As is the case for data processors, data controllers will also
find themselves subject to more stringent rules under the new EU
General Data Protection Regulation (GDPR), which is due to
come into force in May 2018.
Just to brush up on the data protection lingo, the term
"data controller" is used to describe any entity that
determines the purposes and manner of data processing. This
captures a huge number of organisations and companies operating in
the United Kingdom – most businesses will be data controllers
because of the customer and employee personal data they hold and
collect. Most data controllers should be registered with the
Information Commissioner's Office (ICO) so if the above has set
off any alarm bells, we'd encourage you to pay a visit to the
ICO website post-haste. They also have a very useful online tool that you can use to self-assess
whether your organisation needs to be registered or not.
Under the current law, data controllers have had to bear the
brunt of data protection compliance. It's the controllers who
have had to evidence compliance with the legal requirements, make
sure that processors maintain adequate organisational security
measures and ultimately deal with the consequences where the ICO
has ruled that any processing activities have fallen short of the
requirements under the Data Protection Act. We recently wrote about
duties of data processors, which mean that processors will have
separate liabilities under the GDPR, but data controllers will also
find themselves subject to more stringent rules under the new
Under the GDPR, the duties of data controllers are described in
more detail than previously. The most noteworthy developments include:
the general requirement for greater transparency towards the
data subjects all the way from the content of
privacy notices to the manner of processing itself, such as
being more forthcoming about the rights of data subjects;
increased requirements for consent to data processing,
particularly in relation to data of a sensitive nature;
being more mindful of the age of the data subject and
potentially obtaining consent to the processing of a child's
data from an adult, particularly where a child's personal
information is being processed for the purposes of providing
information society services (such as social media accounts)
directly to the child;
tighter timelines to respond to data subject access
carrying out privacy impact assessments and appointing data
notifying data breaches to the ICO and also to individuals in
the case of severe breaches;
complying with the new rights that individuals have under the
GDPR, including the right to be forgotten, the right to restricted
processing, the right to data portability and the right to object
to automated decision-making and profiling;
the obligation to pseudonymise or encrypt personal data as an
additional security measure in certain circumstances; and
maintaining records of data processing activities, such as the
purposes of the processing and details of third parties to whom the
data has been or will be disclosed (although, thankfully for data
controllers, the requirement to register their data processing
activities with the ICO will disappear).
Looking at the above list, data controllers will be affected by
the majority of the changes implemented by the GDPR in one way or
another. We will discuss most of these topics further in future
Data protection policy
What should be flagged up, though, is the requirement to
implement a data protection policy, where this is proportionate to
the controller's data processing activities. This is part of
the overarching requirement to ensure that the data
controller's technical and organisational measures are on par
with the extent and risks of the relevant data processing
activities as well as the rights and freedoms of individuals. For
example, where data processing activities are extensive, a data
protection policy should be put in place (and of course enforced)
to ensure the processing will be considered lawful under GDPR.
A data protection policy helps to ensure that your employees are
aware of the requirements you are faced with as a data controller
and will provide practical tips (such as dos and don'ts) when
it comes to their daily tasks. A data protection policy can also be
incorporated into your agreements with data processors to ensure
they are required to comply with the same standards that apply
within your organisation.
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.