What is the General Data Protection Regulation (GDPR)
The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. The UK Information Commissioners Office (ICO) is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Whilst there may still be questions about how the GDPR would apply in the UK on leaving the EU, this should not distract from the important task of compliance with the GDPR.
Like the UK Data Protection Act 1998 (DPA), the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals.
To support the IT industry, cloud suppliers and vendors, the Cloud Industry Forum has developed its Code of Practice to enable suppliers and customers to be better prepared for GDPR. The Code of Practice has integrated key elements of the GDPR in to the self-certification process, so whilst being certified does not ensure compliance to GDPR it is intended to offer greater visibility and transparency of the processes from suppliers on for customers.
More information on the GDPR is available from the ICO website.
GDPR enhancement to the Code of Practice
Whilst the GDPR additions to the Code cannot ensure complete compliance to the Regulation they will offer both providers and customers much greater confidence that they are proceeding appropriately towards GDPR. The bulk of additions that have been made to the Code fall in to Transparency: Section A.2, entitled contracting disclosure.
There are two main types of information for pre-contract disclosure:
- Information needed by potential customers so that they can make informed decisions about relevant criteria except for capability.
- Information potentially needed during contract execution for operational purposes
Pre-contract disclosure is highly flexible, if all required information is ultimately disclosed prior to contract close. It is not the purpose of pre-contract disclosure to provide the information for an assessment of capability. The pre-contract disclosure also includes areas of transparency such as the roles of the controller and processor, geographical focus, data location and transfer of data, guarantees and remedies, complaint and dispute resolution.
Under the Capability section there are additions to personal data protection capabilities and information security management which are required to comply with personal data protection legislation/regulation and principles.