General FAQs About GDPR

September 5, 2017

The following FAQs will attempt to clarify some of the key issues surrounding GDPR.

This page is intended to be continually edited and updated as and when new questions are received. The date on which the page was last amended is included for ease of reference.


What is the GDPR regulation?

The European Union (EU) General Data Protection Regulation (GDPR) is a new regulation that replaces the existing 1995 Data Protection Directive. GDPR is the largest overhaul to data protection and privacy laws in Europe. The new directive imposes a more robust and harmonised data protection regime for member states. The new framework seeks to remedy the diverging levels of protection afforded for personal data across the EU arising from inconsistent implementation.

The key principle of data privacy still holds true to the previous directive, but many changes have been made to take into account the digital age. New provisions address the requirement for affirmative consent, increased sanctions for data protection breaches, the notification requirements when a breach occurs, and the right of access. Furthermore, the definition of ‘personal data’ has been widened so that more information is brought within the regulated perimeter of the GDPR regime.

GDPR sets out enhanced rights for data subjects and additional obligations for data controllers and processors. It gives significant powers to regulators to investigate and enforce compliance; non-compliance could result in a fine. The reforms will also strengthen individuals’ existing rights to data protection and will give individuals more control over their personal data.

The regulation will come into force across all member states on 25 May 2018.

Why is there a new legislation?

The aim of the regulation is to update and modernise the principles enshrined in the 1995 Data Protection Directive to protect all EU citizens from privacy and data breaches in an increasingly data-driven world (i.e. the proliferation of the internet, new technology, mobile data devices, the rise of social media and cloud computing). GDPR also seeks to harmonise data protection laws across the EU. The revisions to the existing directive are also designed to increase public trust and to ensure that people's personal information will be protected, no matter where it is sent, processed or stored, even outside the EU.

To whom does it apply?

GDPR impacts all organisations that process EU customer, client or employee personal data, wherever these organisations are based. As a result, the regulation has an extra-territorial reach: it applies to non-EU based data controllers and data processors whenever an EU resident’s personal data is processed in connection with services offered to that person, or whenever the behaviour of individuals within the EU is monitored. It also affects systems and international data transfers, including intra-group personal data transfers.

What is the timeline for the legislation?

GDPR will take effect across all member states from 25 May 2018.

  • Q3 2015: GDPR negotiations took place
  • Q4 2015: EU Parliament and Council finalise GDPR text
  • April 2016: GDPR text adopted by the Council of the EU and the European Parliament
  • May 2016: Regulation published in the Official Journal and entered into force
  • Q2 2017: Pershing initiated our GDPR project
  • Q2 2017: Information Commissioner’s Office (ICO) releases a statement stating the UK should continue to prepare for GDPR despite Brexit
  • 7 August 2017: UK Parliament announced it will enact a Data Protection Bill
  • 25 May 2018: GDPR will come into force across all member states

What are the core objectives of GDPR?

  • One continent, one law: clear, modern rules unifying Europe's rules on data protection, creating business opportunities and encouraging innovation. The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU
  • Reinforcing and enhancing individuals' rights
  • Greater scrutiny on businesses to protect data and demonstrate compliance
  • Strengthening the EU internal market, by ensuring the free flow of data
  • Ensuring stronger enforcement of the rules. Non-compliance could result in fines of €20m or 4% of worldwide annual turnover, whichever is greater
  • GDPR requirements apply to data processors as well as data controllers
  • Streamlining international transfers of personal data
  • Setting global data protection standards

What is Pershing doing to prepare for the new legislation?

Pershing’s GDPR programme, launched in Q2 2017, is part of the wider BNY Mellon programme. The aim is to address Pershing’s GDPR obligations and its impact on clients, in preparation for 25 May 2018.

What do firms need to be doing to prepare for GDPR?

The general orientations of the reform are now clear; therefore, over the coming months, you should consider GDPR in light of the following:

Review: Get to grips with guidance set by the ICO and the European Commission regulators, and look out for any further guidance issued by the data protection and financial regulators. Organisations can start by understanding their IT systems and security infrastructure and updating them where necessary. Assess your current data handling practices. Review your basis for processing personal information: for example, if an organisation decides to use consent as the basis of processing, the GDPR makes it clear that businesses must obtain explicit consent to collect, process, and share personal data. Pre-ticked boxes or inactivity do not constitute consent. Firms should therefore verify how their clients’ consent was provided.

Plan: Establish an internal programme that reviews and assesses the privacy risks within the organisation, and get the right people involved. Commence high-level planning to help gauge key timings and “must do now” activities. Commence creation of staff training plans. Consider appointing a Data Protection Officer (under GDPR, certain companies may need a DPO).

Take Action: Examine your current data collection and handling practices. Do you know what you store, where it comes from and why you store it?

What does Brexit mean for GDPR?

Pershing will continue to implement measures and comply with the GDPR requirements irrespective of the implications of Brexit. The Information Commissioner’s Office has stated that:

“The UK will still be part of the EU by 25 May 2018; therefore, GDPR will have the force of law in the UK until at least the date on which Brexit takes effect.”

The UK is planning to enact a new Data Protection Bill: https://www.gov.uk/government/news/government-to-strengthen-uk-data-protection-law.

What does personal information mean?

Personal information is any information relating to a living, identifiable individual. It includes names, unique identifiers (e.g. an employee number or national insurance number) and any other information that, on its own or in combination with other available information, could be used to identify an individual.

What does sensitive personal information mean in the GDPR?

Special categories of personal data are identified in the GDPR for which additional safeguards are required. These include information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, as well as the processing of biometric data, genetic data or data concerning health.

Where do I find further information?

Additional information on GDPR can also be found on the following websites:

Information Commissioner’s Office: https://ico.org.uk/

Article 29 Working Party (European Commission): http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083

Irish Data Protection Commissioner: https://www.dataprotection.ie/docs/Home/4.htm

Jersey Office of the Information Commissioner: https://dataci.je/