The General Data Protection Regulation (GDPR) is the biggest change to data protection law in a generation
Data protection is changing, and soon.
From 25 May 2018, EU citizens will have greater control over how businesses collect and use their personal data, in a new set of regulations called General Data Protection Regulation (GDPR).
We want to help you understand what GDPR is, how it impacts your business and what steps you can take to get compliant, but also to get inspired about the business opportunity it poses.
In this article, we'll look at the fundamentals of GDPR and what the impact on your business could be.
What is GDPR?
GDPR is a new piece of EU legislation which strengthens data protection for all individuals within the EU. It replaces the existing Data Protection Directive from 1995.
The goal of GDPR is to give individuals more control over their personal data and to simplify the rules for businesses using that data.
GDPR was adopted on 27th April 2016 and becomes legally enforceable from 25 May 2018.
Failure to comply with GDPR by this deadline could result in strict financial penalties of up to €20 million or 4% of annual global turnover, whichever is higher.
It’s important to note here that the current Brexit discussions will not affect the implementation of GDPR. The 2018 deadline will arrive before Brexit can take place, and any future UK data regulations will likely mirror GDPR very closely.
What is Personal Data?
Personal data is any type of data that could be used to identify an individual.
Under GDPR, the definition of personal data has been expanded to include a wide range of personal identifiers, to reflect how technology has changed and how people use their data.
GDPR extends personal data to cover:
“Any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
Practically speaking, this refers to:
- Email addresses
- Telephone numbers
- Any type of reference number
It will also now refer to online personal identifiers, such as:
- IP addresses
- Cookie identifiers
Some example systems applicable may include:
- Health records
- HR files
- CRM records
- Email marketing lists
Remember, these rules will apply to both automated and written files and records.
GDPR will also apply to special categories of personal data, which could reveal sensitive information about an individual, such as their:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Data concerning health or sex life
Biometric and genetic data is also covered.
Who Does GDPR Apply To?
GDPR will be applicable to any type or size of business which handles the personal data of citizens based in the EU.
If you use or gather the personal data of your customers or clients, you will fall into one or both of these categories: data controller or data processor.
- A data controller is a person or organisation that determines the purposes for which, and the manner in which, any type of personal data is processed.
- A data processor is a person or organisation which processes data on behalf of a data controller.
The reality is, virtually all businesses use or handle personal data, whether of customers or employees.
If you currently observe Data Protection laws, then GDPR applies to your business.
To meet the key principles of GDPR compliance, you must:
- Demonstrate the technical and organisational measures you have taken to ensure compliance.
- Keep written documentation of your data processing activity.
- Move to ‘privacy by design’ and ‘privacy by default’ principles - embedding data protection at the heart of your activities, rather than ‘bolting on’ measures.
- Appoint a Data Protection Officer if you are a public body, are involved in large-scale monitoring of individuals, or carry out large-scale processing of the new special categories of data or of data relating to criminal convictions or offences.
- Be prepared to use data protection impact assessments where appropriate.
Remembering the Goals of GDPR
It’s important to bear in mind the overarching goals of GDPR when planning for compliance.
The goal is to give citizens control over their personal data, not to punish businesses.
The expansion of digital technology is leading to a proliferation of data generation, and we need a framework to manage it.
With high profile data breaches occurring almost weekly, people are understandably nervous about how and where their data is used.
GDPR should help businesses and their customers develop a more trusting relationship built on transparency and respect, one that actually helps businesses find and retain customers.
"Building trusted relationships with the public will enable you to sustainably build your use of data and gain more value. Through changing their data handling culture, organisations can derive new value from customer relationships."