GDPR – What is it all about?

In the last 20 years, the collection and processing of data has grown exponentially. The practice has been undertaken by businesses worldwide, in order to help improve efficiency, gain insight and understanding and increase profits.  The General Data Protection Regulation (GDPR) is aimed at bringing EU data protection law up to speed with the changes that have occurred in the 20+ years since the 1995 Data Protection Directive (95/46/EC) was passed.

The GDPR has been enacted into UK law – with slight amendments (known as derogations) provided for within the Regulation – via the Data Protection Act 2018, which replaced the UK the Data Protection Act 1998.

Who does GDPR apply to?

Data controllers– The person or organisation who, solely or jointly, determines the purpose and means of processing personal data.

Data processors– Third-party individual or organisation who processes data on behalf of the Data Controller e.g. an accountancy company running the Data Controller’s payroll.

Data Controllers are responsible for ensuring that the Data Processor processes the data lawfully.

What are the principles of the GDPR regulation?

Article 5 of the GDPR sets out the 7 key principles of the GDPR:

1. Lawfulness, fairness and transparency

• There must be a lawful basis for collecting and using personal data.
• Data must not be processed in a way that is unduly detrimental, unexpected or misleading to the individual concerned
• Companies must be clear and honest about how they will use personal data

2. Purpose limitation

• The purpose of data processing must clearly be specified
• Personal data can only be used for a new purpose if compatible with the original purpose of processing, new consent is gained, or there is a clear legal basis

3. Data minimisation

• Only the minimum amount of data needed to fulfil the purpose of the data processing should be identified and stored

4. Accuracy

• Reasonable steps should be taken to ensure incorrect data is erased or corrected as soon as possible

5. Storage limitation

• Data should only be stored for as long as it is needed and is justifiable

6. Integrity and confidentiality

• There must be appropriate security measures in place to protect the data held

7. Accountability

• Data controllers or processors must take responsibility for how they handle personal data and comply with the above principles
• Records must be created and retained, so as to enable a company to demonstrate their compliance

What is the Scope of the GDPR?

Increased Territorial Scope–The GDPR clarifies that companies not established within the EU are subject to the GDPR if their activities relate to offering goods and/or services to EU residents or monitoring their behavior. Those falling into this category must now appoint a representative within the EU.

Increased Data Scope– The widened definition of what constitutes ‘personal data’ within GDPR means that more information is included in its remit, including for example IP addresses and website cookiesn. Furthermore, the widened definition of ‘special category’ means that more data is subject to stricter controls e.g. ethnic origin, religious beliefs, genetic and biometric data and political views.

Penalties – GDPR now provides for penalties to be handed down for infringements, with the maximum penalty being 4% of annual worldwide turnover or €20 million, whichever is greater.

Consent– The request for consent to process personal data must be clear and distinguishable from other matters, with details given of the purpose of the processing. Consent must be as easy to withdraw as it was to give.

Data Protection Officers– DPOs must be appointed by controllers or processors whose data processing consists of large scale monitoring of data subjects; of special categories of data; data relating to criminal convictions or offences.

Data Subjects’ Rights – Data subjects now have the right to have their data erased (the right to be forgotten), the right to see what their data is being used for and by whom (right to access) and the right to receive the personal data held regarding them and to transmit the data to another controller (right to data portability).

Breach Notification– Data Controllers must notify the supervisory authority of any data breaches that are likely to ‘result in a risk for the rights and freedoms of individuals’ within 72 hours of the breach being identified. Data Controllers are subject to obligations to notify their customers of a breach.

Summary

In summary, the GDPR insists on transparency and honesty from companies allowing individuals to be more informed, as well as giving individuals increased control over what happens to their personal data. This does depend on organisations taking the necessary steps to comply with the regulation. However, with supervisory bodies able to impose heavy fines, this should encourage compliance and allow individuals to benefit from the GDPR.

If you would like some help with your GDPR compliance, please contact us.