Data protection in the veterinary practice
The General Data Protection Regulation (GDPR) was introduced in 2018. It updated the Data Protection Act of 1998 and set out guidelines for the processing and collection of personal information. All veterinary practices should be aware of how GDPR applies to them.
GDPR is regulated by the Information Commissioner's Office (ICO). It has introduced more rights for individuals, including the right to see the data held about them, to be informed about the data, and to request rectification and erasure. An employee, for example, can request access to information about them held by their employer, and the employer must respond swiftly.
In most cases, GDPR requires businesses to seek consent from individuals to hold data about them. The ICO gives detailed advice on how consent should be obtained and managed. Although it is not always necessary to seek consent, it is good practice for a business to do so before holding anyone's personal information, including that of employees or customers.
What is personal data?
If you can identify a particular individual from the data a business holds (their name and address, for example), this is considered to be personal data. Financial details and date of birth are also personal data. (Full details can be found in UK GDPR Article 4(1)).
‘Special categories’ of data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, sexual relationships or sexual orientation, and health data.
Who is responsible for data protection?
Many businesses appoint a data protection officer (DPO) to manage their data protection responsibilities. Some companies use the services of an external provider to oversee their data protection responsibilities.
DPOs may be assisted by data controllers and data processors. A data processor processes data, and a data controller has the authority to determine what data is processed, why and how.
Although appointing a DPO isn't always a statutory requirement, it is sensible for a business to appoint one unless it can demonstrate it has no need – in which case, it must record its reasons. The ICO can request to see this reasoning, so the record will enable the business to defend its decision not to appoint a DPO, if necessary.
With or without a DPO, a business must meet all of its data protection responsibilities under GDPR, so many businesses find it reassuring to appoint a DPO. The DPO is responsible for ensuring the business is, and remains, compliant by monitoring its ongoing data responsibilities (and staying up to date with the regulation), advising staff and increasing awareness within the business of all relevant data security issues.
A DPO's duties take time and resources. This consideration, together with the risk of a potential data breach, can be a reason why a business may outsource its DPO responsibilities to a specialist company.
In these circumstances, it is important to remember that liability for a breach will still be with the business owner. An external DPO works to reduce the risk of a breach, encourages best practice and mitigates any breach, just as an internal DPO would be expected to do.
The size of a business or the number of employees it has does not affect its GDPR responsibilities or requirement to appoint a DPO. There is no exemption for small and medium-sized enterprises in this regard; what matters is the nature and amount of data that is processed.
A veterinary practice may be required to appoint a DPO if its core activities require large-scale, regular and systematic monitoring of individuals. However, the guidance does not extend to a precise definition of 'large-scale', so a risk-based approach is generally taken by businesses, based on the amount and nature of the data they hold and the duration for which data are held.
12 Veterinary Nursing Journal