What will be new
Under GDPR, there is a new accountability principle, which means we must be able to demonstrate compliance with the principles.
In practice this means all uses of personal data need to be recorded in asset registers. These registers should include:
- the purpose
- the legal basis for processing
- the retention period
Personal Data
The definition now expressly includes online identifiers and location data. Here is the full definition:
‘any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
Codes of Conduct
No new Codes have been published for the GDPR yet.
Consent
Under GDPR, consent means:
‘…any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed.’
Sensitive Personal Data
Under GDPR, sensitive personal data is now called special category personal data, and the category has been expanded to also include:
- biometric personal data
Breach notification
There is a new obligation to report breaches of personal data security to the ICO within 72 hours.
There is also an obligation to encrypt high risk personal data and to use pseudonymisation techniques to minimise exposure. All staff who handle personal data must take the data protection and information security training.
Fair Processing Notices (FPNs)
Data protection by design and default
Data protection by design and default is a new approach to privacy that requires data protection to be considered at an early stage of development rather than added afterwards.
Privacy Impact Assessment (PIA)
Under GDPR, PIAs are mandatory for high risk processing on a large scale or for new projects.
Subject access
The time for response has been reduced to 30 days.
Data portability
Under GDPR, data portability gives individuals the right to ask for their personal data to be provided to them in a commonly used and machine-readable format so that they can reuse it in other products and services.
It only applies to personal data that has been provided by the individual under contract or under consent.
This is different to the right of subject access.
Rectification
Individuals are entitled to have inaccurate or incomplete personal data rectified, and this must be done within a month.
Right to erasure (right to be forgotten, RTBF)
Under GDPR, RTBF is a much broader right that allows individuals to request the deletion or removal of personal data in certain circumstances, without any threshold of damage or distress having to be met.
Other individual rights
- right to be informed
- automated decision making, including profiling
- restricting processing
Data Protection Officer (DPO)
Under GDPR, a DPO is mandatory for UCL as a public authority and is given a much wider role, including:
- to inform and advise UCL and its staff of their data protection obligations
- to monitor compliance with the GDPR
- to provide advice on PIAs
- to cooperate with the ICO
Contracts with processors and contractors
Under GDPR, agreements containing data protection clauses will need to be updated.