Protection Regulation (GDPR) is new European Union (EU) legislation. The new regulations come into effect on 25th May 2018 and will replace all data protection legislation in EU member states (including the UK’s Data Protection Act 1998 (DPA) without the need for further national legislation.

The Information Commissioner’s Office (ICO) have confirmed BREXIT will not affect the UK implementation of the GD

What information does the GDPR apply to?

Personal Data

Like the DPA, the GDPR applies to ‘personal data’ which is any data that enables an individual to be identified, either directly or indirectly.

GDPR’s definition is more detailed and reflects the change

in the way organisations collect information about people since the existing DPA was introduced – for example an online identifier such as an IP address can be personal data.

Special Categories of Personal Data

This includes what was referred to as sensitive personal data under the DPA and includes data relating to mental or physical health, racial origin, or sexual orientation and genetic or biometric data used to identify an individual.

The data protection principles

The GDPR requires that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

A significant addition to the legislation is ‘Accountability and Governance’; that the data ‘controller shall be responsible for, and be able to demonstrate, compliance with the principles’.


Consent to processing under the GDPR requires some form of clear affirmative action, which must be freely given, specific, informed and an unambiguous indication of an individual’s wishes – silence, pre-ticked boxes or inactivity do not constitute consent.

The consent must be verifiable – some form of record must be kept of how and when consent was given. Individuals have a right to withdraw consent at any time.

It is possible to rely on alternative legal bases to consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests, or for the performance of a contract.


The GDPR contains new provisions intended to enhance the protection of children’s personal data, these include requirements in relation to Privacy Notices and online services.

Individuals’ Rights

The GDPR provides the following rights for individuals:

The right to be informed –

which encompasses the obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how personal data is used.

The right of access –

individuals will have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.

Changes in this area include amendments to the requirements in relation to Subject Access Requests (SARs).

The right to rectification –

individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the data has also been disclosed to a third party, they must be advised of the rectification where possible.

The right to erasure –

also known as ‘the right to be forgotten’, this is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

The right to restrict processing –

a right to ‘block’ processing of personal data.

The right to data portability –

this allows individuals to obtain, move or transfer their personal data easily from one IT environment to another in a safe and secure way, for their own purposes.

The right to object –

Individuals can object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

Rights in relation to automated decision making and profiling –

safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

Data Breaches

GDPR introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected; this includes a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, where it is likely to have a significant detrimental effect on the individual(s) concerned.

Consequences of non-compliance (fines & compensation)

GDPR provides the ability to levy significantly higher fines for breaches; for the most significant breaches, up to €20 million or 4% of an organisation’s annual global turnover for the previous financial year, if greater.

Individuals also have the right to take Civil Action against organisations that do not compliantly manage their data.

Your responsibilities under this act as a member of FRMAT:

  1. Check the information you hold about children / staff. Is it lawful? Who are we sharing it with? Is it securely stored? Who can access it? When should it be deleted?
  2. Do you hold any inaccurate personal information that has been shared with another organisation? If so you will need to tell the other organisation about the inaccuracy so it can correct its own records.
  3. Do you have unambiguous consent for the information you hold?
  4. Ensure you know who your Data Protection Officer is and ensure you report any potential breaches to them immediately.