³ÉÈËÓ°Òô

Laura Johnson, a Technology, Outsourcing and Privacy solicitor at Fieldfisher LLP, joined our recent facilitated by Sophie Gould, to share her expertise in an engaging and interesting presentation covering the low-down on the GDPR one-year post-implementation.

Key GDPR concepts

Laura started off by giving us a quick overview of the GDPR. This legislation applied from 25 May 2018 and replaced the Data Protection Act 1998 in the UK. It was implemented to modernise and harmonise the laws around data protection in order to better protect the personal information of individuals. However, as Laura reminded us, there is still more work to be done to catch up with the evolving technology in this area.

Personal data can be defined as any information relating to a data subject which leads to direct or indirect identification. Or, to put it simply, any information which identifies us as individuals e.g. IP addresses and device IDs.

There are a few other key terms under the GDPR, including:

• Special category data – this is personal data which is especially sensitive and is therefore in need of greater protection
• Criminal conviction data – to process personal data about criminal convictions or offences, you must have both a lawful basis under Article 6 and authority for it under Article 10
• Anonymous data – data which must be truly anonymous
• Pseudonymous data – where the means of storing the data stops it from being classified as personal data per se e.g. where the identifying element is stored elsewhere

Scope of the GDPR

The material scope of the GDPR includes when data is processed by automated means or where there is a hard copy which forms part of the relevant filing system.

The territorial scope of the GDPR is that it applies to any controller or processor which is:

• established in the EU
• located outside the EU:
• offers goods and services to data subjects in the EU
• monitors the behaviour of data subjects in the EU to the extent it takes place in the EU

Lawful processing

There are six lawful bases for processing personal data:

•  Consent – the most well-known one, not enough to just consent to processing
• Contractual necessity
• Legal obligation (under EU law)
• Vital interests
• Public interests (under EU law)
• Legitimate interests (unless public authority)

Note, special category data requires a different set of lawful bases.

GDPR in review

Laura went on to explain the discrepancy between what was thought would happen post-implementation and what actually occurred.

The initial reaction to the GDPR was one of fear. There was a lot of misunderstanding and misinformation on the internet, and everyone seemed to be calling themselves an expert. Even minor breaches were being reported. Laura explained that, in one early case, a nursery was reported for accidentally sending a Father’s Day card with photos of a child on the front to the wrong parent of the child. This was obviously well below the threshold for reporting a breach.

Since its implementation, even data protection professionals are still learning. Those in private practice generally try to inform an industrial standard across all the deals they are involved with. It is sometimes more efficient to decide between the parties and individually assess the approach based on the situation.

Laura continues to explain more on GDPR developments and delves deeper into the types of breaches we've seen in the past year as well as what we can expect going forward -  Read more in part two  

Join Aspire today

is free to join and open to all in-house lawyers in the early stages of their legal career. . 

Additional recommended reading:

- The Practice Note provides an overview of the conceptual changes and the changes in regulatory oversight and additional obligations for organisations which were implemented by the GDPR

- This Practice Note is an archive that consolidates some of the most popular or useful general Q&As (FAQs) on the General Data Protection Regulation (the GDPR), Regulation (EU) 2016/679 and the Data Protection Act 2018 that have been raised with the Lexis Ask service (GDPR FAQs)

- This Precedent is based on a GDPR self-assessment checklist published by the Information Commissioner's Office (ICO). It is designed to help you check and assess your high-level compliance with the General Data Protection Regulation (GDPR) e.g. including new rights of individuals, handling subject access requests, managing consent and conducting data protection impact assessment

- This Practice Note covers the principles for handling personal data that form the core of the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) and which are set out in Article 5 of the GDPR

- This Practice Note provides a background to the definitions used in the General Data Protection Regulation (the GDPR), Regulation (EU) 2016/679. Where applicable, this Practice Note also highlights further details and terms provided under the Data Protection Act 2018 (DPA 2018), which contains supplementary definitions throughout its provisions and schedules