Laura Johnson, a Technology, Outsourcing and Privacy solicitor at Fieldfisher LLP, joined our recent LexisNexis Aspire networking and professional group facilitated by Sophie Gould, to share her expertise in an engaging and interesting presentation covering the low-down on the GDPR one-year post-implementation.
Key GDPR concepts
Laura started off by giving us a quick overview of the GDPR. This legislation applied from 25 May 2018 and replaced the Data Protection Act 1998 in the UK. It was implemented to modernise and harmonise the laws around data protection in order to better protect the personal information of individuals. However, as Laura reminded us, there is still more work to be done to catch up with the evolving technology in this area.
Personal data can be defined as any information relating to a data subject which leads to direct or indirect identification. Or, to put it simply, any information which identifies us as individuals, e.g. IP addresses and device IDs.
There are a few other key terms under the GDPR, including:
Scope of the GDPR
The material scope of the GDPR covers data processed by automated means, as well as hard-copy data which forms part of the relevant filing system.
The territorial scope of the GDPR is that it applies to any controller or processor which is:
There are six lawful bases for processing personal data:
Note, special category data requires a different set of lawful bases.
GDPR in review
Laura went on to explain the discrepancy between what was thought would happen post-implementation and what actually occurred.
The initial reaction to the GDPR was one of fear. There was a lot of misunderstanding and misinformation on the internet, and everyone seemed to be calling themselves an expert. Even minor breaches were being reported. Laura explained that, in one early case, a nursery was reported for accidentally sending a Father’s Day card with photos of a child on the front to the wrong parent of the child. This was obviously well below the threshold for reporting a breach.
Since its implementation, even data protection professionals are still learning. Those in private practice generally try to inform an industrial standard across all the deals they are involved with. It is sometimes more efficient to decide between the parties and individually assess the approach based on the situation.
Laura continues to explain more on GDPR developments and delves deeper into the types of breaches we've seen in the past year, as well as what we can expect going forward. Read more in part two.
Join Aspire today
Aspire is free to join and open to all in-house lawyers in the early stages of their legal career. Join today.
Additional recommended reading:
compliance—regulatory regime—overview - The Practice Note provides an overview of the conceptual changes and the changes in regulatory oversight and additional obligations for organisations which were implemented by the GDPR
GDPR—Frequently Asked Questions (FAQs) - This Practice Note is an archive that consolidates some of the most popular or useful general Q&As (FAQs) on the General Data Protection Regulation (the GDPR), Regulation (EU) 2016/679 and the Data Protection Act 2018 that have been raised with the Lexis Ask service (GDPR FAQs)
compliance self-audit - This Precedent is based on a GDPR self-assessment checklist published by the Information Commissioner's Office (ICO). It is designed to help you check and assess your high-level compliance with the General Data Protection Regulation (GDPR) e.g. including new rights of individuals, handling subject access requests, managing consent and conducting data protection impact assessment
protection principles under the GDPR - This Practice Note covers the principles for handling personal data that form the core of the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) and which are set out in Article 5 of the GDPR
definitions under the GDPR - This Practice Note provides a background to the definitions used in the General Data Protection Regulation (the GDPR), Regulation (EU) 2016/679. Where applicable, this Practice Note also highlights further details and terms provided under the Data Protection Act 2018 (DPA 2018), which contains supplementary definitions throughout its provisions and