What is GDPR and why is it so important?
Beginning in 2012, the EU spent several years updating and modernising its data protection law to bring rules written for a pre-internet era into the 21st century. In the UK, the previous regime was the Data Protection Act 1998, which implemented the EU's 1995 Data Protection Directive. The GDPR goes much further in protecting individuals by putting the onus on organisations to manage and safeguard personal data, so: "What is GDPR?"
The GDPR – A Digital Blueprint
Two reasons why the GDPR was brought into existence:
- To make organisations more aware that data needs protecting, especially in how it is managed. The hacking and cybercrime incidents that have come to light in recent years have, without doubt, justified the aims of the GDPR.
- To give the EU more consistent control over data protection, so that organisations have clarity and uniformity on how they should act across the whole area of data handling.
Are you GDPR Compliant?
The GDPR was adopted with overwhelming support in 2016 and has applied in all EU member states since 25 May 2018. Because the GDPR is a regulation rather than a directive, it is directly applicable in every member state without having to be transposed into national law. Despite the immense hype and publicity surrounding it, and despite the consequences of failing to comply, many organisations are still not compliant. Many businesses do not know what the GDPR is, or to whom it applies.
A survey by IDC found that 20% of small businesses in the UK and Germany did not know what the GDPR was just months before it came into effect. Awareness among medium-sized businesses across the EU was higher, up to 90%, but only 41% of them had taken any steps to prepare. Outside the EU the figures were lower still. An important point to bear in mind is that the GDPR has no borders: it applies to any company, anywhere in the world, that processes the personal data of people in the EU, and with fines of up to €20 million or 4% of annual global turnover (whichever is higher) for non-compliance, this poses a significant risk for many organisations. Giants like Facebook and Google have already faced enforcement action for non-compliance. Businesses need to understand what the GDPR is and make sure they are compliant. It is never too late to become compliant, but it is essential to take the necessary actions.
Within any organisation, designated controllers and processors of data will need to abide by the GDPR.
- Data controllers are required to understand the GDPR fully, to provide individuals with clear information about the processing, and to be able to state why data is being processed, both inside and outside their organisation.
- A data processor is concerned with the actual processing of the data on the controller's instructions.
- A "controller" can be any organisation, from a profit-making business to a non-profit charity or government body.
- A "processor" could be an outsourced or third-party company, such as an IT provider or a marketing service provider, that carries out data processing on behalf of the data controller.
It does not matter where controllers or processors are based, whether in the EU or elsewhere in the world: the GDPR still applies provided the data they handle relates to individuals in the EU. The main change the GDPR brings is to the relationship between controllers and processors. Controllers retain ultimate responsibility for the processing of data even when it is outsourced, so the GDPR requires them to choose the processors of their personal data carefully and diligently. Processors themselves are now under a direct statutory duty to comply with the GDPR and are exposed to far more liability than they were under the old Data Protection Act.
When may Businesses be Permitted to Process Data?
Controllers have to ensure that all personal data is processed in accordance with the GDPR.
Principal duties to keep in mind and ensure that, as a business, you adhere to the GDPR are:
Further information regarding the rights of individuals can be found in the ICO's guidance on Lawful Basis for Processing Data and the Rights of Individuals.
What is the Significance of “Personal Data” under the GDPR?
The GDPR's definition of personal data is deliberately broad: any information relating to an identified or identifiable natural person. Because the range is so wide, each organisation has to look closely at what data it actually collects to decide what falls within the definition. Common examples are names, addresses, email addresses, age and date of birth, but the definition also reaches less obvious identifiers and, in the GDPR's "special categories", more sensitive data, for example:
- IP addresses
- Health information (a special category, which requires additional protection)
Pseudonymised and encrypted data also remain within the GDPR wherever the individual can still be identified, for example because the pseudonymisation can easily be reversed or because the organisation still holds the key that links the data back to a person.
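The point about reversibility is easiest to see in code. The following is an added example, not part of the original article or any regulator's guidance; it compares a naive pseudonym (an unkeyed hash of an email address) with a keyed one (HMAC under a secret key) and shows the attacker's dictionary attack that reverses the former. The email addresses and the candidate list are constructed for the example, and the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample identities for the example (not real people).
CANDIDATES = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.org",
]


def naive_pseudonymise(email: str) -> str:
    """Replace an email address with an unkeyed SHA-256 digest.

    Deterministic and keyless: anyone who can enumerate the plausible
    inputs (customer lists, leaked address books, common name patterns)
    can rebuild the mapping, so the output is still personal data.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonymise(email: str, key: bytes) -> str:
    """Replace an email address with an HMAC-SHA256 tag under a secret key.

    Without the key an attacker cannot recompute tags for guessed inputs.
    The controller holding the key CAN still re-identify people, which is
    why pseudonymised data remains personal data in the controller's hands.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(token: str, candidates, pseudonymise):
    """Attacker's view: recompute the pseudonym for every guessable identity
    and look for a match. `pseudonymise` is whatever function the attacker
    is able to run (the unkeyed hash, or HMAC under a key they hold)."""
    for cand in candidates:
        if hmac.compare_digest(pseudonymise(cand), token):
            return cand
    return None


def demo():
    """Run both schemes against the same dictionary attack.

    Returns (naive_result, keyed_result): the naive token is recovered,
    the keyed token is not because the attacker does not have the key.
    """
    key = secrets.token_bytes(32)  # stays in the controller's key store
    target = "bob@example.com"
    naive_token = naive_pseudonymise(target)
    keyed_token = keyed_pseudonymise(target, key)

    # The attacker holds the token list and a candidate list, but no key,
    # so the best available guess function is the unkeyed hash.
    recovered_naive = reverse_by_dictionary(naive_token, CANDIDATES, naive_pseudonymise)
    recovered_keyed = reverse_by_dictionary(keyed_token, CANDIDATES, naive_pseudonymise)
    return recovered_naive, recovered_keyed


if __name__ == "__main__":
    naive, keyed = demo()
    print("unkeyed hash reversed to:", naive)
    print("HMAC pseudonym reversed to:", keyed)
```

The design point: a pseudonym is only as strong as the secret it depends on. Hashing a low-entropy identifier without a key is not pseudonymisation in any meaningful sense, because the input space is small enough to enumerate. A keyed scheme resists outsiders, but the organisation holding the key must still treat the data as personal data and protect the key accordingly.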
Can an Individual Access their Data?
An individual has the right to request from an organisation the information it holds about them. This right existed under the Data Protection Act, but Article 15 of the GDPR expands it so that the individual is entitled to more information.
The additional rights are to know:
- What is the purpose of the data processing of personal information?
- The categories of data affected.
- To whom the data is being transferred to or disclosed to.
- The likely retention periods.
- The rights that exist in relation to that data, including the right to have inaccurate data corrected or erased.
Individuals can also ask whether their data is being used for automated decision-making and profiling, and organisations are now obliged to explain how that processing will affect them; for direct marketing in particular, explicit consent should be obtained. Organisations must provide the requested information free of charge unless a request is manifestly unfounded or excessive; repeated requests for the same data, for example, may be treated as excessive. Data controllers are required, where possible, to provide a secure means for individuals to access and review the personal information held about them. The GDPR requires controllers to respond without undue delay and at the latest within one month of the request. A checklist is a good way to keep your organisation focused on this critical aspect of the GDPR:
- Review and update current policies and procedures, making the changes needed for them to work under the new regime.
- Where necessary, train the appropriate personnel so that access requests are handled correctly.
- Consider making more information available to data subjects securely, for example through a secure online portal.
- Stay abreast of future guidance and publications from regulators such as the ICO on access requests.
The Right of Access and the Right to be Forgotten are among the most significant advances in the privacy rights laid down by the GDPR. The Right to be Forgotten (the right to erasure) allows an individual in the EU to ask an organisation to delete personal information about them. It is set out in Article 17, the first two paragraphs of which detail the grounds on which the right applies. Data that has been made public may be deleted on request, including search engine results and posts on social networking sites, and where an organisation has made the data public and is asked to erase it, it has a further obligation to take reasonable steps to inform other controllers that the individual has requested erasure of any links to, or copies of, that data.
Equally interesting is the GDPR's position on when there is no right to be forgotten; there are exceptions under which personal data will not be deleted:
- Where the processing of such data is required for legitimate, legal or compliance obligations in the realm of public interest or official situations where t