This is an essential introduction regarding the General Data Protection Regulation (GDPR) set in place for 25th May 2018.

Insight into GDPR

The General Data Protection Regulation (GDPR) is a binding legislative act from the European Union for the protection of personal data. Currently the UK relies on the Data Protection Act (DPA) 1998. The aim of GDPR is to give control back to ordinary people when it comes to their personal data and how it is collected and used.

It has been seven years in the making and will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

The focus is on personal identifiable information, moving beyond commonly held data like name and email address, including information related to economic, cultural or mental health information, identification numbers, location data, IP addresses, cookies, mobile IP’s or IMEI numbers on devices. All qualifying ‘personal data’ on the DPA still counts. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.

Any data controller or processor that fails to comply will face fines of up to 4% of previous global annual turnover or €20 million, whichever is greater, and company reputation damaged. This is a seismic shift – the highest fine a regulator can currently impose is £500,000.

Who does it apply to?

Any company in the world, whether located in the EU or not, that controls or processes personal identifiable information of EU citizens. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

In detail:

It applies to ‘controllers’ and ‘processors’ of data. Definitions are broadly the same as under the DPA. The controller states how and why personal data is processed. This could be any organisation, from profit-seeking to government to charity. A processor acts on the controller’s behalf, for example an IT company doing actual data processing. Data controllers and data processors are now equally liable for data breaches, so it is crucial that both parties work together and become fully compliant. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. GDPR gives much more responsibility to data processors than the DPA, and both controllers and processors are now liable to the protection of personal data they collect or hold. Processors are now required to maintain records of personal data and processing activities as a legal obligation.

Data protection principles relating to processing personal data

Article 5 of the GDPR sets out 6 main principles. The same principles apply to companies from all sectors that deal with personal identifiable information of EU citizens and need to comply. Article 5 of the GDPR requires that personal data shall be:

So whether it’s a fitness app where users submit their dietary and exercise habits into their own account which was created with their personal details, or retail companies collecting data online through ecommerce or loyalty cards. All are treated equally when it comes to personal data and must comply.

Lawful processing

It is important that you determine your lawful basis for processing personal data and document this. GDPR gives 6 scenarios for the lawful processing of personal data:

1. Legal Obligation
2. Public Interest
3. Vital Interests
4. Contractual
5. Legitimate Interests
6. Consent

Of these, the marketer will chiefly be interested in the grounds of legitimate interests, contractual and consent, i.e. for direct/email marketing.

Any business that holds data will need to document what personal data they hold, when and where it came from, and who it has been shared with.

GDPR requires you to:

• identify a lawful basis for processing the personal data or the “conditions for processing”;
• state your data retention periods;
• state that individuals have the right to complain to the ICO.

The best way to state policies is through your privacy policy. This means updating your site’s privacy notice, where you need to ensure you state everything you’re doing with the personal data and how you’re using/doing it.

Here’s a neatly arranged PDF version of the General Data Protection Regulation (GDPR) including its recitals, and a copy of the original GDPR document in PDF format.

Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO – https://ico.org.uk/)