The GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive. Previous UK law was based upon this directive.
The EU’s GDPR website says the legislation is designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as businesses and bodies that handle personal information, which we’ll explain in more detail later.
After more than four years of discussion and negotiation, GDPR was adopted by both the European Parliament and the European Council in April 2016. The underpinning regulation and directive were published at the end of that month.
After publication of GDPR in the EU Official Journal in May 2016, it came into force on May 25, 2018. The two-year preparation period gave businesses and public bodies covered by the regulation time to prepare for the changes.
GDPR applies across the entirety of Europe but each individual country has the ability to make its own small changes. In the UK, the government has created a new Data Protection Act (2018) which replaces the 1998 Data Protection Act.
The new UK Data Protection Act was passed just before GDPR came into force, after spending several months in draft formats and passing its way through the House of Commons and House of Lords. The Data Protection Act 2018 can be found here.
As the law was passed there were some controversies. It was amended to protect cybersecurity researchers who work to uncover abuses of personal data, after critics said the law could see their research criminalised. Politicians also pushed for a second Leveson inquiry into press standards in the UK, but this was dropped at the last minute.
In short, yes. Individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by the GDPR. “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR,” the ICO says on its website.
Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address… you name it. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.
The definitions are largely the same as those that were previously included in data protection laws. Where GDPR differs from previous data protection laws is that pseudonymised personal data can fall under the law – if it’s possible that a person could be identified from the pseudonym.
In the full text of GDPR there are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation.
There are eight rights for individuals. Among the changes are easier access for people to the data companies hold about them, a new fines regime and a clear responsibility for organisations to obtain the consent of people they collect information about.
Helen Dixon, the data protection commissioner for Ireland, who has major technology company offices under her jurisdiction, says the new regulation was needed and is a positive move. In the build-up to GDPR, she said startups need to have more awareness of the rules.
“One of the issues with startups is that when they’re going through all the formalities new businesses go through, there’s no data protection hook at that stage,” Dixon said.
Companies covered by the GDPR are accountable for their handling of people’s personal information. This can include having data protection policies, carrying out data protection impact assessments and keeping relevant documents on how data is processed.
In recent years, there have been scores of massive data breaches, including millions of Yahoo, LinkedIn, and MySpace account details. Under GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator where it could have a detrimental impact on those who it is about. This can include, but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more. The ICO has to be told about a breach within 72 hours of an organisation finding out about it, and the people it impacts also need to be told.
For companies that have more than 250 employees, there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place.
Additionally, companies that have “regular and systematic monitoring” of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. “It means the data protection will be a boardroom issue in a way it hasn’t been in the past,” says Elizabeth Denham, the UK information commissioner.
There’s also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person’s information, it has to clearly explain that consent is being given and there has to be a “positive opt-in”. A blog post from Denham explains there are multiple ways for organisations to process people’s data that don’t rely upon consent.
A Subject Access Request (SAR) allows an individual to ask a company or organisation to provide the data it holds about them. Previously, these requests cost £10 but GDPR scraps the cost and makes it free to ask for your information. When someone makes a SAR, businesses must stump up the information within one month. Everyone will have the right to get confirmation that an organisation has information about them, access to this information and any other supplementary information. As Dixon points out, big technology companies, as well as smaller startups, will have to give users more control over their data.
As well as this the GDPR bolsters a person’s rights around automated processing of data. The ICO says individuals “have the right not to be subject to a decision” if it is automatic and it produces a significant effect on a person. There are certain exceptions but generally people must be provided with an explanation of a decision made about them.
The regulation also gives individuals the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there’s no legitimate interest, and if it was unlawfully processed.
In the UK, these monetary penalties will be decided upon by Denham’s office and the GDPR states smaller offences could result in fines of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater). These are larger than the £500,000 penalty the ICO could previously issue.
Denham says speculation that her office will try to make examples of companies by issuing large business-crippling fines isn’t correct. “We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she says. “But we’ve always preferred the carrot to the stick”.
Denham says there is “no intention” for overhauling how her office hands out fines and regulates data protection across the UK. She adds that the ICO prefers to work with organisations to improve their practices and sometimes a “stern letter” can be enough for this to happen.
“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.” She adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.
The enforcement date for GDPR may have already passed but data protection is an evolving beast. It will never be completely possible for businesses to be fully “GDPR compliant”.
Keeping on top of data can be a tricky thing – especially when businesses are evolving the services that are offered to customers. The ICO’s guide to GDPR sets out all of the different rights and principles of GDPR.
It also has a starter guide, which is available here, that includes advice on steps such as making senior business leaders aware of the regulation, determining which information is held, updating procedures around subject access requests, and what should happen in the event of a data breach. In Ireland, the regulator has also set up a separate website explaining what should change within companies.
Businesses and organisations impacted by GDPR have had two years to get their systems ready. But things don’t always go to plan. It’s likely that many firms were not ready for GDPR. The UK information commissioner has stated she won’t be looking to make examples of companies by issuing large fines when they’re not deserved.
The ICO largely takes a collaborative approach to enforcement. Denham has said her office will look to engage with companies rather than issue them with punishments straight away. Companies that have shown awareness and taken steps to comply with GDPR are likely to be treated better than those that haven’t done any work around it.
We don’t claim to have all the answers. In between a lot of GDPR hype there have also been some incredibly useful resources published on the regulation. Here’s where to go if you’re looking for more in-depth reading:
– The full regulation. It’s 88 pages long and has 99 articles.
– The ICO’s guide to GDPR is essential for both consumers and those working within businesses.
– EU GDPR is full of information on the regulation. It details all you need to know and had a handy countdown clock for when GDPR would come into force.
– The EU’s Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.