What is the GDPR?
The EU’s General Data Protection Regulation (GDPR) is the culmination of four years of efforts to update data protection for the 21st century, in which people regularly grant permissions to use their personal information for a variety of reasons in exchange for ‘free’ services.
In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties for organisations that fail to comply with the rules, including those that suffer data breaches because they failed to secure the data properly. It also makes data protection law almost identical across the EU.
Why was the GDPR drafted?
There are two main factors behind the introduction of GDPR. The biggest one is the EU's desire to bring data protection law in line with how people's data is actually being used, especially considering that firms like Amazon, Google, Twitter and Facebook offer their services for free so long as people hand over their data to these tech giants. The dangers of granting such vast permissions can be illustrated by the ongoing Cambridge Analytica scandal, where data from some 50 million Facebook profiles (a figure Facebook later revised to as many as 87 million) was harvested without those users' knowledge and used for political targeting ahead of the 2016 US election.
Basically, the internet and the cloud allowed organisations to invent numerous methods to use (and abuse) people’s data, and GDPR aims to rectify this.
The second driver is the EU’s desire to give organisations more clarity over the legal environment that dictates how they can behave.
When will the GDPR apply?
The GDPR will apply in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, it is directly applicable: the UK does not need to transpose it into national law for it to take effect, although member states can pass supplementary legislation on the points the regulation leaves to them (the UK's Data Protection Act 2018 does exactly that). The regulation entered into force on 24 May 2016, twenty days after it was published in the Official Journal of the EU following agreement on the final text, but businesses and organisations were given a two-year transition period, so it only starts to apply to them on 25 May 2018.
So who does the GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller determines how and why personal data is processed (the purposes and the means), while a processor is a party that processes the data on the controller's behalf. So the controller could be any organisation, from a profit-seeking company to a charity or government body. A processor could be an IT firm, such as a cloud or payroll provider, doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR still applies to them when they offer goods or services to people in the EU or monitor the behaviour of people in the EU. What matters is where the data subject is, not their nationality or residency status.
It is the controller's responsibility to ensure its processors abide by data protection law, normally through a written contract that sets out what the processor may do with the data. Processors now carry direct obligations of their own: they must keep records of their processing activities, implement appropriate security, and tell the controller about any data breach without undue delay. If processors are involved in a data breach, they are far more exposed under GDPR than they were under the Data Protection Act, because they can be fined and sued directly rather than only the controller.
When can I process data under the GDPR?
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, fairly and transparently, for a specified purpose, and on one of the six lawful bases the regulation recognises: consent, performance of a contract, a legal obligation, protecting someone's vital interests, a public task, or the controller's legitimate interests. Once that purpose is fulfilled and the data is no longer required, it should be deleted or irreversibly anonymised.
What counts as personal data under the GDPR?
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses and cookie IDs now qualify as personal data. Other data, such as economic, cultural, genetic, biometric or mental health information, is also personal data, and some of it (health, biometrics, political opinions, religion, sexual orientation and the like) is a ‘special category’ that needs an additional justification before it can be processed at all.
Pseudonymised personal data, where direct identifiers have been replaced with a token and the information needed to reverse the mapping is kept separately, is still personal data under the GDPR, because the controller or anyone else holding that key can re-identify the person. Only data that has been anonymised irreversibly, so that nobody can reasonably identify the individual, falls outside the regulation. Pseudonymisation is encouraged as a security measure that reduces the impact of a breach, not as a way out of the rules.
Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
When can people access the data we store on them?
In keeping with the aim of giving people more control over their information, GDPR ensures people can ask to access their data at “reasonable intervals”, and controllers must answer such requests without undue delay and at the latest within one month (extendable by a further two months where requests are complex or numerous, as long as the person is told why). Controllers must make clear how they collect people's information, what purposes they use it for, the lawful basis they rely on, and the ways in which they process the data. The legislation also says that firms must use plain language to convey these things clearly and coherently to people: it's time to wave goodbye to those confusing, dense terms and conditions.
People have the right to access the personal data a company holds on them, and the right to know why that data is being processed, how long it's stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them, which also means that the system handling these requests has to verify who is asking before it hands anything over.
They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
What’s the ‘right to be forgotten’?
GDPR makes it clear that people can have their data deleted if it's no longer needed for the purpose it was collected for. If the data was collected on the basis of consent, a citizen can withdraw that consent whenever they like, and people can also object to processing they find unjustified, or simply say they don't want the data collected anymore. The right is not absolute, however: a controller can refuse where it still needs the data to comply with a legal obligation (tax records, for instance) or to establish or defend legal claims.
If the controller has made the data public, it must also take reasonable steps to tell other controllers that are processing it (search engines such as Google, for instance) that the person has asked for any links to, copies of or replications of that data to be erased.
What if they want to move their data elsewhere?
Then you have to let them, and swiftly: the legislation means citizens can expect you to honour such a request within one month, the same deadline as other subject access requests. Controllers must provide the data in a structured, commonly used and machine-readable format, such as CSV or JSON, so that it can still be read when it moves to another provider, and where it is technically feasible the person can ask for it to be transmitted directly to that provider.
What if we suffer a data breach?
It's your responsibility to inform your data protection authority of any data breach that risks people's rights and freedoms within 72 hours of your organisation becoming aware of it; only breaches that are unlikely to pose such a risk are exempt, and you still have to record them internally. If you can't report everything within the deadline, you can provide the information in phases, but the first notification must be made on time.
Where the breach is likely to result in a high risk to the people affected, you must also tell them directly, without undue delay, so they can protect themselves (for example by changing passwords or watching for fraud). That is a separate obligation, not a precondition for notifying the authority. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide turnover or €10 million, whichever is higher.
However, it's important to note that while the maximum fines that can be issued will become much higher under GDPR, the legislation stipulates that they must remain “effective, proportionate and dissuasive”. Also, if you can demonstrate that you have worked hard to ensure your organisation is compliant with GDPR, for instance by having appropriate security in place and a tested breach-response process, the ICO (the UK's data protection authority) would likely not issue as high a fine in the event of a breach as it would otherwise.