What is the General Data Protection Regulation (GDPR)?
12 July 2017
The EU’s General Data Protection Regulation (GDPR) will standardise data protection across the EU, and strengthen current regulations in line with the new and previously unseen ways companies use personal data.
In short, the GDPR will give people more say over how companies can use their personal data and introduces tougher fines for those who fail to comply or who suffer a data breach. It also makes data protection regulations more or less identical across Europe. Any company that processes EU citizens’ data needs to comply, even if it is based outside the EU. So UK businesses will still need to comply even after Brexit.
Why is the EU introducing the GDPR?
The GDPR has been four years in the making, and one of the main reasons for introducing it is the changing ways companies now use personal data. For example, many companies like Facebook and Google swap access to people’s data for use of their services. Although the UK currently relies on the 1998 Data Protection Act, this new regulation takes into account the new ways companies utilise personal data, which weren’t foreseen when the original legislation was enacted. Another driver behind the GDPR is to give businesses a simpler, clearer legal environment to operate in.
Who does the GDPR apply to?
This new legislation will apply to both “controllers” and “processors” of personal data. A “controller” determines how and why personal data is processed, whereas a “processor” is the one who actually processes the data on the controller’s behalf. It is the responsibility of the controller to make sure that their processor abides by data protection law. However, processors themselves also have a responsibility to maintain records of their processing activity.
What do I need to be aware of?
The GDPR expands the definition of personal data considerably, in line with the types of data organisations collect about individuals.
Organisations must ensure that they process personal data lawfully, transparently and for a specified purpose. Consent from an individual must come in the form of an active opt-in, and there must be a record of how and when an individual gave consent. That individual can withdraw their consent at any time, at which point you should delete the data.
Individuals have the right to ask for access to their data at “reasonable intervals”, and the controller must respond to this request within one month. Controllers can no longer charge individuals for this request unless it becomes excessive or repetitive.
They also have “the right to be forgotten”. Individuals can demand that their data is deleted if it is no longer necessary for the original purpose for which it was collected. Furthermore, individuals can also demand the erasure of their data if they withdraw consent for data collection or if they object to processing activities.
Controllers must store personal data in a common format, such as a CSV file, which can easily be transferred to another organisation at the request of the individual. If an individual makes such a request under this rule, the controller has one month to comply.
What if I don’t comply?
Penalties under the GDPR are much tougher than any data protection regulations we’ve seen before, so, if you haven’t done so already, you will want to prioritise preparations.
If you fail to obtain proper consent, ignore individuals’ rights over their personal data, transfer data to another country or ignore any of the other principles for processing data then your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is higher.
There are also financial penalties for those who fail to report a data breach within the specified time period. If, upon discovering a data breach, you do not notify your data protection authority within 72 hours, then you could face a fine of up to 2% of your global annual revenue or €10 million, whichever is higher.
Currently, the maximum fine for a data breach under the Data Protection Act is £500,000, although, to date, the highest penalty issued has been £400,000, which was levied on TalkTalk following their breach in 2016. Under the GDPR, however, that fine would increase to £59 million – a considerable jump!
This is just meant as a high-level overview of the key points of the new GDPR. Organisations should carry out their own research and seek consultative advice on the steps they need to take to comply.
The official “go live” date for the GDPR is growing ever closer. With a number of actions required, organisations should start their preparations soon to avoid potential multi-million-pound fines.