You’ve probably heard about the GDPR by now, even if it’s just scrolling past a boring government article about it. It’s not the most exciting topic in the world but it’s really important.
The GDPR is essentially an updated, modernised version of the Directive – a set of European privacy regulations. It’s a binding act which must be followed throughout the whole of the EU (and other countries, but more on that later).
What’s the point of the GDPR?
We’re glad you asked. Why did the Directive need updating, anyway? Well, like any law, there’s bound to be necessary changes made in its lifetime. However, the main reason for updating European privacy law is mostly due to the advances in technology we’re seeing. The EU is keen to set the highest standard possible for global privacy rights. So, there are lots of additions to these new regulations which fit better into a modern, digital world.
How is it different from the Directive?
Many of the same principles exist, but there are some important new ones in the mix, including:
- Increase in scope (affecting more people/locations)
- Extension of personal data definitions
- Expansion of individual rights
- Tougher consent requirements
- Stricter processing requirements
If that all went over your head, don’t worry, we’ll delve into more detail now.
Who is affected by it?
The GDPR, first and foremost, aims to ensure the privacy of EU citizens. If you’re part of the EU, you should know about these regulations as they exist to look after your data. Along with citizens, organisations residing within the EU are set to follow and be protected by the new guidelines.
However, don’t think that because Brexit is looming, British people won’t have to worry about it anymore! Firstly, we’ll still be a member of the EU when the law comes into effect – May 2018. Secondly, the GDPR also affects businesses and organisations who are involved with the personal data of EU citizens and companies. It will affect companies in countries across the world, in all industries and sectors.
What counts as ‘personal data’?
Personal data, according to these new regulations, is information relating to an identified or unidentified individual. Sounds vague, right? Well, basically, it’s any information that can be used to identify an individual. In the past, personal data would refer to things like names and physical addresses. However, we’re now required to consider personal data as any of the following: names, addresses, bank details, email addresses, IP addresses, medical information, social media posts, photos and location details. There’s quite a lot to think about there.
How do I know if I’m ‘involved’ with personal data?
If you’re processing personal data in any way, shape or form, you’re involved with it. So what does processing mean? We could copy out the boring jargon from the GDPR itself, but we’ll just put it into our own words. Processing includes collecting, recording, storing, organising, managing and using any personal data of EU citizens. If you’re not sure whether the data you hold is actually ‘processed’ by you, we’d say err on the safe side and assume it is.
Rights an individual has under the GDPR
As a citizen of the EU, protected by the GDPR, you have the right to:
- Access your personal data and ask how it’s used by a company
- Be forgotten (you can withdraw your consent for a company to use your data and have your data deleted)
- Data portability (you can transfer your data between providers)
- Be informed (you should be informed before your data is collected and be able to provide clear consent)
- Have information corrected & updated
- Object (you can stop the processing of your data at any time, and processing must stop as soon as your request is received)
- Be notified if a data breach compromises your data (you must be informed within 72 hours)
What do I need to do?
As an individual, you should make sure you know your rights. If you are part of an organisation, you should prepare to uphold these rights for your clients. Make sure that you get clear consent for each different processing activity. Just because a client has consented to one use of their data doesn’t mean another process can be carried out with that data.
With this in mind, it’s best to keep proof of consent when you receive it and to map all personal data your company uses. To make things easier, don’t keep any more data than is necessary: remove data that isn’t used or needed. Put security measures in place to guard against data breaches, and have a quick response process so clients can be notified if one does happen. Alongside this, you should establish procedures for making sure clients are aware of their new rights.
Are there any sanctions for not complying?
In a word, yes. Your company can face sanctions of up to €20 million or 4% of your global annual turnover – whichever is higher. The idea is that a higher sanction will result in higher compliance. So, make sure you keep on top of your data protection!
It’s recommended that you appoint a Data Protection Officer who can be in charge of all this. Ideally, choose someone who is suitably trained or has expert knowledge. You could also outsource the role if you don’t have the resources in-house.