What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation that brings data protection legislation up to date and covers the new ways in which data is now used. The UK is currently covered by the Data Protection Act 1998, but this will be superseded by the new legislation. The GDPR will introduce tougher fines for data breaches and will give consumers more control over how their data is used.
When will it come into force?
The GDPR was first proposed in January 2012 by the European Commission and was approved by the European Parliament in April 2016. It will come into force on the 25th May 2018, after a two-year transition period, across the 28 EU Member States. From this date, all organisations that deal with personally identifiable information will be required to abide by the regulation.
What does GDPR mean for businesses?
Under the GDPR the principles are similar to those in the Data Protection Act, with additional detail in certain points. The most significant addition is the accountability principle, which will require you to show how you comply with the principles by documenting the decisions you take.
Article 5 of the GDPR requires that personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Collected for specified, explicit and legitimate purposes and not further processed for purposes incompatible with the original purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed.
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data are rectified or erased without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods as long as it is processed solely for archiving purposes in the public interest, such as scientific or historical research or statistical purposes.
- Processed in a manner which ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
The key differences between the DPA and GDPR are:
The definition of personal data will become broader and will bring more data within the regulated perimeter. Under the current directive, personal data has been defined as data which relates to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. The new regulation will extend this to cover identifiers relating to factors such as an individual's genetic, economic, cultural or social identity.
As under the DPA, the GDPR will require data controllers to have a legitimate reason for processing personal data, but under the new regulation the data held must be documented, including where it has come from and who it has been shared with. If personal data held is inaccurate and has been shared with other organisations, it is your responsibility to inform the other organisations about the inaccuracy. If an organisation relies on the consent of the data subject, it must be able to demonstrate that consent was freely given. Consent can be given by a written statement, including by electronic means, which could include the data subject ticking a box or choosing technical settings for social network accounts, but pre-ticked boxes or inactivity will no longer constitute consent.
The guidance to the GDPR states: ‘Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data’. The regulation will therefore introduce special protection for children’s personal data, and if information is collected about children (anyone under 13 years old in the UK) then parental consent will be required in order to lawfully process their data.
Incorporated in the GDPR is a strong focus on citizens' rights. Organisations will now have to disclose the intended use of individuals’ data, how it will be stored and the duration of storage. In addition, it will introduce a ‘right to be forgotten’, which means data subjects will be able to request that their personal data is erased by the data controller.
Under the Data Protection Act, even in the most serious data breaches, there is no requirement to inform the Information Commissioner's Office (ICO). Under the GDPR, if an organisation suffers a data breach it must notify the ICO within 72 hours of becoming aware of it. Where this cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification to the ICO; if there is no explanation for not meeting the 72-hour deadline, the outcome could be a fine of up to €10 million or 2% of your global annual turnover.
Currently the ICO can issue penalties of up to £500,000 for serious breaches of the DPA, but to ensure compliance with the new regulation, steep fines are being put in place. If violations do occur, organisations could be fined up to €20 million or 4% of global turnover for serious breaches.
Will Brexit affect GDPR in the UK?
The government has not yet triggered Article 50, so for the immediate future the UK must still comply with the same data protection regime as the rest of the EU. In February 2016, the minister of state for digital and culture, Matt Hancock MP, said: “because the UK will have adopted GDPR by the time Brexit takes place, and replacement legislation is likely to be based on the EU’s, rather than trying to force the EU to accommodate for UK legislation drafted from scratch.”
Crucially, GDPR will apply to every business which offers goods and services to EU citizens or which monitors EU citizens’ behaviour, so it is still paramount that all UK businesses focus on getting their GDPR strategy in place.