What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is the new legal framework in the EU which will come into force on 25 May 2018. There will also be a new Data Protection Act, which is currently going through Parliament. This new Act will add to the GDPR and provide new rights to individuals concerning their personal data. Neither is in force yet, so this page provides information in advance of the law changing.
GDPR puts a greater weight of responsibility on individuals and organisations whose work involves the collection of personal data, and requires those businesses and organisations to give individuals greater visibility into, and control over, the data they provide to those businesses and organisations.
Why is the law changing?
When the European Data Protection Directive was introduced in 1995, the law makers were addressing the risks posed to personal data that existed during the formation and early years of the Internet. To ensure that the protection of personal data remains a fundamental right for EU citizens, the aim of GDPR is to modernise outdated and unfit-for-purpose privacy laws.
What will this new law mean for me?
The rights that individuals have about how their personal data is handled and stored are being changed and enhanced. You can find out about the GDPR rights on the ICO website. You will have the right to know how the data has been processed and make requests, in certain circumstances. These are outlined below.
To request information we hold about you – subject access requests
Under the new law, like now, everyone can make a written request to the OPCC for the information it holds about them. Please only ask for the information you actually need, to save time and allow us to be more efficient. When the new law comes into force, there will be no fee. You will need to provide proof of your identity and address. Once we have a valid request, we will have a calendar month to provide the information requested, which we can extend in some circumstances. We will be allowed (as we are now) to remove (redact) information; for example, legal advice or information about other people. You will be able to make a subject access request under the new law with the contact details provided on our website.
If we are relying on consent to process your data, you can request to withdraw consent or restrict/object to some elements of the processing. The OPCC does not rely on consent in most cases because it has legal duties to do certain tasks. For example, the handling of complaints from the general public, the processing of grants and commissioned services or the administration of Police Appeals Tribunals are based on legal duties, not on consent.
We will need to consider appropriate lawful grounds for processing your data if you have consented to the processing and decide later to withdraw your consent.
To comply with the new law we must provide detailed information on why and how we are processing the data.
To transfer personal data from our electronic processing system to and into another organisation’s electronic processing system.
Where we rely on your consent as your legal basis to process your personal data, you have the right to withdraw your consent and ask for your data to be deleted. As explained above we will not rely on consent in many cases.
After 25 May 2018, you will have the right to make changes to inaccurate data.
Automated decisions and profiling
After 25 May 2018, if we process your personal data based on automated decisions, and this will have a legal or similarly significant effect on you, then you can request a written explanation of the decision made and you can contest the results of the decision. Warwickshire OPCC does not carry out automated decision making or profiling that comes under this definition.
When it comes into force, we will have to be able to demonstrate how we comply with the new law when collecting and processing your personal data.
We appreciate that these new rights might seem complicated. You can find more information on the ICO website. If you need help in exercising your new rights when the new law comes into force in May 2018 we will have a web page with contact details so you can ask for more information.
Personal data and ‘special categories of personal data’
The new law will apply only to ‘personal data’. You can find out more about personal data and the new GDPR regulations on the Information Commissioner’s website. Special category personal data will be personal data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or is about their health, sex life or sexual orientation, and includes genetic and biometric data. The OPCC will need to comply with more safeguards when processing special personal data.
Data Protection Officer
Under the new law, the Office of the Police and Crime Commissioner (OPCC) must have a Data Protection Officer who is responsible for data protection matters and available for members of the public to contact.
Warwickshire OPCC’s Data Protection Officer is Warwickshire Legal Services (Data Protection Officer). Warwickshire Legal Services (DPO) has been appointed to oversee the OPCC’s data protection strategy and implementation, to ensure compliance with GDPR requirements. They can be contacted by email at email@example.com.
Warwickshire OPCC’s commitments under GDPR
Our commitment will be to ensure that the data is:
- Processed lawfully, fairly and in a transparent manner.
- Collected for a specific and legitimate purpose. It will not be used for anything other than this stated purpose.
- Relevant and limited to what is required for the purposes for which it is processed.
- Accurate, and where necessary, kept up to date. Any inaccuracies will be amended or removed without undue delay.
- Stored for as long as required, as specified in our records retention policy.
- Secured with appropriate solutions, which protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Warwickshire OPCC will demonstrate its compliance with these principles.
What we are doing to prepare for GDPR compliance
In order to comply with the provisions of GDPR, the Warwickshire OPCC has:
- Raised awareness of GDPR among senior stakeholders and key staff;
- Appointed a Data Protection Officer;
- Begun an audit of the data it holds, how it was obtained, with what level of consent and the lawful basis for processing it;
- Begun reviewing policies and procedures in light of GDPR requirements;
- Begun revising privacy notices ready for publishing on the OPCC website and drafting communications to ensure consent for data held by the OPCC.