In the last 20 years, the collection and processing of data has grown exponentially. The practice has been undertaken by businesses worldwide, in order to help improve efficiency, gain insight and understanding and increase profits. The General Data Protection Regulation (GDPR) is aimed at bringing EU data protection law up to speed with the changes that have occurred in the 20+ years since the 1995 Data Protection Directive (95/46/EC) was passed.
The GDPR has been enacted into UK law – with slight amendments (known as derogations) provided for within the Regulation – via the Data Protection Act 2018, which replaced the UK's Data Protection Act 1998.
Data controllers – The person or organisation who, solely or jointly, determines the purpose and means of processing personal data.
Data processors – A third-party individual or organisation who processes data on behalf of the Data Controller, e.g. an accountancy company running the Data Controller's payroll.
Data Controllers are responsible for ensuring that the Data Processor processes the data lawfully.
Article 5 of the GDPR sets out the 7 key principles of the GDPR:
Increased Territorial Scope – The GDPR clarifies that companies not established within the EU are subject to the GDPR if their activities relate to offering goods and/or services to EU residents or monitoring their behaviour. Those falling into this category must now appoint a representative within the EU.
Increased Data Scope – The widened definition of what constitutes 'personal data' within the GDPR means that more information falls within its remit, including, for example, IP addresses and website cookies. Furthermore, the widened definition of 'special category' data means that more data is subject to stricter controls, e.g. ethnic origin, religious beliefs, genetic and biometric data and political views.
Penalties – GDPR now provides for penalties to be handed down for infringements, with the maximum penalty being 4% of annual worldwide turnover or €20 million, whichever is greater.
Consent – The request for consent to process personal data must be clear and distinguishable from other matters, with details given of the purpose of the processing. Consent must be as easy to withdraw as it was to give.
Data Protection Officers – DPOs must be appointed by controllers or processors whose data processing consists of large-scale monitoring of data subjects, or of special categories of data or data relating to criminal convictions or offences.
Data Subjects’ Rights – Data subjects now have the right to have their data erased (the right to be forgotten), the right to see what their data is being used for and by whom (right to access) and the right to receive the personal data held regarding them and to transmit the data to another controller (right to data portability).
Breach Notification – Data Controllers must notify the supervisory authority of any data breach that is likely to 'result in a risk for the rights and freedoms of individuals' within 72 hours of the breach being identified. Data Controllers are also subject to obligations to notify their customers of a breach.
In summary, the GDPR insists on transparency and honesty from companies, allowing individuals to be better informed, and gives individuals increased control over what happens to their personal data. This depends on organisations taking the necessary steps to comply with the Regulation. However, with supervisory bodies able to impose heavy fines, this should encourage compliance and allow individuals to benefit from the GDPR.
If you would like some help with your GDPR compliance, please contact us.