Published 16 March 2018
The time to act to make sure you are ready for the General Data Protection Regulation (the 'GDPR') (Regulation (EU) 2016/679) is now. The GDPR provides data subjects with genuine, on-going control over their personal data and requires organisations to be transparent and engage positively with data subjects about the personal data they hold. As a Regulation, it will have direct effect in the UK. It will also be supplemented by the UK Data Protection Act which is still passing through Parliament – but will be in place by 25 May 2018.
Personal Data: the starting point when considering the impact of the GDPR is to determine whether the GDPR applies to the data held. The GDPR only applies to data relating to an identified or identifiable living person, either directly or indirectly, and does not apply to corporate entities.
Organisations should then consider whether:
Special categories of personal data: the processing of special categories of personal data is prohibited unless the data controller can show that explicit consent has been obtained or one of the other nine exceptions applies. Organisations should consider whether they require these categories of personal data, as it may be possible to elicit the information required without encroaching into these categories. It will be necessary to take a long hard look at the data that is currently held and to determine whether it is really necessary at all and, if it is, whether it can be anonymised. Much data is just as useful in anonymised form as it would be otherwise.
Consent: if it is necessary to process personal data, one way to ensure that this is legal will be to obtain the consent of the data subject. It may be preferable to rely on a legal basis other than consent, as consent can be withdrawn, preventing further processing.
Consent must be clear and unambiguous with data subjects being provided with the requisite information to make an informed decision whether to provide consent to their personal data being processed.
The implementation of the GDPR will not necessarily mean that organisations have to seek fresh consent from data subjects, if they are satisfied that the current consent they have obtained complies with the GDPR requirements and is clearly documented. However, in practice, until now, few organisations are likely to have obtained consent which meets the GDPR standards.
Data Subject Rights: the GDPR gives a data subject a number of rights including rights to request that an organisation:
The presumption under the GDPR is that data subjects will be afforded these rights, unless there is an exemption under the GDPR or Data Protection Act 2018 permitting the organisation to refuse the request.
Fraud prevention: the GDPR does not expressly address the use of data for fraud prevention; such use would need to be considered like any other processing purpose. This can present particular challenges where special categories of data are processed, as there is a limited number of legal grounds which can be relied upon. The Data Protection Bill, currently moving from the House of Lords to the House of Commons, provides additional legal grounds for processing which may be relevant to fraud prevention, including (i) preventing fraud (only applicable where such processing is carried out as a member of an anti-fraud organisation); (ii) insurance purposes; and (iii) preventing or detecting unlawful actions (Schedule 1, Part 2 of the Bill). It is anticipated that these grounds will, in certain circumstances, allow organisations to process personal data in order to prevent fraud.
It is important that the information to be processed is restricted to that which is necessary for fraud prevention purposes. The organisation will also need to set out in a policy document why it is processing this personal data so that it can justify its position, if challenged. It is advisable to alert users in a privacy notice that the organisation intends to share personal data with third parties to prevent and detect fraud. Organisations will need to think hard about what data should be processed for fraud detection purposes.
Preparation: while it is important to comply with the requirements of the GDPR, it is equally important that an organisation can demonstrate to the ICO, if required to do so, the processes it has in place for handling data. This can be achieved by ensuring that organisations have clear and easily understandable policies and privacy notices. Organisations should review their:
The Data Protection Act 2018 and subsequent guidance from the ICO should help to clarify the full impact of the GDPR but organisations cannot delay preparations until the Act is implemented.
Organisations will not be permitted to charge for initial access requests.