General Data Protection Regulation Summary

What is GDPR all about?

General Data Protection Regulation – or GDPR for short – replaced the old Data Protection Act in the UK in 2018.

GDPR applies across the European Union but, crucially, it applies to anyone who stores and processes data relating to EU citizens. GDPR therefore affects a whole range of eCommerce and other companies around the world, regardless as to whether they’re based in an EU member state.

General Data Protection Regulation summary – Why?

All the member states of the EU currently have their own data protection rules. In the UK this is in the form of the Data Protection Act which in its current form dates from 1998. That’s over 20 years ago and an awful lot changes in the technology world over that sort of timescale. In 1998, for example, broadband was in its infancy and we were doing much less online than we do today, so it’s easy to see why there’s the need for something new.

The legislation is aimed at protecting the rights of the individual or the ‘natural person’ in the EU-speak of the GDPR. As anyone who has seen Life of Brian will know – all together now – “We are all individuals!” so this legislation is meant to protect all of us. It aims to do this by ensuring that any data held about us by organisations is looked after in such a way as to protect our rights and privacy.

GDPR is therefore aimed at bringing data protection into the 21st century, whether it likes it or not. You might think that Brexit would put the brakes on this but the UK Government has confirmed that it will remain committed to implementing GDPR.

Ultimately, while the implementation phase may be a bit fraught, GDPR should make life easier by ensuring consistency of data protection laws and of rights across the EU. This is important for businesses and other organisations such as charities and government bodies, as well as for individuals.

General Data Protection Regulation summary – Who?

So, that’s why we need GDPR, but who will it apply to? The wording of the legislation talks about ‘controllers’ and ‘processors’ but what do these terms mean in practice?

In fact, they are quite similar to the way existing legislation operates. The controller deals with how and why personal data needs to be handled; the processor does the actual processing on their behalf. If your operation already needs to comply with the Data Protection Act then you can be pretty sure that you’ll need to comply with GDPR too.
If you’re a processor then that are certain things that you must do under GDPR. For starters, you are required to keep records of any personal data and processing activities. GDPR imposes much greater penalties if there’s a breach than existing legislation does – we’ll come to these later.

If you’re a controller, the fact that someone else may be processing your data doesn’t let you off the hook. GDPR places an obligation on you to ensure that your dealings with processors are in accordance with the requirements of the act. Although it’s European Union legislation, being outside the EU doesn’t necessarily let you off the hook either. As you might expect, GDPR applies to data processing carried out by organisations that operate within the EU. However, it also applies to organisations that supply goods and services to EU citizens, even if the organisation itself is located outside the EU.

There are a few exceptions to GDPR. These cover data used for law enforcement purposes, national security purposes, and processing done by individuals purely for their household or personal use.

Of course in the sense that we are all individuals, GDPR applies to all of us. It’s important to know too that it extends the definition of personal data beyond that already given in the Data Protection Act. GDPR covers things like IP addresses, for example, which could be used to identify an individual online. As a business, therefore, you will need to review what information you hold and see if it falls within the scope of the legislation.

General Data Protection Regulation summary – What?

Okay, now we know why it’s being introduced and who it covers, but what will GDPR actually entail?
The first thing to note is that it’s about information that can identify you personally. This means that while your medical records and your online shopping account are covered, things like anonymous survey results and statistics relating to overall shopping patterns, for example, won’t be.

For organisations that hold data, therefore, a good first step is to identify what you hold that is covered. Having done that, it might be worth considering whether all the data you hold is strictly necessary, you may be able to lighten your compliance workload by getting rid of some.

Once you’ve identified the personal information you hold about individuals, you need to think about how to protect it. This might involve, for example, using encryption so that the information cannot be read by anyone who isn’t authorised to see it.

We’ve already seen that GDPR separates out controllers and processors. This means that the controller and the processor need to work together to come up with a secure way of handling who gets to look at the data. Of course, it’s possible that the controller and processor could be two different parts of the same organisation. On the other hand, the processing may be contracted out to another company. In the latter case, it’s vital that both parties understand what is required of them under GDPR.

