September 5, 2017
The following FAQs will attempt to clarify some of the key issues surrounding GDPR.
This page is intended to be continually edited and updated as and when new questions are received. The date on which the page was last amended is included for ease of reference.
The European Union (EU) General Data Protection Regulation (GDPR) is a new regulation that replaces the 1995 Data Protection Directive. GDPR is the largest overhaul of data protection and privacy law in Europe. Because it is a regulation rather than a directive, it applies directly in every member state and imposes a more robust and harmonised data protection regime. The new framework seeks to remedy the diverging levels of protection afforded to personal data across the EU that arose from inconsistent national implementation of the directive.
The core principles of data privacy carry over from the previous directive, but many changes have been made to take account of the digital age. New provisions address the requirement for affirmative consent, increased sanctions for data protection breaches, the notification requirements when a breach occurs, and the right of access. Furthermore, the definition of ‘personal data’ has been widened so that more information is brought within the regulated perimeter of the GDPR regime.
GDPR sets out enhanced rights for data subjects and additional obligations for data controllers and processors. It gives significant powers to regulators to investigate and enforce compliance; non-compliance can result in substantial fines. The reforms also strengthen individuals’ existing data protection rights and give individuals more control over their personal data.
The regulation applies across all member states from 25 May 2018.
The aim of the regulation is to update and modernise the principles enshrined in the 1995 Data Protection Directive to protect individuals in the EU from privacy and data breaches in an increasingly data-driven world (e.g. the proliferation of the internet, new technology, mobile devices, the rise of social media and cloud computing). GDPR also seeks to harmonise data protection laws across the EU. The revisions to the existing directive are also designed to increase public trust and to ensure that people's personal information is protected no matter where it is sent, processed or stored, even outside the EU.
GDPR impacts all organisations that process the personal data of EU customers, clients or employees, wherever those organisations are based. The regulation therefore has an extraterritorial reach: it applies to non-EU data controllers and data processors whenever the personal data of an individual in the EU is processed in connection with goods or services offered to that person, or where the behaviour of individuals within the EU is monitored. It also affects systems and international data transfers, including intra-group transfers of personal data.
GDPR takes effect across all member states from 25 May 2018.
| Date | Milestone |
|---|---|
| Q3 2015 | GDPR negotiations took place |
| Q4 2015 | EU Parliament and Council finalise GDPR text |
| April 2016 | GDPR text adopted by the Council of the EU and the European Parliament |
| May 2016 | Regulation published in the Official Journal and entered into force |
| Q2 2017 | Pershing initiated its GDPR project |
| Q2 2017 | Information Commissioner’s Office (ICO) releases a statement that the UK should continue to prepare for GDPR despite Brexit |
| 7 August 2017 | UK Parliament announces that it will enact a Data Protection Bill |
| 25 May 2018 | GDPR applies across all member states |
Pershing’s GDPR programme, launched in Q2 2017, is part of the wider BNY Mellon programme. Its aim is to address Pershing’s GDPR obligations and their impact on clients, in preparation for 25 May 2018.
The general direction of the reform is now clear. Over the coming months, you should therefore consider GDPR in light of the following:
Review: Get to grips with the guidance issued by the ICO and the European Commission, and look out for any further guidance from financial regulators on data protection. Start by understanding your IT systems and security infrastructure, and update them where necessary. Assess your current data handling practices and review your lawful basis for processing personal information. For example, if you decide to rely on consent as the basis for processing, GDPR makes it clear that consent to collect, process and share personal data must be a clear affirmative act (and explicit for special categories of data). Pre-ticked boxes or inactivity do not constitute consent. Firms should therefore verify how their clients’ consent was obtained and be able to evidence it.
Plan: Establish an internal programme that reviews and assesses the privacy risks within the organisation, and get the right people involved. Commence high-level planning to help gauge key timings and “must do now” activities. Commence creation of staff training plans. Consider appointing a Data Protection Officer (under GDPR, certain organisations are required to have a DPO).
Take Action: Examine your current data collection and handling practices. Do you know what personal data you store, where it comes from, and why you store it?
Pershing will continue to implement measures to comply with the GDPR requirements irrespective of the implications of Brexit. The Information Commissioner’s Office has stated that:
“The UK will still be part of the EU by 25 May 2018, therefore, GDPR will have the force of law in the UK, until at least the date on which Brexit takes effect”.
The UK is planning to enact a new Data Protection Bill: https://www.gov.uk/government/news/government-to-strengthen-uk-data-protection-law.
Personal information is any information relating to a living, identifiable individual. It includes names, unique identifiers (e.g. an employee number or National Insurance number) and any other information that, on its own or in combination with other available information, could be used to identify an individual.
Special categories of personal data are identified in GDPR as requiring additional safeguards. They include information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership, as well as biometric data, genetic data and data concerning health.
Additional information on GDPR can be found on the following websites:
Information Commissioner’s Office: https://ico.org.uk/
Article 29 Working Party (European Commission): http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
Irish Data Protection Commissioner: https://www.dataprotection.ie/docs/Home/4.htm
Jersey Office of the Information Commissioner: https://jerseyoic.org/