
The General Data Protection Regulation (GDPR) – FAQs

Information about GDPR, who it affects, how the society manages this and where you can find further guidance.

04 April 2018

1. What is the GDPR?

  • The GDPR is an EU regulation. In the UK it, together with the Data Protection Act 2018, replaces the Data Protection Act 1998
  • It applies from 25 May 2018
  • The aim of the GDPR is to protect and strengthen the data privacy rights of individuals in the EU and to harmonise data protection law across Europe
  • The Data Protection Act 2018 has received Royal Assent and its main provisions have commenced. It supplements the GDPR in the UK and should be read alongside it

More information can be found on the ICO website.

2. Who does the GDPR affect?

  • Any organisation established in the EU that processes personal data
  • Any organisation outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU
  • It applies to both controllers and processors of personal data
  • It does not apply to the use of personal data for a purely personal or household activity

3. What's new?

The following outlines some of the bigger changes that the GDPR brings. You can find more detailed information on the ICO website.

Penalties

The maximum fine has increased from £500,000 under the DPA 1998 to €20 million or 4% of annual worldwide turnover, whichever is greater.

Consent

The standard for consent has been strengthened. Consent must be a clear, affirmative 'opt in' that is specific, informed and unambiguous, and it must not be bundled with other information or buried in terms and conditions. Pre-ticked boxes and silence do not count as consent.

It must be as easy to withdraw consent as it was to give it, so there must be a clear process for individuals to do so.

Rights of the individual

These have been strengthened, with new or expanded rights including:

  • Right of access - the right of the individual to be told how and why their data is being processed and to receive a copy of it. Organisations can no longer charge for subject access requests in most cases, and the information must be provided within one month (extendable by up to two further months for complex or numerous requests)

  • Right to erasure - the right, in certain circumstances, to have personal data deleted

  • Data portability - the right of the individual to receive the personal data they provided in a structured, commonly used, machine-readable format, and to have it transferred to another data controller

Breach notification

The ICO must be informed of a personal data breach within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, those affected must also be informed 'without undue delay'.

Data protection by design

This requires data protection to be considered from the start of designing a new system or process, rather than added afterwards. Privacy by design has long been recommended good practice; under the GDPR it is a general legal obligation. Where processing is likely to result in a high risk to individuals, there is now a legal obligation to conduct a Data Protection Impact Assessment (DPIA), previously known as a Privacy Impact Assessment (PIA).

Data protection officers

Public authorities must appoint a Data Protection Officer. Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category data, must also appoint a DPO.

Data protection principles

The DPA 1998 set out eight data protection principles. The GDPR keeps the same underlying ideas but consolidates them into six principles (with accountability, covered below, as an overarching requirement). The six principles are that personal data is:

  • processed lawfully, fairly and transparently
  • collected only for specified, explicit and legitimate purposes and not used in a way incompatible with those purposes
  • adequate, relevant and limited to what is necessary for those purposes
  • accurate and, where necessary, kept up to date
  • kept in identifiable form for no longer than necessary
  • kept secure, with appropriate protection of its integrity and confidentiality

Accountability

The principle of accountability has been elevated under the GDPR. It is no longer enough to comply; organisations must be able to demonstrate compliance by:

  • implementing appropriate technical and organisational measures
  • maintaining relevant documents on processing activities
  • meeting the principle of data protection by design and using data protection impact assessments, where appropriate

4. What does 'personal data' mean?

Personal data is any information relating to a living individual who can be identified from it, either on its own or in combination with other information you hold or are likely to obtain. This includes obvious identifiers such as names and addresses, and also less obvious ones such as online identifiers and location data.

5. What does 'data subject' mean?

The data subject is the individual that can be identified by the personal data.

6. What does 'processing' mean?

Processing covers almost anything done with personal data, including collecting, recording, storing, organising, using, disclosing, and deleting it. If you hold, record or obtain personal data on a computer system or in a structured paper filing system, you will normally be considered to be processing personal data.

7. What does 'data controller' mean?

A data controller is the person or organisation that determines the purposes and means of the processing, that is, decides why and how personal data is used.

8. What does 'data processor' mean?

A data processor is any person or organisation that processes personal data on behalf of, and on the instructions of, the data controller (other than an employee of the data controller). Processors now have direct legal obligations of their own under the GDPR.

9. What is the society doing to prepare?

  • The society continues to protect the personal data of our members, staff and stakeholders
  • We are reviewing all of the personal data we hold and ensuring it is processed in line with the GDPR
  • We have put processes in place to make sure data protection is a key consideration in any future project

10. Where can I find further guidance?