GDPR 2018: The Essential Introduction
This is an essential introduction regarding the General Data Protection Regulation (GDPR) set in place for 25th May 2018.

Insight into GDPR
The General Data Protection Regulation (GDPR) is a binding legislative act from the European Union for the protection of personal data. Currently the UK relies on the Data Protection Act (DPA) 1998. The aim of GDPR is to give control back to ordinary people when it comes to their personal data and how it is collected and used.
It has been seven years in the making and will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The focus is on personally identifiable information, moving beyond commonly held data like name and email address to include information related to economic, cultural or mental health status, identification numbers, location data, IP addresses, cookies, mobile IPs or IMEI numbers on devices. All data that qualifies as ‘personal data’ under the DPA still counts. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
Any data controller or processor that fails to comply will face fines of up to 4% of previous global annual turnover or €20 million, whichever is greater, as well as damage to the company’s reputation. This is a seismic shift – the highest fine a regulator can currently impose is £500,000.
Who does it apply to?
Any company in the world, whether located in the EU or not, that controls or processes personally identifiable information of EU citizens. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
In detail:
It applies to ‘controllers’ and ‘processors’ of data. Definitions are broadly the same as under the DPA. The controller decides how and why personal data is processed. This could be any organisation, from profit-seeking to government to charity. A processor acts on the controller’s behalf, for example an IT company doing the actual data processing. Data controllers and data processors are now equally liable for data breaches, so it is crucial that both parties work together and become fully compliant. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. GDPR gives much more responsibility to data processors than the DPA, and both controllers and processors are now liable for the protection of the personal data they collect or hold. Processors are now required, as a legal obligation, to maintain records of personal data and processing activities.
Data protection principles relating to processing personal data
Article 5 of the GDPR sets out 6 main principles. The same principles apply to companies from all sectors that deal with personally identifiable information of EU citizens, and all of them need to comply. Article 5 of the GDPR requires that personal data shall be:
So whether it’s a fitness app where users submit their dietary and exercise habits into an account created with their personal details, or a retail company collecting data online through ecommerce or loyalty cards, all are treated equally when it comes to personal data and must comply.
Lawful processing
It is important that you determine your lawful basis for processing personal data and document this. GDPR gives 6 scenarios for the lawful processing of personal data:
- Legal Obligation
- Public Interest
- Vital Interests
- Contractual
- Legitimate Interests
- Consent
Of these, the marketer will chiefly be interested in the grounds of legitimate interests, contractual and consent, i.e. for direct/email marketing.
Any business that holds data will need to document what personal data they hold, when and where it came from, and who it has been shared with.
GDPR requires you to:
- identify a lawful basis for processing the personal data or the “conditions for processing”;
- state your data retention periods;
- state that individuals have the right to complain to the ICO.
The best way to state policies is through your privacy policy. This means updating your site’s privacy notice, where you need to ensure you state everything you’re doing with the personal data and how you’re using/doing it.
Here’s a neatly arranged PDF version of the General Data Protection Regulation (GDPR) including its recitals, and a copy of the original GDPR document in PDF format.
What to do with old or archived personal data
All archived or old data will still fall under the GDPR regulation and all personal data has to be GDPR compliant before 25th May 2018. After doing a data map and finding the archived data, you’ll want to know if you can bring it back to life again.
First question to ask is – do you know where all your data is? There may well be some data you don’t realise you’ve got, hidden away, that you’ll find you shouldn’t have under the new legislation. Data could be 4 days or 4 years old but the governing rule is, if you don’t know how you got the data, where it came from or how old it is by 25 May 2018 – get rid of it. You need to provide an auditable record and prove every piece of data you have is GDPR compliant, so it only takes one person to complain and say they didn’t give consent when needed for example, to create a legal case that you will lose if you don’t have supportive evidence that proves it is GDPR compliant.
Make a strict policy on data retention that abides by the new regulations – what’s your set period of time? Decide how long to keep the data for and be strict about deleting it securely. Make this apparent in your privacy policy.
For further guidance from the ICO, see their helpful documents: Preparing for the GDPR – 12 steps to take now and Data protection self assessment toolkit.
Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO – https://ico.org.uk/)