Insight into GDPR
The General Data Protection Regulation (GDPR) is a binding legislative act from the European Union for the protection of personal data. Currently the UK relies on the Data Protection Act (DPA) 1998. The aim of GDPR is to give control back to ordinary people when it comes to their personal data and how it is collected and used.
It has been seven years in the making and will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The focus is on personally identifiable information, which goes well beyond commonly held data such as name and email address: it includes economic, cultural and mental health information, identification numbers, location data, IP addresses, cookies, mobile IPs and device IMEI numbers. Anything that qualifies as ‘personal data’ under the DPA still counts. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
Any data controller or processor that fails to comply will face fines of up to 4% of previous global annual turnover or €20 million, whichever is greater, as well as damage to company reputation. This is a seismic shift – the highest fine a regulator can currently impose is £500,000.
Who does it apply to?
Any company in the world, whether located in the EU or not, that controls or processes personal identifiable information of EU citizens. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
It applies to ‘controllers’ and ‘processors’ of data. The definitions are broadly the same as under the DPA. The controller decides how and why personal data is processed, and could be any organisation, from a profit-seeking business to a government body to a charity. A processor acts on the controller’s behalf, for example an IT company doing the actual data processing. Data controllers and data processors are now equally liable for data breaches, so it is crucial that both parties work together and become fully compliant. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. GDPR gives much more responsibility to data processors than the DPA: both controllers and processors are now liable for the protection of the personal data they collect or hold, and processors are required, as a legal obligation, to maintain records of personal data and processing activities.
Data protection principles relating to processing personal data
Article 5 of the GDPR sets out 6 main principles. The same principles apply to companies from all sectors that deal with personally identifiable information of EU citizens, and all of them need to comply. Article 5 requires that personal data shall be:
So whether it’s a fitness app where users submit their dietary and exercise habits into an account created with their personal details, or a retail company collecting data online through ecommerce or loyalty cards, all are treated equally when it comes to personal data and must comply.
It is important that you determine your lawful basis for processing personal data and document it. GDPR gives 6 scenarios for the lawful processing of personal data:
- Consent
- Contract
- Legal Obligation
- Public Interest
- Vital Interests
- Legitimate Interests
Of these, the marketer will chiefly be interested in the grounds of legitimate interests, contract and consent, i.e. the bases used for direct/email marketing.
Any business that holds data will need to document what personal data it holds, when and where it came from, and who it has been shared with.
GDPR requires you to:
- identify a lawful basis for processing the personal data or the “conditions for processing”;
- state your data retention periods;
- state that individuals have the right to complain to the Information Commissioner’s Office (ICO).
Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO – https://ico.org.uk/)