As well as looking after stored personal data properly, there are some other things that you’ll need to do under GDPR. The first of these is dealing with subject access requests. In a similar way to the Data Protection Act, GDPR gives individuals rights to find out what data is being stored about them. This may be an overview or it may be something more detailed.

Access requests have to be responded to ‘without undue delay’ so you’ll need to have a mechanism in place to deal with them. Failure to do so could lead to you becoming ‘non-compliant’ at which point bad things can happen as we’ll see later.

When does GDPR apply to my business?

One of the things you may have seen in the press about GDPR surrounds the ‘right to be forgotten’ or ‘right to erasure’ (not to be confused with the ’80s synth-pop duo). What this means is that an individual can request the removal of their personal data from your systems.

It’s not quite that simple, however, GDPR doesn’t offer an absolute right to be forgotten, it only applies in certain circumstances. These are:
* Where the data is no longer needed for its original purpose.
* Where the individual withdraws their consent for you to hold the data.
* When an individual objects to the processing and there is no legitimate reason to continue it.
* Where the data is unlawfully processed – that is to say in breach of GDPR.
* Where the data has to be removed for legal reasons.
* Where the data is processed in offering services to a child. There are special provisions for processing data related to children.

There was a right to removal under the old Data Protection Act, but it only applied where the data was processed in such a way as to cause ‘damage or distress’. GDPR does not apply this caveat but if distress or damage is caused there is likely to be a stronger case for removal.

In some circumstances, removal of data can be refused. These cover freedom of expression, public interest or legal obligation, public health, archiving in the public interest, and research and statistical purposes.
If you have shared data with another organisation and are subsequently asked to delete it, then you have to inform the third parties that you have disclosed it to. It’s therefore important to keep accurate records of when, why and to whom you disclose information to others.

GDPR also covers what you need to do in the event that you suffer a breach in which personal data is exposed. You will need to notify a regulator within 72 hours. In the UK this is the Information Commissioner’s Office (ICO). Before doing this you’ll need to have a handle on how the breach occurred, how the hackers got in, what data was, or may have been exposed, and who the hackers may have been. It’s, therefore, a good idea to have a plan in place to respond to a breach so that you don’t get caught out trying to find all of this detail. Again, there are potentially nasty penalties for failure to comply.

General Data Protection Regulation summary – How much?

As we mentioned above, the GDPR does have teeth in the form of some pretty eye-watering penalties. Not complying with the legislation can result in a fine of up to four percent of annual revenue (global revenue, not just EU) or €20,000,000, whichever happens to be higher.

It’s also worth bearing in mind that fines will be levied to reflect the severity of the breach and how well – or how badly – the organisation has dealt with it. If you can prove that you have made suitable provisions to safeguard the integrity, confidentiality and accessibility of personal data then the fine will take that into account.
Non-compliance with GDPR on 26th May won’t lead to an automatic fine. As yet there’s no mechanism for anyone to check up, or indeed any certified standard to comply with. However, if a breach occurs, the likelihood of a fine, increases dramatically.

Summary

So, like it or not GDPR is hurtling towards us with frightening speed, backed by some equally frightening penalties for failure to comply with its rules. Businesses, therefore, need to take it seriously.

There are some key takeaways; firstly that GDPR applies to companies that provide goods and services to EU citizens even if the company itself is outside the EU.

Secondly, it extends the definition of personal data, so you will need to review the data you hold and decide if it’s covered. Third, it confers rights on individuals to be able to see the data you hold about them and, in certain circumstances, gives them the right to have that data erased. Fourth, it obliges you to take certain actions in the event of a data breach where personal data gets exposed. Finally, there are some heavy penalties for non-compliance.

Got all that? If you’re already complying with the Data Protection Act, then GDPR isn’t as scary as it might appear, but it is something you can’t afford to ignore.

According to EUGDPR.org, GDPR is the most important change in data privacy regulation in 20 years. Read more about GDPR here.

Go online to compare various leased line options.