In the last 20 years, the collection and processing of data has grown exponentially. The practice has been undertaken by businesses worldwide, in order to help improve efficiency, gain insight and understanding and increase profits. The General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) is aimed at bringing EU data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of Personal Data. up to speed with the changes that have occurred in the 20+ years since the 1995 Data Protection Directive (95/46/EC) was passed.
The GDPR has been enacted into UK law – with slight amendments (known as derogations) provided for within the Regulation – via the Data Protection Act 2018The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK (and supersedes the Data Protection Act 1998)., which replaced the UK the Data Protection Act 1998.
Data controllers– The person or organisation who, solely or jointly, determines the purpose and means of processing personal dataInformation which relates to an identified or identifiable natural person..
Data processors– Third-party individual or organisation who processes data on behalf of the Data ControllerAn entity (such as an organisation) which determines the purposes and means of the processing of personal data. e.g. an accountancy company running the Data Controller’s payroll.
Data Controllers are responsible for ensuring that the Data ProcessorA third party processing personal data on behalf of a data controller. processes the data lawfullyIn data protection terms, it must satisfy one of the appropriate lawful basis for processing and must not contravene any other statutory or common law obligations..
Article 5 of the GDPR sets out the 7 key principles of the GDPR:
1. Lawfulness, fairness and transparencyThe first principle of the GDPR, requiring organisations to document a lawful basis for collecting and using personal data, to avoid processing personal data in a way that is unduly detrimental, unexpected or misleading to data subjects, and to be clear and honest about how they use personal data.
2. Purpose limitationThe second principle of the GDPR, requiring organisations to only process personal data for the specific purpose for which it was collected.
3. Data minimisationThe third GDPR principle, requiring organisations to only collect the personal data that is truly necessary to fulfill each purpose for data processing.
4. AccuracyIn data protection terms, the concept of ensuring data is not incorrect or misleading.
5. Storage limitationThe fifth GDPR principle which requires organisations to only store data for as long as it is needed.
6. Integrity and confidentialityThe sixth GDPR principle, also know as the security principle. This requires organisations to implement the appropriate security measures to protect personal data.
7. AccountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance.
Increased Territorial Scope–The GDPR clarifies that companies not established within the EU are subject to the GDPR if their activities relate to offering goods and/or services to EU residents or monitoring their behaviour. Those falling into this category must now appoint a representative within the EU.
Increased Data Scope– The widened definition of what constitutes ‘personal data’ within GDPR means that more information is included in its remit, including for example IP addresses and website cookiesData which tracks a visitor’s movement on a website and remembers their behaviour and preferences.. Furthermore, the widened definition of ‘special category’ means that more data is subject to stricter controls e.g. ethnic origin, religious beliefs, genetic and bio-metric data and political views.
Penalties – GDPR now provides for penalties to be handed down for infringements, with the maximum penalty being 4% of annual worldwide turnover or €20 million, whichever is greater.
Consent– The request for consent to processA series of actions or steps taken in order to achieve a particular end. personal data must be clear and distinguishable from other matters, with details given of the purpose of the processing. Consent must be as easy to withdraw as it was to give.
Data Protection Officers– DPOs must be appointed by controllers or processors whose data processing consists of large scale monitoring of data subjects; of special categories of data; data relating to criminal convictions or offences.
Data Subjects’ RightsUnder UK data protection regulation, data subjects have a number of rights available to them – to be informed, access, rectification, erasure, restrict processing, data portability, to object and further rights in relation to automated decision making and profiling. – Data subjects now have the right to have their data erased (the right to be forgotten), the right to see what their data is being used for and by whom (right to access) and the right to receive the personal data held regarding them and to transmit the data to another controller (right to data portability).
Breach Notification– Data Controllers must notify the supervisory authorityAn authority established by its member state to supervise the compliance of data protection regulation. of any data breaches that are likely to ‘result in a risk for the rights and freedoms of individuals’ within 72 hours of the breach being identified. Data Controllers are subject to obligations to notify their customers of a breach.
In summary, the GDPR insists on transparency and honesty from companies allowing individuals to be more informed, as well as giving individuals increased control over what happens to their personal data. This does depend on organisations taking the necessary steps to comply with the regulation. However, with supervisory bodies able to impose heavy fines, this should encourage compliance and allow individuals to benefit from the GDPR.
If you would like some help with your GDPR compliance, please contact us.