What is the General Data Protection Regulation (GDPR)?
July 12th, 2017
The General Data Protection Regulation (GDPR) is a piece of EU legislation introduced on the 25th of May, 2018. It changed the way companies are allowed to collect and process data about citizens within the EU, providing more rights to the consumer and introducing stricter penalties for businesses who fail to comply.
Do companies outside the EU need to comply with GDPR?
Any company that processes data of any EU citizens needs to comply with GDPR, even if the company is located outside of the EU. This means that UK businesses will still need to comply post-Brexit and companies in the Americas, Asia, Africa, Australia and even Antarctica will need to comply with GDPR if they process the data of any EU citizen.
Why did the EU introduce GDPR?
The GDPR has been four years in the making, and one of the main reasons for its introduction is the changing ways companies are using personal data. Many companies such as Facebook, Google and other social networks swap access to people’s data for use of their services.
GDPR acted as a modernisation of the 1998 Data Protection Act which didn’t account for the new ways companies were utilising personal data. Another driver behind GDPR was to give businesses a simpler, clearer legal environment to operate in.
Who does GDPR apply to?
This new legislation will apply to both “controllers” and “processors” of personal data. A “controller” states how and why personal data is processed. Whereas a “processor” is the one who processes the data. It is the responsibility of the controller to make sure that their processor abides by data protection law. However, the processors themselves have a responsibility to maintain records of their processing activity.
What do businesses need to be aware of regarding GDPR?
The GDPR expands the definition of personal data considerably, in line with the types of data organisations collect about individuals.
Organisations must ensure that they process personal data lawfully, transparently and for a specified purpose. Consent from an individual must come in the form of an active opt-in, and there must be a record of how and when an individual gave consent. That individual can withdraw their consent at any time, at which point you must delete the data.
Individuals have the right to ask for access to their data at “reasonable intervals”, and the controller must respond to this request within one month. Controllers can no longer charge individuals for this request unless it becomes excessive or repetitive.
They also have “the right to be forgotten”. Individuals can demand that their data is deleted if it is no longer necessary for the original purpose it was collected. Furthermore, individuals can also demand the erasure of their data if they withdraw consent for data collection or if they object to processing activities.
Controllers must store the personal data in a common format, such as a CSV file, which is easily transferred to another organisation – at the request of the individual. If an individual makes such a request under this rule the controller has one month to comply.
What if I don’t comply with GDPR?
Penalties under the GDPR are much tougher than any data protection regulations we’ve seen before, so, if you haven’t done so already, you will want to prioritise preparations.
If you fail to obtain proper consent, ignore individuals’ rights over their personal data, transfer data to another country or ignore any of the other principles for processing data then your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is higher.
There are also financial penalties for those who fail to report a data breach within the specified time period. If upon discovering a data breach, you do not notify your data protection authority within 72 hours then you could face a fine of up to 2% of your global annual revenue or €10 million, whichever is higher.
Currently, the maximum fine for a data breach, under the Data Protection Act, is £500,000. Although, to date, the highest penalty issued has been £400,000 – which was levied on TalkTalk following their breach in 2016. However, if that breach had occurred under GDPR legislation. That fine would have increased to £59 million – a considerable jump!
This is just meant as a high-level overview of the key point of the new GDPR. Organisations should carry out their own research and seek consultative advice on the steps they need to take to comply.