General Data Protection Regulation
25 January 2018
The EU General Data Protection Regulation (“GDPR”) is European legislation that has been designed to try and harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the EU approach data privacy.
The GDPR comes into force on 25 May 2018 and introduces an enhanced EU-wide data protection regime that will have direct effect in member states and affect companies established outside the EU who wish to trade with EU partners or within the EU.
SLC is currently reviewing and, where necessary, updating, its data protection practices to meet the enhanced requirements of the GDPR.
This Statement is intended to provide information relating to the steps that SLC is taking to ensure compliance with the GDPR.
If you are currently subject to the DPA, you will be affected by the GDPR. The GDPR applies to both ‘data controllers’ and ‘data processors’. The definitions of both terms are broadly the same as under the Data Protection Act 1998 (DPA) – i.e. the data controller decides how and why personal data is processed, and the data processor acts on the controller’s behalf. Both data controllers and data processors will have significantly more legal liability if they are responsible for a breach. If you are a data processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. However, if you are a data controller, you are not relieved of your obligations where a data processor is involved – the GDPR places further obligations on you to ensure that your contracts with processors comply with the GDPR.
What does this mean for SLC? It means that we have to examine our own systems, procedures, working practices, policies, etc. to ensure that internally we meet the requirements of the GDPR. It also means that SLC will map its data and information flows in order to assess its privacy risks. Once these activities are completed, SLC will put additional security and technological safeguards in place as necessary.
It also means that we have to ensure that the third parties with whom we share personally identifying information are also carrying out the work required for compliance. We aim to achieve this by actively engaging with our suppliers, carrying out audits where applicable, and providing assistance if required.
SLC can perform two roles:
As a data controller, SLC has the statutory responsibility for the processing of personal data. However, as a data processor, SLC has a contractual responsibility to the relevant data controller or data processor in addition to specific GDPR requirements mainly focussed on security. Generally, regulatory responsibility for use of personal data remains the responsibility of the data controller. SLC is not a joint data controller unless agreed elsewhere separately.
SLC has a Data Protection Officer (DPO) to meet the requirements of the DPA and, following consideration, will determine the extent of the support the DPO requires to carry out their duties under the GDPR.
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
SLC shall comply with the GDPR principles for processing personal data, which require that personal data is:
SLC will also respect the rights of data subjects which are enshrined in the GDPR.
For general GDPR related questions, contact GDPR_Responses@slc.co.uk.