On May 25th, 2018, a new EU law was ushered in that impacted how we process personal data. This law is known as the General Data Protection Regulation or GDPR.
The GDPR is an update to a previous directive, enacted in 1995, known as the Data Protection Directive 95/46/EC or DPA. You may be asking why the EU decided to change an existing law on data protection. It’s a good question, and the answer lies in change. Both technology and consumer expectations have changed massively in the decades since the DPA came into force. In 1995 there were 23,500 websites; today there are almost 2 billion. Along with those websites there has been an explosion of data, much of it personal data. The importance of treating personal data in a privacy-respectful way has also been given a high profile by privacy violations that have hit the headlines, such as the Facebook/Cambridge Analytica scandal.
The old DPA became the new GDPR to ensure the secure and privacy-respectful use of our personal data.
In this article, we will take a look at the general requirements of the GDPR.
What type of business does the GDPR affect?
The GDPR sets out a series of requirements that together create a framework for privacy-respectful data processing. If you collect, store, share, or in fact do anything at all with data that can represent an individual from an EU state, you have to abide by the rules of the GDPR. This is true for companies based within the EU as well as those outside of it.
It also applies to companies of any size and any type. There are, however, some derogations from the requirements for companies with fewer than 250 employees (more on that later).
It’s all about the data
First things first – what does the GDPR mean by “personal data”? The GDPR has created two classifications around personal data and these are important to differentiate in your business as they also relate back to the levels of expected protection. The two classes of data are:
Personal Data (GDPR Article 4/1)
If you can identify an individual from any piece of data, that data is deemed to be personal. Data that can be used to do this is known as an ‘identifier’. For example, this would include a name, address, date of birth, etc., but it also includes an online identifier such as an IP address. Personal data also covers economic, cultural or physiological information. It is whatever makes you identifiable.
Sensitive Personal Data (GDPR Article 9)
It is important to differentiate between the personal data described above and “sensitive” personal data, as the GDPR has set out stringent rules to protect the latter. Sensitive personal data includes genetic data, biometric data, and data that describes aspects of a person’s life, e.g., religion, racial or ethnic origin, trade union membership, etc.
The “consent” question
Consent is often seen as a confusing term in the GDPR requirements, but consent is really about applying rules to the collection and use of personal data. Consent puts the user at the centre of the processing of their own data, in other words it makes the whole system of data use user-centric. The GDPR states that consent must be a “clear affirmative act”. This means that those ‘opt-out’ buttons you use on your website when you collect personal data for marketing are no longer allowed. When you collect consent to use someone’s personal data for any reason, including marketing, storing, or sharing with other parties, you need to collect that permission in simple, easy-to-understand language. The GDPR also strongly advocates “granular consent”: the various ways in which the user’s data will be used are broken up, and the user gets to choose clearly which uses they consent to and which they do not. The GDPR also states that use of a service should not be detrimentally affected if a user refuses to consent. So, no punishing users who do not consent to receiving marketing emails.
There also has to be a mechanism for managing a user’s revocation of consent. This can be verbal, over the phone for example, or a digital mechanism such as an email.
Basic data subject rights in brief
The individual to whom the data refers is known as a “data subject”. Under the GDPR there are eight “data subject rights”. These are, in brief:
- Right to be informed (about your data);
- Right to access (to data);
- Right to data rectification;
- Right to data erasure (data deletion);
- Right to request the restriction of data processing;
- Right to data portability;
- Right to object to the use of data; and
- Right to say no to automated decision-making including profiling.
Smaller organizations and the GDPR
The GDPR applies to companies of all sizes, including sole traders. The GDPR is about how much and what type of data you process, not the size of your organization. Fortunately, companies with fewer than 250 employees are offered derogations, such as reduced record keeping, but only if the data processing will not affect individual rights and is only occasional.
What if my company is not in the EU?
The GDPR’s jurisdiction extends outside the EU if your company deals with EU citizens within an EU state. So, for example, if your organization is based outside the EU but you market and sell goods and services to EU citizens in the EU, you will need to abide by the GDPR rules.
The GDPR and fines
One of the reasons the acronym GDPR has struck fear into many is that the fines for non-compliance are big, as in really big. There are two levels of fines, enforced by the supervisory authorities under the GDPR. These are:

| Level | Fine | Reasons for the fine |
|---|---|---|
| Level 1 | 2% of annual global revenue or 10 million Euros, whichever is higher | |
| Level 2 | 4% of annual global revenue or 20 million Euros | |
Do I need a Data Protection Officer (DPO)?
A Data Protection Officer is an individual, employed by your organization either as an employee or as an external consultant, who advises on and carries out some of the duties around the GDPR. For example, under certain conditions the GDPR specifies that a Data Protection Impact Assessment (DPIA) must be carried out. A DPO can advise on and help with this.
The GDPR stipulates that you MUST appoint a DPO if you:
- Are a public authority or body, or
- Process data on a large scale, or
- Process “special category” data
Even if you don’t fall into any of the categories above, having the advice of a privacy specialist, such as a DPO, can be useful in working out how to apply the GDPR requirements.
GDPR or bust
The GDPR should not be thought of as a one-off tick-box exercise. Instead, it is a process of understanding the hows and whys of personal data processing in your business. A large part of the GDPR is about documenting those processes and mapping and classifying data. This is a useful thing to do as a general security awareness exercise, as well as for complying with the GDPR. In looking into meeting the requirements of the GDPR, you may also spot security vulnerabilities whose fixing will benefit your organization as well as your customers and clients. Ultimately, coming into compliance with the GDPR may take some effort, but it will be worth it to avoid hefty fines and to show that your organization respects the data privacy of your customers and wider user base.
If you are in doubt about compliance with the GDPR you should always seek expert advice.