The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018. GDPR is a stronger data protection regulation which will supersede the existing Data Protection Act.
GDPR covers information about any living individual held by any organisation. It therefore applies to PCCs (and to the DBF).
The Regulation sets out two key objectives:
- Protection of the fundamental rights and freedoms of individual persons, in particular, the protection of personal data
- Protection of the principle of free movement of personal data within the EU
The principles set out in the GDPR are similar to existing legislation. However, there are a number of changes, for example:
- There are more prescriptive rules on what constitutes consent to hold data. Consent “must be freely given, specific, informed and unambiguous”.
- PCCs (and the DBF) will have to be more accountable about the data they hold and the purposes for which they hold it. “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
- The requirement to have documentary evidence of your legal basis for processing is significantly enhanced.
- Enhanced Data Subject Rights: data subjects will have the “right to be forgotten”.
- Mandatory data breach notification requirement.
- New rules on transferring data overseas.
Further guidance is available on the Parish Resources website.
Should you have any queries, please contact Peter Evans, Assistant Diocesan Secretary.