You may have heard people across many industries talking about the General Data Protection Regulation, or GDPR. Those four letters might not mean much to you right now, but there is a great deal of discussion around them, and for good reason. From 25 May 2018 the GDPR is enforceable in the UK and across the EU, and it aims to protect individuals within the European Union. Its primary objectives are to give citizens control over their personal data and to unify data protection rules for businesses operating in the EU, so that one set of obligations applies everywhere. In the UK it replaces the regime built on the Data Protection Act 1998 (DPA).
Who Does It Apply To?
The GDPR applies to ‘controllers’ and ‘processors’, and the definitions are broadly the same as under the Data Protection Act: a controller decides why and how personal data is processed, a processor carries out that processing on the controller’s behalf. Both must keep records of their processing activities, and for the first time processors carry direct legal obligations of their own. Controllers must also ensure that their contracts with processors contain the terms the new regulation requires. As well as organisations established in the EU, organisations outside the EU must comply if they offer goods or services to individuals in the EU or monitor their behaviour, regardless of where the data is ultimately stored.
Which Information Does The GDPR Relate To?
The GDPR applies to personal data, and its definition is broader and more explicit than the DPA’s. For example, online identifiers such as an IP address, cookie identifiers or device IDs can now be personal data, reflecting changes in technology and in how data is collected. Generally speaking, if information was covered by the DPA it will also be covered by the GDPR. Both automated processing and structured manual filing systems are affected. Pseudonymised or encrypted data is still personal data if it can be attributed to a person by someone who holds the key or the additional information needed to re-identify them; only data that cannot reasonably be linked back to an individual falls outside the regulation.
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
As with the DPA, the GDPR also has a stricter regime for sensitive personal data, which it calls ‘special categories of personal data’, with some changes to the categories themselves. Genetic data, and biometric data processed to uniquely identify an individual, are now explicitly included. Personal data relating to criminal convictions and offences is not one of the special categories, but similar extra safeguards apply to its processing.
What Does It Mean For The Consumer?
Organisations will have to be more transparent with their customers, with upfront and clear privacy notices. Consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Pre-ticked boxes, inactivity or silence will no longer count as consent.
Data controllers must now build individuals’ rights into new processes from the outset, and where an organisation is required to appoint a Data Protection Officer, that person will champion those rights within the business. The GDPR also makes it easier for consumers to switch suppliers through the right to ‘data portability’: individuals can obtain the data they provided in a structured, commonly used, machine-readable format and have it transmitted to another controller. Objecting to direct marketing becomes simpler too, as organisations must draw attention to that right clearly and separately, no later than their first contact with the individual.
Consumers will be informed of data breaches more quickly. Data controllers are required by law to notify the supervisory authority of a breach that is likely to put individuals at risk without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to individuals, those individuals must be told as well. Penalties are much tougher, with fines of up to €20 million or 4% of global annual turnover, whichever is higher, so organisations responsible for nuisance calls and unwanted contact face far greater exposure than before. Generally speaking, more power is placed in the hands of citizens when it comes to decisions about their data.
Steps To Take Now
Do the key people in your business understand the importance of the changes? They are likely to have a profound impact on how you operate, and they cannot be ignored.
It’s time to get organised. Document the personal data you currently hold, where it came from, why you process it, who it is shared with and how long you keep it. An information audit may be necessary to make sure nothing is missed.
You should check over your current privacy notices and put a plan in place to make any necessary changes.
Focus on the individual
The individual’s rights are at the centre of the changes, so your procedures need to reflect that. Be prepared to delete personal data, to correct it, to restrict its processing and to provide it electronically in a machine-readable format.
Your procedures also need to reflect the new timescales: subject access requests must generally be answered within one month, down from 40 days, and usually free of charge. Decide now how your business will locate, review and hand over an individual’s data once the changes take effect.
Look at the types of data processing that go on within your business, identify the lawful basis for each one, and make certain your reasoning is solid and documented, because you will have to state it in your privacy notices.
Focus on the consumer. Revisit the ways you seek, record and manage consent, and whether existing consents meet the new standard; if they don’t, they will need to be refreshed.
If you offer online services directly to children, you will need parental consent for those under the applicable age threshold (16 under the GDPR, which member states may lower to 13), so you’ll need to outline the ways in which you verify a person’s age.
Given the speed at which data breaches now have to be reported, put a system and process in place so that you can detect a breach, assess the risk to individuals, and notify the supervisory authority and affected individuals within the required timescales should that situation occur.
Data Protection Officers
Someone within the company needs to take responsibility for compliance with the new rules. A Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special-category data; others may still choose to appoint one. Either way, the role should be factored into your employment strategy and organisational structure.
This is the first part in an ongoing series about the GDPR and how it affects your business. Sign up to our email updates to receive the rest straight into your inbox.