What is GDPR?
GDPR was adopted in April 2016 by the European Parliament, the Council of the European Union and the European Commission to strengthen regulation around data protection. The UK currently relies on the Data Protection Act (DPA) 1998, but with GDPR being introduced into UK law, individuals and businesses will face tougher fines for breaches and non-compliance. Unlike a directive, a regulation does not require enabling legislation to be passed by the government, meaning it takes immediate effect as of May 2018.
GDPR affects not only those operating in the EU, but also businesses outside the EU that offer goods and services to people in the EU. Any company holding information on people and businesses inside the EU is expected to comply, regardless of where the company is based.
How does it differ from the Data Protection Act (DPA)?
GDPR will replace the DPA on the 25th May 2018. It introduces some substantial differences and new policies on business processing and the use of technology, and it will determine how data can be used and stored.
We can explore the differences between GDPR and DPA on a variety of regulations:
The Information Commissioner’s Office (ICO) is currently able to issue fines of up to £500k to any UK organisation that ‘seriously breaches’ the DPA. When GDPR comes into force the fines will rise sharply. If an organisation fails to comply, fines can be up to €20 million (approx £175 million) or up to 4% of the business’s annual turnover, whichever is greater.
GDPR contains an accountability principle which requires businesses to demonstrate how they comply through a series of audits, including the implementation of “appropriate technical and organisational measures”.
Businesses are also required to produce and maintain documentation that clearly demonstrates the actions taken to comply with GDPR. This can include notices for employees and customers that explain upcoming and continuing changes to data processing.
Breach notification is a new requirement introduced by GDPR that puts pressure on organisations to reveal any breaches at the earliest opportunity. The DPA, on the other hand, does not specifically require organisations to report breaches.
GDPR states that you must “notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it”. This requirement also extends to alerting the individuals involved where there is a risk to their rights and freedoms.
GDPR individual rights to be aware of
Right to be forgotten
“The right to be forgotten” is built upon even further by GDPR, which gives data subjects direct control over their personal details.
Customers and employees now have the power to request the deletion or full removal of their personal data. Organisations are obligated to comply, although in certain circumstances this can be disputed, such as during an ongoing investigation. This extends to backed-up, archived and third-party data.
Right to portability
A new introduction to EU law allows individuals to obtain their own personal data for reuse as they see fit. Organisations are obliged to comply with these data portability requests as long as the information in question meets a specific set of criteria. The data must be provided within a month of agreeing to the request and presented in a machine-readable format such as a CSV file.
The right to be informed
This entails an obligation to provide “fair processing information” and emphasises the need for transparency over how personal data is handled.
GDPR sets out the information you should supply to the individuals concerned. Much of it is the same as what you already provide to comply with the DPA, but there is now further information you must provide.
Information you supply about the processing of data must be:
- Transparent, concise and easily accessible.
- Written in clear and plain language, particularly if addressed to a child.
- Free of charge.
The right of access
Individuals will have the right to obtain the following under GDPR:
- Access to their personal data.
- Confirmation that their data is being processed.
- Any other information that coincides with what they are already privy to.
The right of rectification
If data is inaccurate or incomplete, an individual is entitled to have their personal data rectified.
If you have disclosed any personal data to third parties, you must alert them of any rectification where feasible. Where appropriate and necessary, you must also inform the individual which third parties the data has been disclosed to.
A request for rectification of personal data must be responded to within a month of the request being made. Should the request be of a complex nature, the response period can be extended by a further two months.
If you are not taking steps to respond to a rectification request, as an organisation you must explain your reasoning for not doing so and inform the individual of their right to complain to the supervisory authority.
The right to erasure
Also known as the right to be forgotten, this gives individuals the right to have their personal data erased in order to prevent processing in the following circumstances:
- When the personal data stored is no longer necessary for the purpose it was originally collected for.
- If the individual withdraws consent to their personal data being stored.
- The personal data was unlawfully processed (and therefore in breach of GDPR).
- If a legal obligation requires the personal data to be removed.
- If the personal data is processed in relation to “the offer of information society services to a child”.
If the processing is causing the individual distress, this is likely to strengthen the case for erasure, although under GDPR this threshold of distress is no longer required.
The right to restrict processing
Restrictions on the processing of personal data can apply in the following circumstances:
- If an individual challenges the accuracy of their personal data, processing should be restricted until the accuracy of the data has been verified.
- If the individual objects to the processing, while you consider whether the organisation’s legitimate grounds override those of the individual in question.
- If it is needed for a legal claim.
You may need to review your organisation’s own procedures in order to determine where you may be required to restrict the processing of personal data.
How does this affect compliance post-Brexit?
GDPR will come into effect from the 25th May 2018. The UK is still likely to be in the EU at this time. The regulation does not require domestic UK legislation to approve its implementation, so it is advisable to uphold GDPR in your organisation despite the uncertainty over its status post-Brexit. If your organisation works with businesses in the EU, GDPR will still need to be complied with regardless.
Who does GDPR apply to?
Controllers and processors
The controller is responsible for how and why personal data is processed, and the processor acts on behalf of the controller. If you are subject to and currently complying with the DPA, you will also be subject to GDPR.
Processors will have specific legal obligations placed upon them. They must maintain records of personal data and processing activities, leaving them more exposed to legal liability should there be a breach of the legislation. The controller, on the other hand, will have a legal obligation to ensure that contractors, as well as their own organisation, are complying with GDPR.
Processing covered by law enforcement is not subject to GDPR.
What information does GDPR apply to?
Sensitive personal data
This is a new addition made by GDPR, which refers to sensitive personal data as “special categories of personal data”, such as genetic and biometric data, or any form of data that is unique enough to identify a specific person.
GDPR has made more specific amendments as to what constitutes personal data. Information such as one’s IP address can be classified as personal data, along with any other information that is stored and accessible according to specific criteria. This definition is wider than the current DPA as it can also include chronologically ordered sets of manual records containing personal data.
Key-coded data or information that has been pseudonymised can also fall under GDPR, depending on how difficult it is to associate the pseudonym with the specific individual in question.