Print

This is a freeview 'At a glance' guide to the General Data Protection Regulation (GDPR).

What is GDPR? Who does it apply to? What obligations does it impose and what are the consequences of a breach of the rules?

At a Glance

On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect.

We have produced a Sample template for a Statement on GDPR Compliance.

What's new?

In April 2019 the ICO issued enforcement notices to HMRC for breaches by the use of voice authentication (Voice ID) for customer verification on some of their helplines. HMRC are required to delete some 5 million taxpayer records where taxpayers were not given the chance to give or withhold their consent for their data to be held, or given sufficient details about how their data would be processed. 

In January 2018 the European Commission published guidance on the new rules, together with an online tool for small and medium sized enterprises.

Overview and examples

GDPR post Brexit

From 31 December 2020, the end of the Brexit transitional period, the EU GDPR ceases to apply in the UK, except where organisations provide goods and services to EU residents. Instead, the EU GDPR’s requirements have been enacted into UK law by the Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019, and, with effect from 1 January 2021, a new UK specific data protection regime ‘the UK GDPR’ applies.

ICO have said that data collected before 31 December 2020 about people who were located outside the UK at that date remains subject to the EU GDPR as it stood on 31 December 2020. This is now known as the ‘frozen GDPR’.

The UK is now a 'third country' under the EU GDPR. The European Commission has the power to decide whether a third country has an adequate level of data protection. The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguards being necessary.

On 28 June 2021, the European Commission adopted two adequacy decisions for the UK: one under the GDRP and one under the Law Enforcement Directive. This means that personal data can flow freely between the UK and EU with equivalent protection in both jurisdictions. 

The adequacy decisions are limited in length to four years. After that period, the adequacy decisions may be renewed, where the UK ensures an adequate level of data protection. 

The key definitions and terminology in the UK GDPR are the same as those in the EU GDPR. However, there are some areas where the UK GDPR differs. Transfer restrictions for EEA to UK data transfers were delayed to 30 June 2021 whilst an adequacy decision was being sought. Businesses and organisations that receive data from EEA contacts should review their GDPR documentation to check whether any amendments are required to meet the requirements of the new UK GDPR.

New Powers and obligations: 2018

The Information Commissioners Office (ICO) regulates data protection and information rights in the UK. Under the GDPR from May 2018 they have increased enforcement powers in respect of:

There are new obligations for businesses in respect of consent and the reporting of data breaches:

Penalties and fines

There are two levels of fine. The maximum fines are:

To 31 December 2020:

From 1 January 2021:

Prior to GDPR, fines were limited to £500,000.

The standard level of fine (£8,700,000 or 2% of global turnover) will be considered for breaches relating to:

The higher level of fine, (£17,500,000 or 4% of global turnover) will be considered for breaches relating to:

Who does the GDPR apply to?

The GDPR applies to ‘controllers' and ‘processors’. The controller says how and why personal data is processed and the processor acts on the controller’s behalf.

What information does the GDPR apply to?

Personal data: 

Like the DPA, the GDPR applies to ‘personal data’ but the definition is clearer:

Sensitive personal data

How does the GDPR work?

For processing to be lawful under the GDPR, it is necessary to identify a lawful basis for it and to document that basis before the personal data is processed. These are often referred to as the conditions for processing and include:

For example, processing credit card details in respect of payments for online purchases of goods or services or taking personal details to respond to an enquiry about services offered.

At least one lawful basis must apply.

Consent

For consent to be a lawful basis for processing data the consent must be:

What constitutes a personal data breach?

A personal data breach means:

What breaches must be notified to the relevant supervisory authority?

The relevant supervisory authority (ICO in the UK) must be notified of a breach:

When do individuals have to be notified of a breach?

Individuals must be notified:

Should an individual ask for a copy of their record (a subject access request):

How and when should breaches be notified?

What exemptions are permitted?

Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights in certain situations; these are similar to the existing exemptions from rights and duties in the DPA.

These only apply:

Can penalties be appealed or mitigated?

