GDPR will overhaul data protection
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) will overhaul how businesses process and handle personal data. This brief explains its main points and points you to where to find more information if needed.
What is it?
It is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims to give citizens and residents control back over their personal data, and to simplify the regulatory environment by applying a single set of rules across the EU. When the GDPR takes effect, it will replace the Data Protection Directive of 1995 (Directive 95/46/EC). The regulation was adopted on 27 April 2016 and becomes enforceable from 25 May 2018, after a two-year transition period. Unlike a directive, it does not require national governments to pass any enabling legislation: the regulation is directly binding and applicable in every member state.
It will change how businesses, charities and public sector organisations are allowed to handle the personal information of customers, users and members of the public.
Is your company/startup/charity going to be impacted?
In short, yes. Individuals, organisations and companies that are either ‘controllers’ (who decide why and how personal data is processed) or ‘processors’ (who process it on a controller’s behalf) of personal data will be covered by the GDPR. “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR,” the ICO says on its website, the DPA being the UK’s Data Protection Act 1998.
Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means any piece of information that can be used to identify a person, directly or indirectly. This can be a name, address, IP address, online identifier… you name it. Sensitive personal data (which the GDPR calls “special categories of personal data”) encompasses genetic and biometric data, health data, information about racial or ethnic origin, religious and political views, trade union membership, sexual orientation, and more.
These definitions are largely the same as those within current data protection laws and can relate to information that is collected through automated processes. Where GDPR differs from current data protection laws is that it makes explicit that pseudonymised personal data still falls under the law: if records are keyed by a fictitious name, token or reference number but a person could still be identified by combining them with other information (such as a lookup table or key), they remain personal data.
But the good news is that the GDPR recognises that smaller businesses require different treatment to large or public enterprises. For example, organisations with fewer than 250 employees are exempt from the full record-keeping obligations of Article 30 unless their processing is likely to pose a risk to individuals, is not occasional, or involves special categories of data.
So, what’s different?
In the full text of GDPR there are 99 articles setting out the rights of individuals and the obligations placed on organisations covered by the regulation. These include giving people easier access to the data companies hold about them, a new fines regime, and a clear responsibility for organisations to have a lawful basis for collecting and using information. Where that basis is consent, the consent must be freely given, specific, informed and unambiguous; a pre-ticked box or silence no longer counts.
While large businesses tend to be aware of the upcoming changes, there needs to be a lot more knowledge in smaller companies, including startups. One of the issues with startups is that, when they go through the formalities every new business goes through, nothing in that process prompts them to think about data protection.
So, if you’re only just hearing of GDPR, here are some of the bigger changes to be prepared for.
Access to data
Under the GDPR, requests for personal information (subject access requests) must normally be handled free of charge; a reasonable fee can be charged only for requests that are manifestly unfounded or excessive. When someone asks a business for their data, it must provide the information within one month, extendable by a further two months for complex or numerous requests, provided the individual is told why. Everyone will have the right to get confirmation that an organisation holds information about them, access to that information, and supplementary information such as why it is being processed, who it is shared with and how long it will be kept.
The new regulation also gives individuals the power to have their personal data erased in some circumstances. These include where the data is no longer necessary for the purpose it was collected for, where consent is withdrawn, where the individual objects and there is no overriding legitimate interest in continuing, and where the data was unlawfully processed.
GDPR fines
One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don’t comply with it. The upper tier of fines is up to €20 million or 4% of worldwide annual turnover, whichever is higher; a lower tier of up to €10 million or 2% applies to breaches of obligations such as record-keeping and security. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. If it requires a data protection officer (public authorities, and organisations whose core activities involve large-scale monitoring or large-scale processing of special category data) and doesn’t have one, it can be fined. If there is a security breach, it can be fined both for failing to keep the data secure and for failing to notify the regulator within 72 hours of becoming aware of the breach where the breach is likely to put individuals at risk.
Looking for more?
As well as this guidance, the ICO says it is setting up a phone service to help small businesses prepare for GDPR. The service will answer questions about how small companies can implement GDPR procedures and starts at the beginning of November 2017.
Here’s where to go if you’re looking for more in-depth reading:
– The full regulation. The version published in the Official Journal is 88 pages long and has 99 articles, preceded by 173 recitals that explain the intent behind them.
– The ICO’s guide to GDPR is essential for both consumers and those working within businesses.
– EU GDPR is the Union’s official website for the regulation. It details all you need to know and has a handy countdown clock for when GDPR will come into force.
– The EU’s Article 29 Working Party, the body of national data protection authorities that advises on EU data protection law, is publishing guidelines on data breach notifications, transparency, and subject access requests.