The General Data Protection Regulation 2016/679 (GDPR) replaces the existing data protection regimes in place throughout the European Union (EU), including the UK. It introduces a number of new obligations on controllers[1] and processors[2]. Compliance with the new regulations will be of even greater importance following the enforcement date of 25 May 2018, because the GDPR substantially increases the fines that can be imposed by the relevant regulatory bodies in the event of a breach – now up to a maximum of €20 million or 4% of annual global turnover, whichever is the higher.
Our first, second and third articles in this series covered steps 1, 2 and 3 in your journey towards GDPR compliance:
One of the most important obligations under the GDPR is the overarching and ongoing requirement for transparency in relation to every facet of the processing of personal data. The following is not an exhaustive list but your data subjects must be fully and effectively informed about:
- who you are as the data controller;
- how you obtained their personal data;
- precisely what personal data you are or will be processing;
- what further information will be required to ensure fair and transparent processing;
- why you process their personal data (i.e. why it was collected and why it is being used);
- their rights as data subjects in respect of obtaining confirmation and communication of the personal data being processed; and
- who is involved in the processing (i.e. whether you share, or intend to share, the personal data with any third parties).
Ahead of the GDPR’s enforcement date of 25 May, it is important to consider how you will comply with the GDPR’s obligations on transparency for your existing data subjects, as well as for those whose data you collect or obtain following the implementation of your new GDPR-compliant practices.
For existing data subjects, it will be necessary to revisit what information has already been provided to them regarding the processing of their personal data, in order to confirm whether these details meet the requirements of the GDPR. Where you are making changes or additions to the information provided, the Working Party 29 recommends that these be actively brought to the attention of the data subjects or, at the very least (in the case of minor changes and updates), made publicly available, for example visibly on your website.
You can find more information about communicating with your data subjects and the transparency requirements under the GDPR, as well as about staff training and improving awareness of data protection principles, on our webpage and on the following helpful Information Commissioner’s Office (ICO) webpages:
- The ICO’s toolkit of information rights resources
- Guidelines on transparency under Regulation 2016/679
- The ICO’s guidance on Privacy notices, transparency and control
- The text of the GDPR
- The ICO’s guide to the GDPR
- The ICO’s self-assessment resources
If you have any questions, or need any assistance with preparing your privacy notice or developing your communication strategy, please do get in touch.
[1] A ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.