What is GDPR?
The General Data Protection Regulation (GDPR) is an extensive new law regulating the collection and use of personal data of individuals in the European Union, which comes into effect on May 25, 2018.
GDPR replaces the Data Protection Directive of 1995, which was the EU’s first legal framework covering data security. In the 20 years since then, the explosion in the use of computers and the internet has contributed to a huge rise in the collection and processing of personal data. Unfortunately, this has also increased the potential for data theft and misuse. GDPR is therefore an attempt to deal with these threats, and update the law for the modern world.
What does GDPR cover?
GDPR is concerned with all kinds of personal data, which is any information relating to an identifiable individual. This could for example include names, addresses, contact details, online usernames or demographic information.
Although created by the EU, GDPR applies to any organization (or person) with a European presence, or which deals with the personal data of individuals within the EU (Article 3). It applies to organizations which act as data controllers and/or data processors:
Data controllers decide the purposes and methods of processing personal data – they coordinate processing.
Data processors are responsible for directly processing personal data based on the instructions of data controllers. This could for example include subcontractors.
There are potentially severe penalties for non-compliance (see below), which means that if your business has any dealings with this sort of data, it is vital for you to understand what GDPR means and what action to take.
Here are the main areas it covers:
The grounds for processing personal data (Article 6).
In order to be lawful, collection and processing of personal data must be justified under one of six possible grounds. For most organizations, the two crucial grounds are (i) that the individual consented to the processing (see below), or (ii) that the processing is necessary for the performance of a contract with the individual (or for steps requested by them in the lead-up to entering such a contract). There are stronger requirements covering sensitive information such as an individual’s ethnic origin, religious beliefs or criminal convictions (Articles 9 & 10).
The type of consent needed to collect personal data (Article 7).
In order to rely on an individual’s consent to processing (see above), the request for consent must be clear and unambiguous, and it should be clear what their personal data will be used for (e.g. marketing). Consent must be freely given (so avoid making it a requirement of entering a contract unless it is really necessary), and the individual has the right to withdraw their consent at any time. For children under 16, consent must be given or authorized by a parent or guardian (Article 8).
The manner in which personal data must be processed (Articles 5 & 32).
Personal data must be collected and processed in a manner which takes data security seriously, using processes designed with security in mind - this is known as “data protection by design and by default” (Article 25). This includes collecting the minimum information necessary, keeping it for no longer than is necessary, taking steps to keep it accurate and up to date, and protecting it from unauthorized access or accidental loss. It is also important to keep records of the sort of data being kept, the purposes of keeping it and the processes used to keep it secure (Article 30).
The rights of individuals over their personal data (Articles 12 to 22).
Individuals have a number of rights regarding their personal data, including the right to access the data, or to have it corrected, deleted or transferred. They also have the right to be given information about the data controller and its processes when the personal data is obtained (whether it is directly collected from them or otherwise), and the right to object to processing in certain situations.
The obligations when there has been a data breach (Articles 33 & 34).
If a data breach does occur, data processors are required to notify data controllers, and data controllers must notify the individuals affected, as soon as possible. In addition, data controllers must, within 72 hours where possible, notify the relevant data protection supervisory body in the EU country in which they have their “main establishment” (for example, the Information Commissioner’s Office in the UK).
The relationship between data controllers and data processors (Article 28).
It is the data controller’s responsibility to ensure that the data processor can implement sufficient measures to keep the data secure and otherwise comply with GDPR. Data controllers must have a contract with their data processors setting out the types of data being processed and the nature of the processing, and requiring (among other things) that processing only be done according to written instructions.
The penalties for failing to comply (Article 83).
In contrast to the previous regime, GDPR authorizes potentially extremely severe fines for breaching its provisions. The maximum fine for more serious breaches is €20,000,000 or 4% of global turnover (whichever is higher), which means that making sure that your business complies with GDPR is a serious matter.
This is the first in a series of posts about GDPR, analyzing its requirements and the steps organizations will need to take to avoid breaching them. We will be going into detail about each of the areas above, as well as who will be affected and the responsibilities of data controllers and processors. Our aim is to provide you with enough knowledge and understanding to avoid potential pitfalls and prepare your business for the major changes coming this May.
If you would like to be alerted when new posts are added to this series, add your email to our mailing list. If you are wondering how to make your company's application, data warehouse or product GDPR compliant, feel free to reach out to us.