What is GDPR?
The General Data Protection Regulation is an extensive new law regulating the collection and use of personal data of individuals in the European Union, which comes into effect on 25 May 2018.
GDPR replaces the Data Protection Directive of 1995, which was the EU’s first legal framework covering data security. In the 20 years since then, the explosion in the use of computers and the internet has contributed to a huge rise in the collection and processing of personal data. Unfortunately, this has also increased the potential for data theft and misuse. GDPR is therefore an attempt to deal with these threats, and update the law for the modern world.
What does GDPR cover?
GDPR is concerned with all kinds of personal data, which is any information relating to an identifiable individual (a data subject). This could for example include names, addresses, contact details, online usernames or demographic information.
Although created by the EU, GDPR applies to any organization (or person) with a European presence, or which deals with the personal data of data subjects within the EU (Article 3). It applies to organizations which act as data controllers and/or data processors:
Data controllers decide the purposes and methods of processing personal data – they coordinate processing.
Data processors are responsible for directly processing personal data based on the instructions of data controllers. This could for example include subcontractors.
There are potentially severe penalties for non-compliance (see below), which means that if your business has any dealings with this sort of data, it is vital for you to understand what GDPR means and what action to take.
Here are the main areas it covers:
The grounds for processing personal data (Article 6)
In order to be lawful, collection and processing of personal data must be justified under one of six possible grounds. For most organizations, the crucial grounds are (i) that the data subject consented to the processing (see below), (ii) that the processing is necessary to the performance of a contract with the data subject (or to steps requested by them in the lead up to entering such a contract), or (iii) that the processing is necessary for the organization to pursue its legitimate interests. There are stronger requirements covering sensitive information such as a data subject’s ethnic origin, religious beliefs or criminal convictions (Articles 9 & 10), as well as processing related to automated decision-making (Article 22).
The type of consent needed to collect personal data (Article 7)
In order to rely on a data subject's consent to processing (see above), the request for consent must be clear and unambiguous, and it should be clear what their personal data will be used for (e.g. marketing). Consent must be freely given (so avoid making it a requirement of entering a contract unless it is really necessary), and the data subject has the right to withdraw their consent at any time. For children under 16, consent must be given or authorized by a parent or guardian (Article 8).
The manner in which personal data must be processed (Articles 5 & 32)
Data subjects should be informed of what will be done with their data and their rights over the data (Articles 13 and 14). Personal data must be collected and processed in a manner which takes data security seriously, using processes designed with security in mind — this is known as “data protection by design and by default” (Article 25). This includes collecting the minimum information necessary, keeping it for no longer than is necessary, taking steps to keep it accurate and up to date, and protecting it from unauthorized access or accidental loss. It is also important to keep records of the sort of data being kept, the purposes of keeping it and the processes used to keep it secure (Article 30).
The rights of data subjects over their personal data (Articles 15 to 21)
Data subjects have a number of rights regarding their personal data, including the right to access the data, or to have it corrected, deleted or transferred. They also have the right to object to processing in certain situations. You will need to be prepared to action these requests in a helpful and timely manner.
The obligations when there has been a data breach (Articles 33 & 34)
If a data breach does occur, data processors are required to notify data controllers, and data controllers must notify the data subjects affected, as soon as possible. In addition, data controllers must, within 72 hours where possible, notify the relevant data protection supervisory body in the EU country in which they have their “main establishment” (for example, the Information Commissioner’s Office in the UK).
The relationship between data controllers and data processors (Article 28)
It is the data controller’s responsibility to ensure that the data processor can implement sufficient measures to keep the data secure and otherwise comply with GDPR. Data controllers must have a contract with their data processors setting out the types of data being processed and the nature of the processing and requiring (among other things) that processing only be done according to written instructions.
Other miscellaneous requirements
In certain circumstances, data controllers and processors must appoint data protection officers to advise on GDPR and other data protection requirements (Articles 37 to 39). Where proposed processing is high risk, controllers will have to undertake a data protection impact assessment and may need to send details to the supervisory authority (Articles 35 and 36). Personal data can only be sent outside of the EU under certain circumstances, to ensure that it remains safe (Articles 44 to 50).
The penalties for failing to comply (Article 83)
In contrast to the previous regime, GDPR authorizes fines for breaching its provisions which are potentially extremely severe. The maximum fine for more serious breaches is €20,000,000 or 4% of global turnover (whichever is higher), which means that making sure that your business complies with GDPR is a serious matter.