One year from today, GDPR, an EU regulation, will become enforceable in the UK and the rest of the European Union. Here we look at what it is, and why it matters for business.
What is GDPR?
General Data Protection Regulation (GDPR) is designed to replace the current Data Protection Directive, which dates back to 1995. Since then of course, the growth in internet usage has changed the way in which we share and use information.
There’s also a key distinction here. The previous data protection framework was a directive, meaning that individual EU member states could adapt the measures as they saw fit. This led to a variety of approaches to data protection.
GDPR is a regulation, which means that the UK and the other EU member states do not need to draw up legislation – instead it will automatically become law on the enforcement date. This will have the effect of unifying approaches to data protection across the continent.
The key theme is that companies now have to be very careful about gaining active consent when using data, and to document the processes far more thoroughly than before.
Individuals’ Rights Under GDPR
The GDPR creates some new rights for individuals in relation to their own data, and strengthens those that already exist under the Data Protection Directive.
The ICO site has more detailed information on these rights, but here’s a summary.
- The right to be informed. This refers to the need for companies to be transparent about their use of data.
- The right of access. Similar to existing access rights, users have the right to access their personal data.
- The right to rectification. Individuals are entitled to correct inaccurate data.
- The right to erasure. Individuals can request the removal of data when there is no legitimate reason to use it.
- The right to restrict processing. Under certain circumstances, individuals have a right to ‘block’ or suppress processing of personal data.
- The right to data portability. This allows individuals to obtain and use their data across different services.
- The right to object. Users can refuse to have their data used for direct marketing.
- Rights related to automated decision-making and profiling. Individuals have the right not to be subject to a decision when it is based on automated processing.
Key Considerations Around GDPR
Here are some of the key areas to be aware of around GDPR:
Enforcement and fines
Breaches of personal data will be punished more severely than before. The most serious offences, such as obtaining customer data without consent, carry a maximum fine of 4% of annual global turnover or €20 million, whichever is higher.
The definition of what constitutes personal data has been expanded and now includes ‘online identifiers’ such as IP addresses.
Data Protection Officers
The regulation requires companies to hire a Data Protection Officer (DPO) if they:
- Are a public authority.
- Carry out large-scale systematic monitoring of individuals, for example online behaviour tracking.
- Carry out large-scale processing of special categories of data, or of data relating to criminal convictions and offences.
This DPO must report to board level, be able to operate independently without fear of dismissal or penalty, and be given adequate resources to meet their obligations.
It Doesn’t Just Apply to EU Companies
Any company doing business with EU residents will be subject to GDPR rules, whether based in the EU or not.
Data Breaches Must Be Reported
Certain types of data breach, for example those that leave customers open to identity fraud, must be reported to the ICO within 72 hours of an organisation becoming aware of them.
Failure to do so may result in a fine.
Data Protection by Design
Essentially, GDPR requires companies to build data and privacy protection into systems and processes from the beginning, rather than as an add-on.
As Information Commissioner Elizabeth Denham explains,
“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
GDPR places the onus on organisations to make significant changes to culture and processes, and this requires buy-in at board level.
This article looks at some of the challenges in securing senior-level support, and how these can be addressed.
Steps to Take Now
The ICO has published a useful guide, which outlines 12 steps to take towards compliance before the 2018 deadline.