General Data Protection Regulation

Background

The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and repealed and replaced the UK's Data Protection Act 1998 (DPA). In the UK, it sits alongside an updated Data Protection Act, the DPA 2018.

Why change?

The GDPR was introduced to:

  • better reflect the data protection challenges arising in the digital age;
  • address globalisation and harmonise data protection practice across Europe;
  • afford individuals greater control over their own personal data;
  • modernise existing data protection arrangements.

Key changes

Despite sharing many similarities with the 1998 Act, the GDPR introduced a number of changes to data protection practices. Key changes include:

  • tougher financial penalties - fines of up to 4% of annual global turnover or €20 million (whichever is greater);
  • a more stringent data breach notification process;
  • a requirement for larger organisations to appoint a Data Protection Officer;
  • a broader definition of personal data;
  • more restrictive rules around the use of child data;
  • a new approach to consent;
  • new and expanded rights including a right to erasure and data portability;
  • mandatory privacy impact assessments for projects where risks are high;
  • a reduced timeframe for handling subject access requests;
  • slightly revised processes for international data transfers;
  • stronger rules around recordkeeping.

Scope of the Regulation

The Regulation relates to:

Personal data

any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data

i.e. personal data revealing:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • data concerning health;
  • sex life and sexual orientation;
  • genetic data;
  • biometric data.

Note: Data relating to criminal offences and convictions does not fall within the definition above, despite being classified as 'sensitive personal data' under the Data Protection Act 1998. Rules around the use of this type of personal data are covered in Article 10 of the GDPR and sections 10, 11 and Schedule 1 of the DPA 2018.

For further information, contact dataprotection@york.ac.uk.