This post was last updated 15 August 2018
Disclaimer: This post is not legal advice. So ensure you check your specific GDPR circumstances with a lawyer.
TL;DR: The GDPR is a regulation that came into force and became applicable on 25 May 2018. It changes how businesses globally handle the personal data of European individuals (whether online, digitally, or in hard copy). This affects non-EU-based sites and businesses too. You need to make your business and websites GDPR compliant; otherwise, you could be facing some serious fines!
Why should I care about GDPR?
To be honest, small, medium, big or huge businesses – it doesn’t really matter; all sizes of businesses should be scared. The reality is that bigger businesses are more likely to be able to tolerate any fines levied if they fall foul of the GDPR (and they can be huge).
But I’m getting ahead of myself.
So, what’s the big deal?
Well, to answer that we need to know what the GDPR is. This next bit of background adds a little necessary context, but bear with me.
GDPR stands for General Data Protection Regulation. And the GDPR will replace the Data Protection Directive (DPD) of 1995.
A brief history lesson is this:
- The Data Protection Directive (DPD) came into being in 1995
- The DPD became law in 1998 as the Data Protection Act (DPA)
- Eighteen years on, the GDPR came into force on 24 May 2016
The GDPR allowed for a two-year transition to allow businesses to get ready for it. This means it became applicable on 25 May 2018.
For those that care, unlike the DPD, which was a Directive, GDPR is a Regulation. Which means it’s already law. It doesn’t require national governments to pass any enabling legislation (as was necessary to make the DPD law, by passing the DPA). In other words, and like it or not, it’s live now.
The GDPR is an EU law made up of a bunch of Articles. They cover things like scope, definitions, liabilities, remediations, penalties etc. All of the member states of Europe have a Supervisory Authority (SA) that will advise on and enforce the GDPR in their region. In the UK, the SA is the ICO.
Whilst all member states have agreed to the GDPR, each member state can add to it if they wish for their region. Germany is one such member state. The GDPR is tough as it stands but Germany is adding a bunch of extra rules, making it even tougher. So if you have data stored and / or processed in Germany, you may have even more hoops to jump through.
The full 88-page Regulation can be read by all and sundry by visiting the Europa website.
There’s also lots of other helpful (and easier to read) information surrounding GDPR on the ICO website. Definitely worth checking out.
So why would the ICO come knocking at your door? Well, if you have been wronged (from a data perspective), the ICO is the organisation you complain to. For example, you’re still getting emails after unsubscribing from a list. Or you have asked an organisation what data they hold about you – and you get no response. The ICO has stated that it intends to process 100% of all complaints made.
It is worth noting that it matters not whether the UK is in or out of the EU. The GDPR will still apply. That said, post Brexit there will likely need to be some tweaks to how it is applied.
Yeah, okay. So what is the GDPR already?
The GDPR is not too dissimilar to its predecessor, the DPA. The DPA concerned itself with how organisations, businesses or the government use personal information. Under the DPA, those responsible for using data of this type are required to adhere to strict rules (known as data protection principles).
Ok, fair enough.
The GDPR takes those principles further and wider. Meaning the ICO
If businesses ignore this law, they can be fined up to €20m (Euros) or 4% of their global annual turnover (whichever is greater). In some cases, a business can actually be shut down!
Compliance will need a lot of time and effort from businesses. Many, many businesses are only now just beginning to realise what a mammoth exercise this is. And time is running out…
Of course, that all sounds like doom and gloom – and for businesses, it isn’t going to be fun or a cheap exercise. Yet, we mustn’t overlook the huge positives that the GDPR will bring to us as individuals. For us, the GDPR is actually an immensely good thing indeed. And very long overdue.
So what does the GDPR cover?
The rules are pretty complex, and it is easy to find them overwhelming. It’s mostly common sense really. The rules fall into six main principles.
Personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified legitimate reasons. And then used only in ways the individual concerned is clearly aware of and agrees to;
- limited to only what is necessary, in relation to its use;
- accurate. Where necessary, you must take every reasonable step to ensure that such data stays accurate;
- regularly reviewed to confirm it remains necessary to have the data. Erase it without delay if it is no longer necessary;
- stored and processed in a secure manner through appropriate technical or organisational measures.
Personal data under the GDPR is defined as data that can be used to identify a European individual. This is regardless of where – globally – that data resides. Personally identifiable data includes obvious things like:
- email address,
- photos / video etc
Perhaps less obvious (but now well and truly in scope) are things like:
- IP address,
- biometric data,
- genetic data,
- CCTV footage
The list is pretty extensive should you go look at the regulation. Pretty much anything is fair game as personal data if a European individual can be identified by it.
Three other key definitions that crop up throughout the GDPR that you will need to be familiar with are:
- Data Subject – a European individual identified through some personal data
- Controller – an entity (a natural or legal person, public authority, agency or any other body) that determines the purposes, conditions and means of the processing of personal data. They are responsible for:
  - implementing appropriate technical and organisational measures,
  - implementing data protection policies,
  - and adhering to codes of conduct that demonstrate compliance.
- Processor – an entity (a natural or legal person, public authority, agency or any other body) that processes data on behalf of the Data Controller
Bear in mind that a person, organisation, or agency can be both a Controller and a Processor.
The scope of the GDPR is defined in two ways – Material and Territorial:
Material – In scope:
Personal data that is:
- processed wholly or partly by automated means
- part of a filing system, or intended to be (includes hardcopy)
Material – Out of scope:
Using personal data:
- in the course of an activity outside of EU Law
- for such things as border checks, asylum and immigration status
- in relation to a purely personal activity (e.g. your Christmas card list. However, something like Neighbourhood Watch would fall in scope)
- for the purpose of crime prevention etc.
Territorial:
- The Regulation applies to controllers and processors in the EU, irrespective of where processing takes place
- It applies to processing activities around goods or services (whether paid for or not), or the monitoring of a European individual’s behaviour within the EU (e.g. CCTV)
As you can see, the definition of what is personal data is much broader than before. And the GDPR has a much greater territorial reach. A global company that has EU personal data stored in the US, for example, is in scope and is liable!
What about Public Domain data?
The GDPR still applies when the source of the data was public domain (and so was freely available). Largely, the rules here are to do with the use of the data, and whether explicit consent becomes necessary. Using such data for profiling is an example where the GDPR has a greater effect than before.
Just a few of the key rules that fall out of the six main principles described earlier, and which you’ll need to get to grips with, are:
- Whatever country in the world does the processing, if it is European data then it is subject to the GDPR
- The data subject, if giving consent (when necessary), must be able to do so via an intelligible, unambiguous, and easily accessible form. Opt-in should not be the default; consent must be actively given
- Consent must be as easy to withdraw as it was to give
- You must be able to demonstrate fair and lawful processing of data
- You can only use the data in the manner for which it was agreed
- Understand the rights of data subjects to:
  - access their data
  - have their data rectified if incorrect
  - be forgotten, i.e. “to be erased”
  - data portability – the right for a data subject to move their data in a machine-readable format
- Breach Notification procedures must be in place
- Appropriate transparent privacy policies need to be available
- Put in place agreements between data controllers and processors. These must describe the data that is being supplied, as well as the processors’ responsibilities for processing and safeguarding that data. This is a biggie. Without this, if one of your processors gets hacked, you’re likely to be liable for 100% of any fine issued! With these agreements properly in place, the processor is likely to be liable for most or all of any fine.
So what do I do now?
If you haven’t started to act then you need to start now.
This is an immense undertaking for the majority of businesses. It will require many (if not all) existing business and IT processes to be reviewed and changed. It will affect business websites and how they collect and / or process data. It also affects all agreements / contracts where personal EU data is shared, whether that is just for consumption or for onward processing.
And finally, businesses will need to have agreements drawn up with entities within their own organisation if such data crosses country borders. And those agreements will actually need to be logged with the SA for that country.
Below this post you can download our checklist on how to go about getting compliant with the GDPR.