What is the General Data Protection Regulation (GDPR)?
12 July 2017
The EU’s General Data Protection Regulation (GDPR) is designed to standardise data protection across the EU, and strengthen current regulations in line with the new and previously unseen ways personal data is now used.
In short, the GDPR will give people more say over how companies can use their personal data and introduces tougher fines for those who fail to comply or who suffer a data breach. It also makes data protection regulations more or less identical across Europe. Any company that processes data belonging to EU citizens will need to comply with the GDPR, even if it is based outside of the EU, meaning UK businesses will still need to comply even after Brexit.
Why is it being introduced?
The GDPR has been four years in the making, and one of the main reasons for introducing it is the changing ways companies now use personal data. For example, many companies like Facebook and Google swap access to people’s data for use of their services. Although the UK currently relies on the 1998 Data Protection Act, this new regulation takes into account the new ways companies utilise personal data, which weren’t foreseen when the original legislation was enacted. Another driver behind the GDPR is that the EU wants to give businesses a simpler, clearer legal environment to operate in.
Who does it apply to?
This new legislation will apply to both “controllers” and “processors” of personal data. A “controller” states how and why personal data is processed, and a “processor” is the one who processes the data. It is the responsibility of the controller to make sure that their processor abides by data protection law, and the processors themselves have a responsibility to maintain records of their processing activity.
What do I need to be aware of?
The definition of personal data has been expanded considerably by the GDPR, in line with the different types of data organisations now collect about individuals.
Under the GDPR organisations must ensure that personal data is processed lawfully, transparently and for a specified purpose. Consent from an individual must come in the form of a positive and active opt-in, and controllers must keep records of how and when an individual gave consent. That individual can withdraw their consent at any time, at which point the data should be deleted.
Individuals have the right to ask for access to their data at “reasonable intervals”, and the controller must respond to this request within one month. Controllers can no longer charge individuals for this request unless it becomes excessive or repetitive.
They also have “the right to be forgotten”, allowing them to demand that their personal data is deleted if it is no longer necessary to the purpose for which it was collected. This rule also allows individuals to demand that their personal data is erased if they have withdrawn their consent for data to be collected, or if they object to the way it is being processed.
Controllers must store the personal data in a commonly used format, such as a CSV file, so it can be easily transferred to another organisation at the request of the individual. If an individual makes such a request under this rule, the controller has one month to comply.
What if I don’t comply?
Penalties under the GDPR are much tougher than any data protection regulations we’ve seen before, so, if you haven’t done so already, you will want to prioritise preparations.
If you fail to obtain proper consent, ignore individuals’ rights over their personal data, transfer data to another country or ignore any of the other principles for processing data then your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is higher.
There are also financial penalties for those who fail to report a data breach within the specified time period. If, upon discovering a data breach, you do not notify the individuals affected by the breach and your data protection authority within 72 hours, then you could face a fine of up to 2% of your global annual revenue or €10 million, whichever is higher.
Currently, the maximum fine for a data breach under the Data Protection Act is £500,000, although, to date, the highest penalty issued has been £400,000 – which was levied on TalkTalk following their breach in 2016. However, if the company were to suffer the same breach under the GDPR, they would be looking at a fine of £59 million – a considerable jump!
This is just meant as a high-level overview of the key points of the new GDPR, and organisations should carry out their own research and seek consultative advice on the steps they need to take to achieve compliance.
The official “go live” date for the GDPR is growing ever closer, and with a number of actions required beforehand, organisations should start their preparations sooner rather than later to avoid potential multi-million-pound fines in their future.