What is GDPR?
The General Data Protection Regulation and the Data Protection Act 2018 replace the UK Data Protection Act 1998 and the EU Directive 95/46/EC.
Importantly, the GDPR will apply fully in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR; the Data Protection Act 2018 confirms this.
In simple terms, GDPR aims to protect the personal data of any EU citizen from breaches of security or loss by any organisation that controls and/or processes personal data. That includes any business that offers goods or services to EU citizens – even if they are free – or any organisation that monitors the behaviour of EU citizens (eg tracking or profiling).
What is Personal Data?
The Regulation refers to PII (personally identifiable information), which includes any information about a (living) individual that can be used to identify them – interestingly the GDPR even includes IP addresses in its definition of personal data. It is not limited to electronically held information, manual filing systems are also included.
The focus is on people because, of course, they are the ones with personal data; GDPR is seeking to shift the balance of power away from organisations and back to people by providing certain rights to individuals over the organisations that hold their data, ensuring companies protect and do not misuse PII when it is in their hands.
There are additional rules for processing special categories of data, for example “sensitive data”, which includes: racial or ethnic origin, political opinion/affiliation, religious beliefs, trade union membership, genetic/ biometric data, health data or sexual orientation.
GDPR refers to people with PII as “Data Subjects”. It is important to note that Data Subjects include your employees and co-workers.
Data Subjects’ Rights
These new laws offer many more rights to individuals than the previous Data Protection Act:
The implications of these rights are far reaching for business owners’ systems, security and administration.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Data Processors and Data Controllers
GDPR defines processing as “obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data”.
The law refers to two types of organisations for the purposes of processing personal information:
- “Data Controllers” who determine the purpose and means of the processing of personal data and
- “Data Processors” who process personal data on behalf of Data Controllers.
In some circumstances an organisation may be both Controller and Processor; both Controllers and Processors are scrutinised under GDPR and both could be subject to heavy penalties if there is a breach, (ie they have joint liability).
The ICO has stated that Directors will be personally responsible for compliance failures.
The law states that “The Controller shall be responsible for, and be able to demonstrate, compliance with the Principles” (this is often referred to as the 7th principle).
There are also 6 Principles that guide GDPR:
- Legality, transparency and fairness
- Purpose limitation
- Storage limitation
- Integrity and confidentiality
- Accountability – see above
What are the consequences of a breach?
- Data subjects have the right to sue for material and non-material damage
- The Supervising Authority (ICO in UK) can level administrative fines
- Which are “effective, proportionate and dissuasive”
- Max fine €20m or 4% previous year’s global turnover for tier 1 breaches
- Max fine €10m or 2% previous year’s global turnover for tier 2 breaches
Importantly, these fines can be mitigated by demonstrating that an effective and robust framework is in place to protect personal data.
Further information can be found on the Information Commissioner’s Office site: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/