GDPR – What does it mean for your business?
GDPR is the result of shifting compliance regulation, namely the General Data Protection Regulation. The GDPR will become enforceable from the 25th May 2018 and sets a high bar for privacy rights and data compliance.
What is the GDPR?
The GDPR is the replacement for a previous EU privacy directive known as Directive 95/46/EC, the directive which has been the basis of EU data protection laws since 1995. GDPR is a binding act, which must be followed in its entirety throughout the EU. It is an attempt to modernise, strengthen and harmonise EU data protection laws, in order to enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right.
The GDPR regulates:
- How businesses and individuals obtain data
- How businesses and individuals use data
- How businesses and individuals store data
- How businesses and individuals eliminate data
Who does GDPR affect?
Quite simply, the scope of GDPR is very broad. It will affect:
- All organisations established in the EU
- All organisations involved in processing personal data of EU citizens
- All industries and sectors
- All EU citizens
What is considered “personal data”?
Personal data is considered to be any information relating to an identified or identifiable individual. This can be any information that can be used to identify someone either on its own or in conjunction with other data. Personal data now includes not only data that is commonly considered to be personal in nature, for example names, addresses, dates of birth, email addresses etc., but also data such as IP addresses, behavioural data, location data, biometric data, financial information and much more.
What does it mean to “process” data?
As per GDPR, processing data is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Basically, if you collect, manage, use or store any personal data of EU citizens, you are processing data under GDPR.
Bear in mind that even if you don’t believe your business will be affected by GDPR (which it probably will), the GDPR and its principles will still be important to you. EU law generally sets the precedent for international regulation, so by considering GDPR now, you may gain a competitive advantage at a later stage.
How is the GDPR different from the directive?
- Expansion of scope
  - GDPR applies to all organisations in the EU or processing data of EU citizens, broadening the scope of EU data protection laws beyond the borders of the EU
- Expansion of definitions of personal and sensitive data (as described above)
- Expansion of individual rights
  - Right to be forgotten: An individual may request that an organisation delete ALL data on that individual without undue delay
  - Right to object: An individual may prohibit certain data uses
  - Right to rectification: Individuals may request that incomplete data be corrected or completed
  - Right of access: Individuals have the right to know what data about them is being processed and how
  - Right of portability: Individuals may request that personal data held by one organisation be transported to another
- Stricter consent requirements: Consent is a fundamental aspect of GDPR, and organisations must ensure that consent is obtained in accordance with GDPR’s new requirements. You will need to obtain consent from your subscribers and contacts for EVERY usage of their personal data, unless you can rely on a separate legal basis. The safest route is to obtain explicit consent. Bear in mind that:
  - Consent must be specific to distinct purposes
  - Silence, pre-ticked boxes or inactivity do not constitute consent. Subjects must explicitly opt in to storage, use and management of their data.
  - Separate consent must be obtained for different processing activities. This means that you must be clear about how data will be used when you obtain consent.
- Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
  - Contact details for the data controller
  - Purpose of the data – as specific (purpose limitation) and minimised (data minimisation) as possible
  - Retention period – as short as possible (storage limitation)
  - Legal basis – You cannot process personal data just because you want to. You must have a legal basis to do so, such as where the processing is necessary for the performance of a contract, an individual has consented, or the processing is in the organisation’s legitimate interest.
What happens if you do not comply with GDPR?
Expect a sanction of 20 million euros or 4% of global turnover, whichever is higher. Probably best to be compliant here…
Here are some great GDPR resources for you to look over: