General Data Protection Regulations
The General Data Protection Regulations (GDPR) is not just a European version of the UK’s Data Protection Act. The GDPR represents a major shakeup of data protection and has already passed into UK law, being enacted on the 25th May 2018.
This much-needed update takes into account the digital age and the higher risks ordinary people face when companies play fast and loose with their data: data that is lost or used for purposes they did not agree to, or bank accounts raided using data hacked from poorly protected systems.
It is a legal set of rules that must be adhered to by organisations that ‘process’ – harvest, store, or make use of – personal information. The focus is on people, since the information is about them; thus, the GDPR grants people rights and puts obligations on the organisations that hold their data. It is aimed at protecting personally identifiable information when it is in the hands of organisations.
The GDPR aims to prevent security breaches and the loss of personal data by organisations that hold or process Personally Identifiable Information (PII), and it affects any organisation that offers goods or services (even free ones) to, or monitors the behaviour of, EU citizens.
The scope of the GDPR is much wider than the Data Protection Act (DPA). Whilst the DPA was concerned with data subjects within the UK, the GDPR protects the data of EU citizens regardless of whether the company is EU based or not; so, Brexit is irrelevant. Data controllers and data processors can be jointly held responsible for data breaches and incur fines. Whilst on the subject of fines, and to keep your interest, the fines for contravention of the regulations are tiered. The top tier offences carry a fine of 20m Euros or 4% of the previous year’s annual turnover!
Data has a much broader definition than under current law, and the new definition acknowledges the digital age and the value personal data has. The GDPR defines personally identifiable data as ‘any information relating to an identified or identifiable natural person (Data Subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that person’ (GDPR Article 4(1)). It is important to note that the GDPR does not apply to processing “by a natural person in the course of a purely personal or household activity” (Article 2).
This is not just for big organisations, and there are many ‘Alternative Facts’ circulating in relation to who this regulation applies to. Early drafts of the GDPR mentioned an exclusion for organisations with fewer than 250 employees, but this did not make it into the final draft! The litmus test for any organisation, big or small, is: do you process (including just storing or using) information that can be used to identify a ‘natural’ living person, and do you have a lawful basis to process that information? Taken to an extreme, do you have just a CV or two sitting on your laptop which you might retain or share commercially with other parties? If so, this is for you.
To ensure you get on the pathway to compliance, you should make sure that decision makers and key people in your organisation are aware that the law is changing and of the impact the GDPR is likely to have. You should document what personal data you hold, where it came from and who you share it with. You will need to be absolutely clear that you have a lawful right to collect and process the data, and you will also need to update your privacy policies. Remember, the default position under the GDPR is that data subjects have to ‘opt in’, not ‘opt out’.
Data Protection Officers can assist you with many aspects of ensuring compliance with the GDPR. If you would like an initial discussion, then please get in touch with Derek Mann at firstname.lastname@example.org