A brief GDPR Overview for those who need a bit of clarity on the basics of GDPR.
The GDPR (General Data Protection Regulation) is an EU regulation that will replace the current UK data protection regime based on the Data Protection Act 1998.
When Does The New Regulation Start?
25th May, 2018.
The Key Terms:
What Is Personal Data?
GDPR and other data protection laws rely on the term ‘personal data’ to describe information about individuals. GDPR distinguishes two key types of personal data, ordinary personal data and sensitive (‘special category’) personal data, and they cover different categories of information.
Personal data is anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address or other online identifier. It covers data processed automatically as well as any other data from which a person can be identified, whether on its own or in combination with other information held.
Sensitive Personal Data
GDPR refers to sensitive personal data as ‘special categories’ of personal data. These include racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric and health data, and sexual orientation. Processing these requires an additional specific condition on top of the normal lawful basis.
When personal data is processed or collected by a company, it must be:
- Processed lawfully, fairly and transparently.
- Adequate, relevant and limited to what is necessary for the purposes for which it is processed.
- Accurate and kept up to date.
- Kept in a form that permits identification of the data subject for no longer than is necessary for the purposes of the processing.
- Processed in a manner that ensures its security.
And can only:
- Be collected for specified, explicit and legitimate purposes.
So, what’s different?
- The full text of GDPR contains 99 articles setting out the rights of individuals and the obligations placed on organisations covered by the regulation. These include giving people easier access to the data companies hold about them, a new fines regime, and a clear responsibility for organisations to show a lawful basis for every use of personal data, including valid consent where consent is the basis relied on.
- The regulation itself is a long document of dense legal text, and failure to meet its requirements could turn out to be expensive: the higher tier of fines reaches 4% of annual global turnover or €20 million, whichever is greater.
Who Is In Charge Of GDPR In The UK, And Who Will Enforce It?
The Department for Digital, Culture, Media and Sport (DCMS) is the government arm responsible for ensuring that UK law complies with the requirements of GDPR. It is responsible for creating the UK’s Data Protection Bill but won’t control the day-to-day application of GDPR once it is in force.
Once the provisions of GDPR become law in the UK, the Information Commissioner’s Office (ICO) will be responsible for enforcing them. The ICO has the power to conduct investigations, including criminal investigations into data protection offences, and to issue fines. It is also providing organisations with a large amount of guidance on how to comply with GDPR.
Accountability and compliance
Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This includes having data protection policies, carrying out data protection impact assessments for higher-risk processing, and keeping records of how data is processed.
Companies with 250 or more employees must keep records of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for, and descriptions of the technical security measures in place. Smaller organisations are not exempt where their processing is more than occasional, is likely to pose a risk to individuals, or involves special category data.
Additionally, public authorities, and companies that carry out “regular and systematic monitoring” of individuals on a large scale or process special category data on a large scale, have to designate a data protection officer (DPO). For many organisations covered by GDPR this may mean hiring a new member of staff or contracting the role out, although larger businesses and public authorities may already have people in this role. The DPO must report to the highest level of management, monitor compliance with GDPR, and act as a point of contact for employees, customers and the ICO.
There’s also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person’s information, it has to explain clearly what the person is consenting to, and the consent has to be a “positive opt-in”: pre-ticked boxes, silence or inactivity do not count.
How Are Businesses Preparing For GDPR?
When implemented, GDPR will have a varying impact on businesses and organisations: for instance, not every company will require a data protection officer.
Companies will be taking steps to ensure all angles are covered, and by May 25th most, if not all, of the requirements of GDPR should have been met. These steps include making senior business leaders aware of the regulation, updating procedures around subject access requests, determining which information is held and on what lawful basis, and deciding what should happen in the event of a data breach, including meeting the 72-hour deadline for reporting a notifiable breach to the ICO.
The ICO (Information Commissioner’s Office) says that “many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA)”. It adds that businesses already complying with the current data protection law are highly likely to be meeting many of the GDPR principles already.
As well as this guidance, the ICO created a phone service to help small businesses prepare for GDPR. The service provides answers about how small companies can implement GDPR procedures.
Over the course of the next 4 weeks prior to the new regulations taking effect, companies will be sending mass email campaigns to customers, clients, partners and employees throughout Europe, so don’t be surprised to see a few show up in your inbox. GDPR does not itself require these emails: organisations that rely on consent to stay in touch with you are checking whether the consent they already hold meets the new, stricter standard, and asking again where it does not. You may be asked to actively opt in or manually confirm that you want to stay subscribed to mailing lists, effectively giving said company permission to keep contacting you and holding your data for that purpose. If you don’t respond, a company relying solely on consent should stop emailing you.
Despite the overwhelming amount of information and paperwork that comes with the new regulations, not to mention the importance of compliance, there will be no overnight witch hunt come May 25th. There are still many grey areas that the ICO hasn’t nailed down. That said, the basics of this new regime should still be actioned and companies will be required to abide by the new law; however, it will take a bit of trial and error, time and many discussions to make GDPR effective and watertight moving forward.
Hope that helps with your concerns about GDPR and what it means.