Introduction
GDPR: The basics
General Data Protection Regulation (GDPR) is a new data protection law from the European Union (EU). It was created to better protect EU citizens’ personal data and to unify the data laws of all EU member states. GDPR took effect on 25th May 2018 and replaces the current UK Data Protection Act 1998.
GDPR law applies to the processing of personal data in a professional or commercial context. It doesn’t apply to personal activities. To comply with GDPR, organisations must get consent from their EU customers before processing their personal data. Such customers also have a right to access the data held on them and have the right to be forgotten.
Compliance with GDPR is essential. Organisations that do not comply will be fined severely. Where data misuse is serious, such fines can equal up to 4% of annual global turnover [1].
What is meant by personal data?
The European Commission defines personal data as ‘any information that relates to an identified or identifiable living individual’ [2]. The Commission gives the following as examples of personal data:
- First name and surname
- Home address
- Email address
- Identification card number
- Mobile phone location data
- Internet Protocol (IP) address
- Cookie ID
- Advertising identifier on a phone
- Medical data which can uniquely identify a person
Who does GDPR apply to?
GDPR applies to any organisation that processes EU citizens’ data. This means GDPR applies to private or public organisations, large or small organisations, and charities. However, smaller organisations, public organisations, and companies that process data on a large scale all have slightly different rules [3].
It doesn’t matter whether the data is processed by your organisation directly or sent to a third party. Both your organisation and the third party must comply. And both must make it clear how they collect personal data, why they need it and how they process it.
‘Processing’ data means you are collecting, storing, recording, using or organising it. It also includes making the data available to other staff members, altering it or deleting it. These are all forms of data processing according to the European Commission [4], which provides the following as examples of data processing:
- Sending promotional emails
- Storing contact details of customers or staff
- Storing IP addresses
- Putting a photo/video of someone on a website
- Other video recordings
Is GDPR a good thing?
Yes! The way we use data has changed dramatically since the UK Data Protection Act was created back in 1998. GDPR replaces this outdated law and fits in better with modern data usage. It puts individuals in charge of their data and protects them from malicious data sharing.
Reliance on the internet and cloud storage means personal data is shared frequently and carelessly. Major cyber-attacks and the shady practices of Facebook/Google have shocked us all. Companies and individuals have had to wake up and take data protection seriously. GDPR helps everyone achieve this.
GDPR also benefits organisations by forcing a re-think on data storage. 85% of data stored by companies is considered obsolete, and the cost of storing this data on servers is huge [5]. To comply with GDPR, your company will likely need to delete old data. This is a chance to clean your computers or filing cabinets of clutter and have a fresh start. In doing so, you may also save some money.
GDPR can also provide a competitive edge and boost your company’s reputation. Clearly displaying your data policy and how it aligns with GDPR will increase customer confidence, especially if competitors haven’t done this yet [6].
How to comply with GDPR as an organisation
As stated earlier, GDPR compliance rules will differ depending on the type of organisation. For example, only public organisations and companies processing data on a huge scale will need to appoint a Data Protection Officer. However, there are rules that all organisations must follow. These are:
Awareness
Everyone in your organisation needs an awareness of GDPR. Both decision-makers and other staff should have an awareness of data protection issues and understand how to comply with GDPR.
Consent
GDPR places a lot of emphasis on consent. Your customers must consent to their personal data being processed. This consent must be opt-in. The days of pre-ticked boxes (meaning you must opt-out) are gone [7]. For example, if a customer wants to receive marketing emails from you, they must opt-in by ticking a box or clicking a button. If they don’t opt-in, you can’t send them any marketing emails. Simple.
Please be aware, however, that data can be processed without consent if there is a legal obligation, for example when a customer pays online with a credit card. Data can also legally be processed without consent when saving someone’s life, to stop criminal activity, or if it is in the public interest.
Policy
Firstly, you need to ensure your data protection policy aligns with official GDPR guidelines. Secondly, you need to explain your data protection policy in plain English. If you don’t have a policy or your current policy uses complicated language, write up a new one. Don’t use silly technical terms and legal jargon – keep it short and simple.
Access
Another important aspect of GDPR is the customer’s right to access data. Customers can now ask what personal data you hold on them and request a copy of this data. If any of the data you hold on them is incorrect, they can ask you to rectify it. Similarly, customers now have a ‘right to be forgotten’. This means your customers can request you delete all the data you hold on them [8].
Because of these new customer powers, you will need to be prepared. If someone asks for a copy of all data you hold on them, this will need to be exported in a simple and clear format. You will also need a process in place to thoroughly delete customer data.
Security
In the event of a security breach or cyber-attack which puts customer data at risk, you must report it to your local data protection regulator within 72 hours. In the UK, our regulator is the Information Commissioner’s Office (ICO). Using breach detection tools and monitoring, and training staff to spot breaches, can also help you comply with this rule [9].
Conclusion
Overall, GDPR is a long overdue revision to data protection law. It gives individuals greater power over their personal data. It also gives organisations the opportunity to start taking data protection seriously. And although it may seem like a great deal of effort, complying with GDPR is actually very simple. For further information, we highly recommend checking out the EU’s official GDPR guidance.
List of references
[1] Paul Rubens. (2018) How to comply with GDPR. Available: https://www.esecurityplanet.com/network-security/how-to-comply-with-gdpr.html. Last accessed: 22nd May 2018.
[2] European Commission. (2018) What is personal data? Available: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en. Last accessed: 22nd May 2018.
[3] European Commission. (2018) Who does the data protection law apply to? Available: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en. Last accessed: 22nd May 2018.
[4] European Commission. (2018) What constitutes data processing? Available: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-constitutes-data-processing_en. Last accessed: 24th May 2018.
[5] Dennis Dayman. (2018) Stop whining, GDPR is actually good for your business. Available: https://thenextweb.com/contributors/2018/03/18/stop-whining-gdpr-actually-good-business/. Last accessed: 24th May 2018.
[6] Mike Gillespie. (unknown) Why Europe’s GDPR privacy regulation is good for business. Available: https://www.computerweekly.com/opinion/Why-Europes-GDPR-privacy-regulation-is-good-for-business. Last accessed: 24th May 2018.
[7] Madeline Bennett. (2018) GDPR compliance – here are the 14 things you actually need to do. Available: https://government.diginomica.com/2018/01/22/gdpr-compliance-here-are-the-14-things-you-actually-need-to-do/. Last accessed: 25th May 2018.
[8] Joe Curtis. (2018) What is GDPR? Everything you need to know post-compliance deadline. Available: http://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know. Last accessed: 25th May 2018.
[9] Paul Rubens. (2018) How to comply with GDPR. Available: https://www.esecurityplanet.com/network-security/how-to-comply-with-gdpr.html. Last accessed: 25th May 2018.