A violation can be caused by the act of a third party, i.e. by the organisation being hacked. There will be no automatic exemption or relief where the breach is the result of a cyber-attack. ICO will not treat a data controller as a victim of a cyber-attack; they will instead be treated as negligent and responsible.

However, the following will be taken into consideration for each individual case in deciding whether to impose a fine and the level of fine; in minor cases, a reprimand can be given instead.

It is not clear from the regulations what, if any, course of appeal will be open to organisations receiving fines. It is assumed that the ability to appeal ICO decisions which was available prior to the introduction of GDPR will continue to be available.

There are fears that the level of fines under GDPR will lead to specifically targeted cyber-attacks and extortion with threats to send hacked data to ICO if organisations do not pay up.

Professional standards and GDPR

The CCAB draft money laundering standards published in August 2017 require that member businesses must have systems and controls capable of keeping appropriate records. Such systems will need to be reviewed and updated if necessary to meet GDPR requirements.

The Money Laundering Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 also cover data protection stating that personal information obtained in accordance with the regulations must be deleted after 5 years from the point that the business relationship ends unless statutory obligations or legal proceedings require it to be retained or the relevant individual consent to it being retained.

What now?

ICO produced a document titled  ‘Preparing for General Data Protection Regulation: 12 steps to take now’ to help business prepare ahead of the May 2018 deadline. The 12 steps are:

  1. Awareness
  2. Information you hold
  3. Communicating privacy information
  4. Individuals rights
  5. Subject access requests
  6. Lawful basis for processing personal data
  7. Consent
  8. Children
  9. Data Breaches
  10. Data Protection by Design and Data Protection Impact Assessments
  11. Data Protection Officers
  12. International

Comparison of individual rights: GDPR v DPA

The rights of individuals under GDPR

The GDPR creates new rights for individuals and strengthens some rights already provided for within the DPA.  

Rights under GDPR 

Rights under DPA

The right to basic information

This right is the same under the DPA as for the GDPR

The right of access; controllers are obliged to provide data subjects with access to their own personal data

The DPA list of mandatory information which must be provided is much narrower than that for the GDPR.

The right to rectification; data subjects are entitled to require a controller to rectify any errors in their personal data

The position is the same as under the GDPR.

The right to erasure; data subjects have the right to erasure of personal data (the "right to be forgotten") if:

  • the data are no longer needed for their original purpose (and no new lawful purpose exists);
  • the lawful basis for the processing is the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists;
  • the data subject objects, and the controller has no overriding grounds for continuing the processing;
  • the data have been processed unlawfully; or
  • erasure is necessary for compliance with EU law or the national law of the relevant Member State.

This ‘right to be forgotten’ is narrower under the DPA

The right to restrict processing; meaning that the data may only be held by the controller, and may only be used for limited purposes) if:

  • the accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
  • the processing is unlawful and the data subject requests restriction (as opposed to asking for erasure);
  • the controller no longer needs the data for their original purpose, but the data are still required by the controller to establish, exercise or defend legal rights; or
  • if verification of overriding grounds is pending, in the context of an erasure request.

The DPA does not directly cover the right to restrict processing although it does provide for the right to request the blocking of data. This means that the controller must refrain from using the data during the period for which that right applies, even though the data have not yet been deleted.

The right to data portability

This is not included at all under the DPA and it may require investment in new systems and processes

The right to object

The DPA permits an organisation to continue processing the relevant data unless the data subject can show that the objection is justified. The GDPR reverses this burden; the organisation must demonstrate that it either has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights. If it cannot demonstrate this it must cease the processing activity.

Rights in relation to automated decision making and profiling such as the right to object to processing for scientific, historical or statistical purposes

The GDPR gives individuals more specific rights than the DPA

Mr Scruff does GDPR

We like this alternative version of GDPR


Squirrel ad


Are you enjoying our content? 

Thousands of accountants and advisers and their clients use www.rossmartin.co.uk as their primary TAX resource.

Register with us now to receive our unique FREE Tax Planning Tips and Advice Guide & our FREE OMB Newsletter.